Subscribe to the Non-Human & AI Identity Journal

What breaks when organisations rely on awareness training alone against vishing?

Awareness training breaks down when the attacker can adapt tone, urgency, and context in real time. A trained user may still comply if the workflow allows them to escalate a case verbally or if support staff can override controls after a convincing call. Training helps, but only if it is backed by hard verification steps and restricted exceptions.

Why This Matters for Security Teams

Awareness training is useful, but vishing succeeds because it targets process weakness, not just user judgment. A caller who sounds credible can bypass a trained employee when the organisation has permissive callbacks, vague escalation rules, or help desk scripts that prioritise speed over verification. That makes the issue a control-design problem as much as a human-factor problem. NIST’s NIST Cybersecurity Framework 2.0 treats awareness as only one element of a broader governance and protection model. NHIMG research on MGM Resorts Breach 2023 — Scattered Spider shows how social engineering can move from a conversation to account compromise when identity checks are weak. In practice, many security teams discover the gap only after a help desk exception has already turned a persuasive call into an authorised action.

The real failure mode is assuming a trained person can compensate for an untrusted channel. Vishing attacks exploit timing, authority, and context, then route around awareness by pushing staff toward exceptions, resets, and urgent approvals. Even well-run training can decay if the workflow rewards helpfulness more than verification. Current guidance suggests treating inbound voice requests as untrusted until a separate, stronger control confirms the requestor and the request.

Operationally, that means designing controls around the call path itself. Security teams should require a verified return channel, step-up approval for sensitive changes, and documented challenge-response steps for help desk actions. The NIST CSF 2.0 functions map well here: govern who may approve exceptions, protect the process with stronger checks, and detect suspicious identity events before they become access changes. Where identity is involved, the strongest signal is not how convincing the caller sounds, but whether the workflow can resist a convincing caller. NHIMG’s analysis of the Caesars Entertainment Breach 2023 — Scattered Spider illustrates how voice-based manipulation can be enough when operational exceptions are too easy to obtain. These controls tend to break down when support teams are measured primarily on speed, because verification steps are then treated as friction rather than the control itself.

  • Use callback verification to a known number or directory entry, not to the number provided by the caller.
  • Require step-up checks for password resets, MFA changes, payroll changes, and privileged access requests.
  • Limit what help desk staff can override, and log every exception with reviewer identity and justification.
  • Separate awareness training from process design so that users are not expected to compensate for weak controls.
  • Test the whole workflow with social engineering scenarios, not just annual training completion.

One useful indicator is whether the organisation can explain, in one sentence, what a support analyst must do when a caller claims to be an executive with urgent access needs. If that answer is inconsistent, awareness training is acting as a substitute for control design, which is the wrong dependency.

Common Variations and Edge Cases

Tighter voice verification often increases friction, requiring organisations to balance user experience against stronger fraud resistance. That tradeoff becomes more difficult in shared service desks, outsourced support, and emergency-response environments where staff are expected to act quickly. Best practice is evolving, and there is no universal standard for every callback or override scenario, especially when legitimate business urgency is high.

Some environments deserve special handling. In healthcare, finance, and executive support, attackers often exploit service expectations and time pressure, so awareness alone is weakest where the cost of delay is highest. In hybrid and remote operations, personal mobile numbers, softphone systems, and messaging tools can create multiple “trusted” channels that are hard to govern consistently. The strongest programs pair training with process proof: identity verification, documented escalation limits, and monitoring for unusual support actions. This is also where identity and NHI governance intersect, because a stolen or spoofed identity on the phone can trigger downstream credential resets or privileged changes. Where the request touches privileged access, controls should align with formal access governance rather than informal trust.

For teams assessing maturity, the question is not whether people remember the training, but whether the workflow still holds when the attacker is persuasive, urgent, and technically informed. Awareness is necessary, but it is not a control boundary by itself.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK and OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AT-1 Awareness training helps, but it cannot be the only defense against social engineering.
MITRE ATT&CK T1656 Vishing is a social engineering technique used to manipulate victims into action.
OWASP Non-Human Identity Top 10 Voice-driven compromise can lead to credential resets and NHI abuse downstream.

Use awareness as a baseline and pair it with hard verification and exception controls.