Learning to Deceive: Attacker Skill Acquisition in a Vishing Simulation Study
2026 (English)In: Human Aspects of Information Security and Assurance: 19th IFIP WG 11.12 International Symposium, HAISA 2025, Mytilene, Greece, July 7–9, 2025, Proceedings / [ed] Steven Furnell; Nathan Clarke, Cham: Springer, 2026, p. 62-74Conference paper, Published paper (Refereed)
Abstract [en]
Social engineering continues to pose a serious threat to information security, not because of its technical complexity, but because it exploits ordinary human behavior. While research has thoroughly examined user susceptibility and awareness training, we know far less about how attackers actually develop their skills in real-world settings. This study follows the learning process of a beginner conducting vishing calls in the Austrian healthcare system. Using a predefined script and some anticipated responses, the attacker, with no prior experience, made 20 phone-based attempts to deceive staff. A successful attempt meant persuading the target to visit a fake internal webpage and read a short code aloud, simulating a harmless but realistic breach. Over time, the attacker quickly moved from hesitant reading to confident improvisation, responding to feedback in real time. Many targets were friendly and helpful, often offering little resistance, which created a reinforcing loop. The attacker gained confidence and refined their approach with each call. These findings show how easily someone can become effective at social engineering through practice alone, and how everyday workplace interactions can unintentionally serve as training ground. For organizations, especially in high-trust environments like healthcare, this points to the need to rethink not just training but also the way communication and challenge behavior are structured.
Place, publisher, year, edition, pages
Cham: Springer, 2026. p. 62-74
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 761
Keywords [en]
security awareness, Social engineering, vishing, Artificial intelligence, Engineering education, Human computer interaction, Industrial management, Information systems, Information use, Network security, Personnel training, Healthcare systems, Human behaviors, Learning process, Real world setting, Simulation studies, Skills acquisition, Technical complexity, Behavioral research
National Category
Information Systems Other Engineering and Technologies
Research subject
Information Systems
Identifiers
URN: urn:nbn:se:his:diva-26013DOI: 10.1007/978-3-032-02504-3_5Scopus ID: 2-s2.0-105021820230ISBN: 978-3-032-02503-6 (print)ISBN: 978-3-032-02506-7 (print)ISBN: 978-3-032-02504-3 (electronic)OAI: oai:DiVA.org:his-26013DiVA, id: diva2:2017039
Conference
19th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance, HAISA 2025, Mytilene, Greece, July 7–9, 2025
Note
© IFIP International Federation for Information Processing 2026.
Correspondence Address: M. Nohlberg; School of Informatics, University of Skövde, Skövde, Sweden; email: marcus.nohlberg@his.se
2025-11-272025-11-272025-12-01Bibliographically approved