Learning to Deceive: Attacker Skill Acquisition in a Vishing Simulation Study
摘要
Social engineering continues to pose a serious threat to information security, not because of its technical complexity, but because it exploits ordinary human behavior. While research has thoroughly examined user susceptibility and awareness training, we know far less about how attackers actually develop their skills in real-world settings. This study follows the learning process of a beginner conducting vishing calls in the Austrian healthcare system. Using a predefined script and some anticipated responses, the attacker, with no prior experience, made 20 phone-based attempts to deceive staff. A successful attempt meant persuading the target to visit a fake internal webpage and read a short code aloud, simulating a harmless but realistic breach. Over time, the attacker quickly moved from hesitant reading to confident improvisation, responding to feedback in real time. Many targets were friendly and helpful, often offering little resistance, which created a reinforcing loop. The attacker gained confidence and refined their approach with each call. These findings show how easily someone can become effective at social engineering through practice alone, and how everyday workplace interactions can unintentionally serve as training ground. For organizations, especially in high-trust environments like healthcare, this points to the need to rethink not just training but also the way communication and challenge behavior are structured.