KnowBe4 has launched a gamified training tool, Spot the Vish, to help organisations train staff to identify voice phishing scams.
The launch comes as phone-based fraud becomes a larger part of the scam landscape in Australia and abroad. Vishing attacks have risen 449% globally, while phone scams now account for about one-third of reported scams in Australia, according to figures cited by the company.
Spot the Vish places users in simulated phone calls where they must decide how to respond to suspicious requests. The scenarios mirror common social engineering tactics, including callers posing as IT support staff or senior executives and creating urgency around password disclosure or money transfers.
Rather than relying on static awareness material, the game asks employees to make decisions during a live-style conversation. Users can end the call, verify the caller through official channels or continue engaging, while the exercise tracks warning signs as the scenario unfolds.
A central feature is a "scam-o-meter" that rises as red flags appear during the call. The game also includes points, penalties and badges intended to reinforce retention and encourage participation.
The new title is the 35th game in the company's training library. It joins other products in the range, including Danger Zone, the Spot the Phish series, Share If You Dare and The Inside Man.
Rising threat
Voice phishing is a growing concern for employers because it targets staff directly and often relies on pressure rather than malware or technical intrusion. Attackers typically impersonate trusted internal or external figures and try to persuade workers to disclose credentials, approve payments or bypass established controls.
Australian losses to scams exceed AUD $2 billion a year, according to figures cited by the company. That has prompted security providers and employers to place greater emphasis on staff behaviour and response training, particularly where a convincing phone call can circumvent formal systems.
KnowBe4, which says it serves more than 70,000 organisations worldwide, has built much of its business around security awareness training and simulated attacks. It has expanded that approach beyond email phishing to cover other forms of social engineering, including collaboration tools and AI-related risks.
Spot the Vish is available through the company's AI-enabled ModStore. The wider training library includes videos, games, quizzes and posters in multiple languages.
Isida Drake, senior vice president of security & compliance eLearning at KnowBe4, said the product was designed around the way vishing attacks unfold in practice.
"An urgent call from what seems to be IT or a high-ranking executive with a high-pressure request for a password or large wire transfer can happen to any employee at any time," Drake said.
"We have gamified the critical threat vector of vishing into an interactive simulation where employees learn in an engaging and memorable way. By participating in the new Spot the Vish game, employees develop the muscle memory needed to help protect their organisations by stopping vishing attacks."
Training shift
The addition reflects a broader shift in cyber defence spending towards employee decision-making as well as technical controls. While email phishing simulations have long been common, voice-based attacks can be harder to test because they rely on tone, urgency and social cues that are difficult to capture in text-based exercises.
For employers, the challenge is not only teaching staff to spot suspicious behaviour but also giving them a clear verification process. In many vishing incidents, the damage occurs when an employee acts quickly under perceived authority and does not pause to confirm the request through a separate channel.
Customer feedback has highlighted the usefulness of varied training formats and multilingual content for international workforces, according to the company. A customer review it cited said the breadth of material helped staff recognise and respond to phishing attempts in a safer setting.
The latest game focuses on the moment of decision during a phone conversation, when the employee must weigh pressure, authority and risk before acting. That emphasis reflects the reality of a scam technique that depends less on malicious code than on persuading a person to make the wrong call.