NINJIO Webinar Recap: What a Live AI Vishing Call Reveals About Emotional Manipulation
Key Takeaways
- Emotion drives the click: Most clicks on a phishing email happen within one minute of the email arriving. Attackers engineer that response speed by targeting emotional states before rational thinking can engage.
- Click rates understate exposure: In one real program, 700 of 713 employees had been lured at some point, while the organization’s click rate held at 10.69%. The headline metric and actual workforce exposure told very different stories.
- Emotional susceptibility varies by person: The trigger that makes one employee click is rarely the same one that catches their colleague. Generic post-click retraining addresses neither vulnerability with any precision.
- Phish reporting is a measurable security outcome: A single employee reporting a suspicious email can interrupt a campaign running against the entire organization.
In a recent NINJIO webinar, Chief Innovation & Information Security Officer Matt Lindley and Enterprise Security Consultant Erica Santana examined how cybercriminals engineer emotional responses that fire before rational thinking can engage, and why most security awareness programs are not built to address that side of the human layer.
What Are Current Phishing Programs Built to Measure?
Phishing programs report click rates, which measure how many individuals interacted with a phishing email template in a simulation cycle. Your organization’s cybersecurity team may read that number as an indicator of both template difficulty and workforce vulnerability.
While simulation report data may seem straightforward, it does not tell the full story cybersecurity leaders need to improve security culture.
One organization’s initial baseline:
- Click rate: 10.69% — 6.69 points above industry benchmark
- Employees lured at least once: 700 out of 713
Those two numbers describe the same workforce but imply significantly different levels of risk. A click rate just below 11% suggests a manageable problem that can be improved over time. The distinct lured user count reveals that nearly the entire workforce (about 98%) had clicked at least once during the baseline simulations.
| Metric | What it measures | What it misses | Best used for |
|---|---|---|---|
| Simulated phishing click rate | Interaction with a tested phishing template per cycle | Overall exposure across the full program | Benchmarking template difficulty |
| Distinct lured user count | Unique employees caught at least once | Why those employees were susceptible | Understanding the true scope of exposure |
| Emotional susceptibility profile | Which psychological triggers drive behavior per individual | Needs months of repeated simulation before per-person patterns are reliable | Personalizing security coaching and prioritizing risk |
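The gap between the two headline numbers above is easy to reproduce from a simulation export. The script below is an added example written for this recap, not NINJIO code, and its data is constructed: eight users over four cycles, with who clicked and who reported each template. It computes the per-cycle and program-wide click rate (a mean over deliveries), the distinct lured user count (a union over users), and the reporting rate and median time-to-report that the page argues belong on the same dashboard.

```python
from collections import namedtuple
from statistics import median

# One row per (cycle, user), as a simulation platform might export it.
Row = namedtuple("Row", "cycle user clicked reported secs_to_report")

# Constructed program data for this example (not the webinar's figures):
# 8 users over 4 monthly cycles. Per cycle: who clicked the template, and
# who reported it, with seconds from delivery to report.
USERS = ["alice", "bob", "carol", "dave", "eve", "frank", "grace", "heidi"]
CYCLES = {
    1: ({"alice"},          {"bob": 140}),
    2: ({"carol", "dave"},  {"bob": 90, "heidi": 300}),
    3: ({"eve", "frank"},   {"grace": 60}),
    4: ({"grace", "heidi"}, {"bob": 45}),
}

def expand(users=USERS, cycles=CYCLES):
    """Expand the compact cycle data into one Row per delivered simulation."""
    rows = []
    for cycle, (clicked, reported) in cycles.items():
        for user in users:
            rows.append(Row(cycle, user, user in clicked,
                            user in reported, reported.get(user)))
    return rows

SIM_RESULTS = expand()

def click_rate(rows, cycle=None):
    """Headline metric: clicks divided by deliveries, for one cycle or the
    whole program. A mean over deliveries hides who keeps clicking."""
    sel = [r for r in rows if cycle is None or r.cycle == cycle]
    return sum(r.clicked for r in sel) / len(sel)

def distinct_lured(rows):
    """Exposure metric: the set of users who clicked at least once."""
    return {r.user for r in rows if r.clicked}

def reporting_rate(rows):
    """Share of delivered simulations that a user reported."""
    return sum(r.reported for r in rows) / len(rows)

def median_secs_to_report(rows):
    """Median delivery-to-report time over reported simulations."""
    times = [r.secs_to_report for r in rows if r.reported]
    return median(times) if times else None

def program_summary(rows):
    """Put the mean-based and union-based metrics side by side."""
    workforce = {r.user for r in rows}
    lured = distinct_lured(rows)
    return {
        "click_rate": click_rate(rows),
        "per_cycle": {c: click_rate(rows, c)
                      for c in sorted({r.cycle for r in rows})},
        "workforce": len(workforce),
        "distinct_lured": len(lured),
        "lured_share": len(lured) / len(workforce),
        "reporting_rate": reporting_rate(rows),
        "median_secs_to_report": median_secs_to_report(rows),
    }

if __name__ == "__main__":
    for key, value in program_summary(SIM_RESULTS).items():
        print(f"{key}: {value}")
```

With this data no cycle ever exceeds a 25% click rate and the program average is about 22%, yet seven of the eight users were lured at least once. Only the union over cycles surfaces that, which is why the distinct lured count belongs next to the click rate rather than behind it.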
What Emotional Triggers Do Cybercriminals Use in Social Engineering Attacks?
NINJIO’s analysis of nearly 2 million social engineering simulations found that most clicks happen within one minute of an email arriving. That decision window is what attackers design for. The three emotional triggers below account for the majority of successful attacks:
- Urgency compresses an individual’s window of time to decide. Phishing campaigns timed around high-pressure periods such as quarter close or the days before a holiday work because most people are already overloaded cognitively, and their capacity to pause and evaluate is reduced.
- Obedience reduces someone’s resistance to following an instruction. When a message appears to come from a figure of authority, the instinct to comply often overrides the instinct to verify. This trigger underpins one of the most financially significant attacks on record: a deepfake call that used obedience to extract $25 million from a single organization.
- Fear adds consequence to urgency. For example, a cybercriminal may push a deadline paired with a threat of suspension or loss of access to create compounding pressure that is harder to resist than either trigger alone.
Matt Lindley framed the underlying dynamic this way during the webinar:
“The e-mail, the text, the phone call, the QR code — even the deepfake voice, those are just delivery mechanisms. The real payload is psychological.”
What Is an Emotional Susceptibility Profile and How Does It Reduce Phishing Risk?
Many cybersecurity awareness training service providers send a generic follow-up lesson after someone clicks on a simulated phishing test.
That does not reduce phishing risk efficiently because it ignores the reason why someone clicked. Your cybersecurity team may be sending the same remediation training to everyone who clicked in a phishing simulation, regardless of which emotional trigger drove that behavior.
NINJIO PHISH3D, a three-dimensional phishing simulation program, builds an emotional susceptibility profile for each individual over time.
| Dimension | What it tests | How it personalizes the program |
|---|---|---|
| Attack vector | Which delivery formats an employee engages with, including email and voice-based channels | Simulation delivery is weighted toward the formats an individual shows susceptibility to |
| Emotional susceptibility | Which of seven emotional triggers consistently drives a click for a given user | Coaching is assigned based on the individual’s susceptibility profile rather than a generic post-click module |
| Difficulty level | How sophisticated an attack needs to be to deceive a user at their current performance level | Difficulty scales as users demonstrate stronger detection, keeping the program a genuine test |
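To make the three dimensions concrete, here is an added example of how a per-user profile can be derived from tagged simulation results and turned into the next cycle’s settings. It is illustrative code written for this recap, not NINJIO PHISH3D’s implementation, and everything in it is assumed: the data is constructed, the difficulty scale (1 to 3), the vector-weighting rule and the coaching module names are hypothetical, and only the three triggers the page names (urgency, obedience, fear) are used, since the other four of the seven are not listed on the page.

```python
from collections import Counter

MAX_LEVEL = 3                      # hypothetical difficulty scale: 1 (easy) to 3 (hard)
VECTORS = ("email", "sms", "voice")

# Constructed data, not the webinar's: the difficulty level of every
# simulation delivered to each user in one window, and one
# (user, trigger, vector, level) record for each simulation the user fell for.
DELIVERED = {
    "alice": [1, 1, 1, 1, 2, 2, 2, 2],
    "bob":   [1, 1, 1, 2, 2, 2, 2, 2],
    "carol": [1, 1, 1, 2, 2, 3, 3, 3],
    "dave":  [1, 1, 1, 1, 1, 1, 2, 2],
}
CLICK_LOG = [
    ("alice", "urgency",   "email", 1),
    ("alice", "urgency",   "sms",   2),
    ("alice", "fear",      "email", 2),
    ("carol", "obedience", "voice", 1),
    ("carol", "obedience", "email", 3),
    ("dave",  "fear",      "email", 1),
]
# Hypothetical coaching assignments keyed by dominant trigger; the page does
# not list NINJIO's real module names.
COACHING = {
    "urgency":   "pause before acting under time pressure",
    "obedience": "verify requests from authority out of band",
    "fear":      "recognize threat-plus-deadline pressure",
}

def build_profile(user, delivered=DELIVERED, click_log=CLICK_LOG):
    """Tally one user's clicks by trigger and vector and derive the next
    cycle's difficulty, vector weighting and coaching assignment."""
    clicks = [c for c in click_log if c[0] == user]
    triggers = Counter(t for _, t, _, _ in clicks)
    vectors = Counter(v for _, _, v, _ in clicks)
    dominant = triggers.most_common(1)[0][0] if triggers else None
    # Difficulty: keep testing at the hardest level that still deceives the
    # user; raise it only after a window with no clicks (assumed rule).
    if clicks:
        next_level = max(level for *_, level in clicks)
    else:
        next_level = min(max(delivered[user]) + 1, MAX_LEVEL)
    # Vector weighting with add-one smoothing so untried channels are still
    # delivered and the profile keeps learning (assumed rule).
    total = len(clicks) + len(VECTORS)
    weights = {v: (vectors[v] + 1) / total for v in VECTORS}
    return {
        "user": user,
        "click_rate": len(clicks) / len(delivered[user]),
        "trigger_counts": dict(triggers),
        "dominant_trigger": dominant,
        "next_difficulty": next_level,
        "vector_weights": weights,
        "coaching": COACHING.get(dominant, "no trigger-specific module; keep testing"),
    }

def prioritize(users=DELIVERED):
    """Rank users for attention by click rate, highest exposure first."""
    return sorted((build_profile(u) for u in users),
                  key=lambda p: p["click_rate"], reverse=True)

if __name__ == "__main__":
    for p in prioritize():
        print(p["user"], p["dominant_trigger"], p["next_difficulty"], p["coaching"])
```

Two users with the same click rate get different coaching here because the tally is by trigger, not by outcome, and a user who never clicks (bob) moves up a difficulty level instead of being declared finished. That is the behavioral context a click-only export cannot provide.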
High-difficulty simulations personalize simulated phishing content the way a real threat actor would, such as by referencing a manager’s name, an individual’s role, and organizational context sourced from publicly available information.
That is exactly what the live voice phishing demonstration in the webinar showed.
What Does a Live AI Vishing Simulation Reveal About Social Engineering?
To show what a high-difficulty simulation feels like from the victim’s perspective, Erica Santana ran a live demo using the NINJIO Sensei AI Vishing Simulator, an AI-powered capability inside NINJIO PHISH3D that recreates voice and meeting-based social engineering scenarios.
The simulation dropped her into a spoofed Microsoft Teams environment, where an AI-generated caller used her manager’s name and kept the pressure on across several rounds of skepticism. Here is a short excerpt from that exchange:
Lauren Roberts (AI): Heather personally nominated you for an exclusive two-day leadership event. I just sent the registration link to your chat. You’ll need to sign in with your work email to claim your spot.
Erica: I wasn’t expecting a call. I’m going to call Heather real quick and validate.
Lauren Roberts (AI): Erica, Heather is the one who sent me to get you registered right now before the final spots close. She’s expecting you to be there and your team is already confirmed. Just click the link.
Erica: Okay, if you say so, I will click the link… and oh. Okay.
The full demonstration, including the dashboard walkthrough that shows how simulation data builds individual emotional susceptibility profiles, is in the on-demand recording.
Why Should Your Phishing Program Measure Reporting Rates?
A user who reports a suspicious email quickly can interrupt an active campaign before colleagues receive the same attack.
As AI enables cybercriminals to personalize phishing campaigns and deploy them simultaneously, your workforce’s phish reporting rate becomes a more meaningful indicator of program effectiveness than click rate alone.
Monthly simulation programs produce measurably better outcomes than annual cybersecurity awareness training cycles:
- Lower lured rates as individuals build familiarity with manipulation patterns across formats and difficulty levels
- Faster reporting response times as recognition develops into a reflex rather than a deliberate checklist
Individuals who encounter realistic scenarios regularly learn to recognize what manipulation feels like when it is happening. That felt recognition produces the pause that stops the breach.
What Does a Complete Human Risk Management Program Look Like?
A complete human risk management program requires four layers working in sequence. Each one addresses a gap the others cannot.
| Layer | What it does | What’s missing without it |
|---|---|---|
| Engaging awareness training (NINJIO AWARE) | Delivers short-form, scenario-based content that builds foundational recognition of how social engineering operates | Employees recognize attack formats but not the emotional manipulation that makes them effective |
| Adaptive phishing simulation (NINJIO PHISH3D) | Tests employees across attack vectors and emotional trigger patterns at varying difficulty levels to surface individual susceptibility data | Click-only tracking collects outcome data without the behavioral context needed to personalize what comes next |
| Personalized security coaching (NINJIO SENSE) | Uses emotional susceptibility data to assign training matched to each individual’s risk profile | Post-click remediation not matched to a specific trigger misses the mechanism of the vulnerability |
| Technical controls and threat reporting (NINJIO ALERT and NINJIO DEFEND) | Routes employee threat reports into automated scanning workflows and connects behavioral intelligence to SOC-level detection and response | Awareness data stays siloed from the security stack, so employee-reported signals cannot inform or accelerate incident response |
Watch the Full Webinar: Emotional Susceptibility and the Human Side of Phishing
This is a small slice of what the session covers. Matt Lindley and Erica Santana also walk through the full NINJIO Insights reporting dashboard live, showing how emotional susceptibility data translates into program decisions your team can act on immediately.
Frequently Asked Questions
Q: How does an emotional susceptibility profile differ from a human risk score?
A: A risk score aggregates click and completion data into a single number. A susceptibility profile identifies which specific triggers drive behavior for each individual, which makes coaching far more targeted and far more likely to change behavior.
Q: How does an adaptive program avoid simulation fatigue?
A: Fatigue comes from repetitive, identical tests. An adaptive program that varies format and difficulty by individual performance stays challenging enough to remain engaging over time.
Q: How long does it take for susceptibility patterns to become actionable?
A: Patterns become actionable after six to nine months of consistent monthly or twice-a-month phishing simulation, depending on organization size and participation rates.
Q: What should we look for in a phishing simulation platform?
A: Prioritize platforms that track emotional triggers alongside click rates and connect simulation outcomes to personalized security coaching automatically. If post-click training is the same for every user regardless of what caused the click, the platform is measuring outcomes without acting on them.
About NINJIO
NINJIO’s human risk management platform reduces cybersecurity risk through personalized security coaching, engaging awareness training, and adaptive testing. Our multi-pronged approach to risk mitigation focuses on the latest attack vectors to build employee knowledge and the behavioral science behind social engineering to sharpen users’ intuition. Our simulated phishing and coaching tools build a proprietary Emotional Susceptibility Profile for each user to identify their specific social engineering vulnerabilities and change behavior.