
5 Tips for Designing Effective Vibe Phishing Simulations

Vibe phishing: It’s like “vibe coding” with Cursor, but for phishing defense: you express the idea, and the system builds it.

Doppel Team

Oct 9, 2025

Phishing has evolved far beyond generic password-reset scams. Attackers study their targets, adapt to local languages, and time lures to news cycles. Security teams need to keep pace without burning cycles to hand‑craft every phishing test.

That’s why we’re excited about vibe phishing: the ability to create campaigns in natural language — “a fake HR policy update in Turkish with our company’s branding” — and instantly generate a realistic, multi-channel phishing campaign and landing page. It’s like “vibe coding” with Cursor, but for phishing defense: you express the idea, and the system builds it.

It’s idea in, simulation out, purpose‑built for modern social engineering defense. Doppel’s approach pairs agentic AI with a real‑time threat graph so simulations mirror how campaigns actually occur across channels.

1. Specify the exact brands, lures, and flows

Social engineering campaigns mimic the precise look and tone of tools your employees trust, like your HR platform, expense system, or benefits portal. Write prompts that name the real services, assets, and UX details employees see daily:

“Create a fake Doppel password reset with our logo and an SSO button.”

Avoid internal shorthand (“WD”) that a model may not recognize and that attackers wouldn’t use. The more specific your brand and workflow cues, the more realistic and insightful the simulation.

2. Localize for global teams

Phishing doesn’t stop at English. If you have employees in Turkey, Germany, or Japan, prompt explicitly for language and locale conventions (“in Turkish,” “write this lure in German”).

English‑only tests leave blind spots for non‑English teams — the same gaps some campaigns exploit. Localized simulations give you a true read on readiness across regions.

3. Embrace complexity and personalization

Sophisticated threat actors research their targets, scraping LinkedIn for job titles, watching company announcements, and tailoring messages to roles and departments. Your simulations should mirror that reality.

Ask the platform to weave in role‑specific context:

“Target finance with a fake invoice approval.”

Reference internal projects, or chain touchpoints, such as an email followed by a Slack DM. The goal isn’t to trick employees for sport; it’s to match the layered, multi‑step attacks they’re most likely to face.

4. Tie campaigns to real company and industry moments

Timing is a weapon. Funding rounds, product launches, leadership changes, or major security incidents create distractions attackers exploit. Use vibe phishing to spin up timely campaigns: “Simulate a breach notification about the npm supply‑chain incident for engineering,” or “Create a fake HR update about our new office opening.” Testing during live moments shows how people react under realistic pressure.

5. Go truly multi-channel: email is just the start

Modern campaigns span inboxes, SMS, LinkedIn DMs, Teams/Slack, and phone calls, increasingly with deepfake voices.

Specify channels in your prompt:

“Send a Teams message about an urgent security update and follow with a phishing landing page.”

Assess where employees are most vulnerable. Doppel’s simulations are built for multi‑channel execution, not just email clicks.

Why this matters

Phishing isn’t one‑size‑fits‑all, and training shouldn’t be either. Vibe phishing, using natural‑language prompts that generate tailored, brand‑aware, multi‑channel campaigns, helps security teams match bad actors’ creativity and speed.

Instead of spending hours designing each test, you describe the idea and get a polished campaign that measures real outcomes, not vanity metrics. Doppel’s threat‑graph foundation links signals across domains, social, ads, messaging, and more, so you can simulate — and defend against — the way social campaigns actually operate.

At Doppel, we’re pioneering this shift: helping security leaders launch sophisticated phishing simulations that adapt to their company’s tools, languages, and threat landscape — all with a single prompt.

Ready to try vibe phishing for yourself? Book a Doppel Simulation demo.
