Skip to main content

WhatsApp phishing campaigns

A WhatsApp phishing campaign simulates a targeted chat attack: an operator links a real WhatsApp account to Callstrike, then manually chats, as an impersonated identity (e.g. a manager or department head), with a real employee's real phone number over an actual WhatsApp session. Unlike a vishing campaign, nothing is auto-dialed or scripted by AI in real time; the operator types every message live, optionally sending AI-generated voice notes, images, or documents, and records what happened when the conversation ends.

When you link an account, the platform pairs a real WhatsApp Web session to Callstrike and streams the live chat to the operator's browser, keeping the full transcript for the end-of-campaign summary.

Prerequisites

  • A linked WhatsApp account. From the WhatsApp Accounts page, choose "Link existing" and scan the QR code with the phone that owns the number, this pairs a real WhatsApp Web session to Callstrike. A number already linked for the workspace can't be re-paired (the pairing session is closed with "account already exists").
  • A target employee with a phone number already in the employee list.
  • Browser permissions (camera, microphone, notifications, clipboard), Callstrike prompts for these before you can launch any live simulation; if denied, you'll see a permissions modal again on the next launch attempt.
  • Not on a trial workspace: launching a campaign from a trial workspace opens an upgrade modal instead of starting the campaign.

How to use it

  1. Create the campaign. Fill in the Scenario Name and Description (both have an AI-generation assist), the target Employee and Company Name, the Impersonated Identity (a full name and title the target is likely to trust), and pick which linked WhatsApp Account will send the messages.
  2. Review the summary and save as a draft or launch. Launching validates every field from step 1 and moves the campaign to a running state.
  3. Run the live chat. The operator sees a mobile WhatsApp interface connected to the real linked account. From here you can:
    • Send text messages, images, and documents.
    • Send AI-generated voice notes (optionally with an ambient background sound) via the same voice-generation drawer used elsewhere in the app.
    • Update the linked account's display name and "about" status to match the impersonated identity; this edits the real WhatsApp profile that anyone with that number in their contacts can see.
  4. Complete the campaign. Pick a Campaign Outcome (Target Responded and Engaged / Limited Engagement / No Response / Technical Failure) and a Target Vulnerability level, and write (or AI-generate from the transcript) a summary. This marks the campaign completed.

Configuration & options

OptionWhat it doesNotes
Scenario Name / DescriptionDescribes the campaign's goalHas an AI-suggest button once you've typed a couple of words
EmployeeThe real target who will receive the WhatsApp messagesChat is opened against their stored phone number
Company NameFree-text context for the scenarioNot pulled from a directory, typed per campaign
Impersonated Name / TitleThe identity the operator chats asFree text; also used to set the linked account's display name and about
WhatsApp AccountWhich linked account sends the messagesDisabled if no account is linked yet
Voice noteGenerates and sends an AI voice message, with optional ambient backgroundShares the same drawer as other voice-generation features
Campaign Outcome / VulnerabilityRecorded at completionDrives reporting, and stores the summary text

Gotchas & limitations

  • Each linked account is a real, resource-heavy session. Every linked WhatsApp account keeps its own live session running, and these add up. Don't link more accounts than you need active at once.
  • Only one active session per account. Re-linking an account that is already connected replaces the existing session.
  • Sending requires a live, connected session. If the linked account's session has dropped (phone offline, logged out, session lost), sending fails with "Client not active." Relink the account to continue.
  • Profile edits are real and persistent. Setting the display name or "about" text to match the impersonated identity changes the actual WhatsApp account, not a sandboxed view; it stays changed after the campaign ends unless you reset it.
  • A paused campaign looks like a draft. The dashboard shows dedicated views for running and completed campaigns; a paused campaign falls back to the draft view, which can be confusing if you expect a distinct "paused" screen.
  • Nothing is auto-dialed or auto-typed. There's no scripted pacing like vishing calls, every message, image, and voice note in the conversation is triggered manually by the operator.

Best practices

The in-app tips panel on the live chat screen surfaces this guidance directly to operators:

  • Plan the conversation in advance, including your opening message.
  • Prepare voice notes ahead of time so the conversation doesn't stall waiting on generation.
  • Keep messages natural and consistent with what the impersonated identity would plausibly have said before.
  • Use ambient background sounds on voice notes to make them more believable.
  • Watch the target's responses and adapt rather than following a rigid script.

Since profile name and about changes hit the real linked account, reset them after a campaign if you plan to reuse the same number for a different persona later.

Troubleshooting / FAQ

Why is the WhatsApp Account dropdown empty or disabled when creating a campaign? No WhatsApp account is linked yet (or accounts are still loading). Link one from the "Add WhatsApp account" flow, then return to the campaign form.

Why does sending a message fail with "Client not active"? The linked account's WhatsApp Web session has dropped, commonly because the phone went offline or was logged out of WhatsApp Web elsewhere. Relink the account and resume.

Why did re-linking a number I already added fail? The number is already linked as a WhatsApp account for this workspace. Pairing is rejected and the new session is torn down immediately, use the existing linked account instead of re-scanning.

Where do I see the outcome after I complete a campaign? The finished-campaign view shows the recorded outcome, vulnerability level, and summary alongside the message transcript.