The Voice Vulnerability

Phone calls may seem old school, but they're still one of the most effective methods for bad actors to launch a cybersecurity attack. Once the target answers the phone, our human vulnerabilities are available for compromise.

What is Vishing?

Vishing, or voice phishing, is a social engineering tactic that uses a phone call to coerce a potential victim into revealing sensitive information. Bad actors commonly impersonate well-known brands and leverage publicly available information to establish credibility and advance their scheme. Targeted vishing attacks can also combine other techniques like email phishing or smishing (SMS phishing via text message). Combining multiple methods builds a more convincing narrative and increases the success rate of the scam. For example, a bad actor could impersonate an IT support technician in a phishing email and then follow up with a vishing call. The victim may recognize the imposter IT technician's name from the email and is therefore more likely to trust and engage.

History

Vishing attacks have existed since the early 1990s and continue to grow in popularity because they work. Even seasoned employees can be compromised by a skilled social engineer, which can lead to the disclosure of sensitive information, such as credentials, trade secrets, account data, or personally identifiable information. Some of history's most significant data breaches have started with a successful social engineering attack. All the technical controls that you have put in place against cyber attacks are moot if a bad actor can exploit the human element instead.

The effectiveness of vishing stems from the predictability of customer- or member-facing employee behavior, combined with the unpredictability of how third parties and other stakeholders interact with your employees. Vishing attackers count on your employees to approach the interaction with social norms and acceptable conduct in mind. The bad guys are counting on your employees to be polite, helpful, and accommodating; they will use tactics like building urgency and raising the stakes of the situation (e.g., “I got a notification that my account is overdrawn” or “I have a work order from your supervisor to conduct this test”). Malicious actors also have no shame in tugging on your employees’ heartstrings and relying on sympathy to get what they want (e.g., “My mother is in the hospital, and I need to check her account balance” or “It’s been a long day, and you’re the last employee on my list to confirm this information”). Our vishing simulations incorporate these same real-world tactics to test your employees, who are walking the tightrope between being cooperative and being compromised.

Our Approach

To start, our team works to scope the engagement to fit your needs. For instance, your company may want us to impersonate certain vendors or internal employees to maximize the campaign's effectiveness, or you may leave it up to us to deploy our most successful techniques. After the scoping process, we'll employ strategies similar to those of an attacker, like altering caller ID appearances and prodding the flaws of the human psyche. We aim to give your organization the best possible impersonation of a real-life vishing attack, so your employees are ready when it counts. Upon conclusion of the campaign, we'll provide your organization with a comprehensive report that details how your team performed under pressure.

How to Defend Against Vishing

The first step to avoiding a social engineering scam is end-user training. Education should be administered throughout the year to develop a culture of awareness. After a vishing simulation, it's essential to review the results with your team and give one-on-one guidance to employees who fail the test. Also, your teams should discuss the importance of security awareness in team meetings. The goal is to keep an ongoing dialogue regarding how to protect your organization's data.

In addition, ensure your company’s internal policies address vishing and provide guidance on engaging with unknown entities on the phone. Policies should define what information is safe to share over the phone and how to perform out-of-band verification of a caller's identity (for example, hanging up and calling back on a number from a trusted directory rather than one the caller supplies). It's also important to establish what an employee should do if they're suspicious of a caller and how to report an incident through the proper channels.

AI and the Future of Vishing

Artificial intelligence is making its way into our everyday lives. While AI will improve the capabilities of our existing technology, it can also provide an attacker with increased firepower. AI-based voice cloning tools are growing in popularity and ease of use. These tools allow an attacker to clone a target's voice with an audio clip as short as 10-15 seconds. For example, imagine that an attacker cloned the voice of your CEO using publicly available audio from a recent public speaking engagement. If that attacker used the voice of your CEO to call someone in your finance department, do you trust that your employee would be able to uncover the scam before wiring money to an offshore account? Unfortunately, this is an example of a real-world attack that's happened many times and will continue to be a threat in the future.

AI-based tools will increase the rate of vishing attacks and the likelihood of their success. Take action to defend your organization today.
