Vishing, a word that was entered into the Oxford Dictionary in 2015, is what we call “voice phishing”: using the telephone to phish information from targets, which can lead to network, personal, or financial compromise. Vishing has become the second largest attack vector (after email phishing) that we see today.
Is this just FUD (fear, uncertainty, and doubt)? No. Reports from Agari and PhishLabs show a 550% increase in vishing attacks between Q1 2021 and Q1 2022. The topic is getting more and more attention. Even well-known tech journalist Dan Tynan recently wrote an excellent article on how dangerous vishing is, noting that education, awareness, and critical thinking are essential to saving your company from these attacks.
Although all of the above is true, there is a problem with articles like that one, and even with the available statistics. They are misleading.
Painting with a New Brush
The above-mentioned article stated, “Unfortunately, notes Grimes, the big telecoms won’t allow companies like KnowBe4 to make unauthorized voice calls to employees without their permission. So anti-vishing training can’t be conducted in the same way. (Knowing that a vishing call is coming kind of defeats the purpose.)”
This is only true because most companies are using robo-callers: automated systems that dial a number, play a pre-recorded message, and try to dupe the recipient into pressing a button, which is then counted as proof of vulnerability.
On the surface, this seems like a great idea. It closely mirrors what the industry has done with phishing: sending mass emails to a client’s employees to see who clicks and who reports the suspected test phish.
The problem is that this does not mirror what actual attackers are doing. In fact, it is the very opposite of what we see in the wild. Think about the last vishing call you received from a real attacker. Perhaps it was “Microsoft calling to help you with errors,” or “the IRS calling to say you owe taxes and can pay with gift cards,” or “your child or grandchild calling for help with bail or a large bill.” Were any of those callers robots? Were any of those calls automated messages?
No, they were not. There was a live human on the other end of the phone, which is why we see the 550% increase in this vector and its much higher success ratio. Real humans make the call believable, and that is where the above article had a critical flaw.
By stating that “anti-vishing training can’t be conducted…,” it did not paint an accurate picture for those of you reading it.
What Can Be Done?
OK, so we made a pretty bold claim there, maybe even a confrontational one. We get it, and we take no pleasure in it. But it is our duty to educate based on the facts and to help keep your data safe, so it is important that we address misinformation when we see it forming.
We feel strongly about this because, over the last 10 years, Social-Engineer, LLC has conducted live, active, human-based vishing training totaling thousands of calls a month, with excellent results.
One of our case studies shows how, after just three years of working with one client of more than 70,000 employees, the compromise ratio fell from 72.2% to 33.5%. We did not use a single robo-caller. You can read the entire case study here.
We mimicked what a real attacker would do, using real attack scenarios. This testing had a remarkable effect on the client and their people, and it still does to this day.
Why Even Bring This Up?
Before we decided to write this, we had to ask ourselves: are we just being picky? Are we being combative or argumentative? The short answer is no.
As leaders in the field of social engineering, it is our duty to speak up. People may read that article and think, “There is no way to train my people and no protection, so maybe we just send them that video once a year and hope for the best.” We could not, in good conscience, let that go when we know there is a solution that can and does work to bring about real change in corporate environments.
Attackers are constantly progressing and coming up with new and more effective attacks. They are always improving, always trying to manipulate and deceive us, and often succeeding. We must be ready to fight back. Are you as tired as we are of having to worry about every phone call, every email, and every text message that comes in? We know this is not a silver bullet, but we are willing to spend the time and money to make sure your people are safe. We hope they carry that security culture home to their families, so that it spreads even wider and creates more security-conscious communities.
As with all awareness training, this is not a blinking box you can plug into your network to become “hacker proof.” It takes time, energy, resources, and effort to work. But one thing we can tell you, from performing these very types of tests and audits for a decade and a half now, is that it DOES work.
If you are interested in seeing how we can help your company be protected against real, live vishing attacks, shoot us an email and we would be happy to meet and discuss how we can support you.
Until next time, stay safe.