During the past 6 years at Social-Engineer, LLC (SECOM) we’ve made over 45,000 calls to companies all over the world. Banks, startups, tech firms, pharmaceutical companies, defense contractors, and many other organizations have contracted us to do vishing (voice phishing) calls for them. When we call these organizations to test their employees, our goal is to find out where their defenses are strong, and where they need fortification. Right now, many of these employees are working from home. That makes it a perfect time to review how to manage your vishing defenses from home.
At SECOM we are used to working from home-based offices; however, many of our clients are not. They are in a new environment, with new challenges and benefits, which forces them to explore and deal with things in new ways. Companies that relied on monitoring software and nearby managers to catch calls and conversations that went poorly may find it hard to keep up with the attacks that are coming from all over the world. Companies that don’t have up-to-date training for their employees are at a higher risk of falling victim to vishing. These attacks are overwhelming their employees, reaching right inside their homes.
The Progress and Impact of Vishing
Chris Hadnagy’s breakthrough book, Social Engineering: The Art of Human Hacking, published in 2010, detailed many of the common tactics and techniques of bad actors. Times change, and Chris will tell you to read his new and updated book, Social Engineering: The Science of Human Hacking, instead. While the principles Hadnagy writes about may be similar, the methods we see today are constantly adapting. Attacks targeting an employee may leave their machine compromised, revealing company data and how to access it remotely. There is also a personal risk involved for employees working from home. A compromised machine may give the attacker their home’s location, a list of devices on their personal network, and more. News reports are already detailing how attackers are using voicemail-based attacks, hitting over 100,000 work-from-home targets.
These reports show that one of the most dangerous attacks out there is a simple phone call. It’s effective, personal, and very flexible in its approach. But with attacks evolving and adapting, how can you protect your employees from falling victim to a vishing attack?
Defensive Techniques Applied
Applying defensive techniques will equip your employees to recognize and avoid vishing attacks. Here are six that we recommend.
1. Set clear policies on what information can be shared
Employees should be taught what information they may share and with whom. Otherwise they cannot do their jobs properly, and they cannot defend themselves or the company. By putting policies in place, you give your employees a way out. If company policy doesn’t allow the sharing of certain information, employees are able to say no without feeling guilty or that they’re being rude.
2. Train your employees
Relying on employees to be secure without training never works. A direct quote from one of the members of the SECOM Vishing Team: “I actually love when people try to ‘catch’ me.” Afterwards, he mentioned that when people are in that mindset, they always give up compromising information. Without proper training and policies in place, employees are less likely to recognize the attack, and a skilled attacker can exploit that to gain more information. This is especially the case when an employee has a rush of confidence from believing they’ve “caught” an attacker.
3. Verification processes
Have a policy in place that allows employees to verify vendors and fellow employees. Verification processes equip your employees to take positive action against attackers. You don’t want them hanging up on actual, real vendors and customers who have slightly off questions or personalities.
4. Give employees the power to end the call
If employees are trained to be cordial and friendly and to let the caller dictate the length and pace of the call, they become vulnerable. The “customer is always right” policy adds immense pressure on your employees to agree with requests, making them afraid to say no. Similarly, making employees resolve calls within a certain time limit, or face repercussions, actively empowers attackers and puts stress on the employees that will lead to a compromising reveal of information. Put it within their power to decide when they can end the call.
5. Escalation protocols
Your employees need to be able to send a caller to someone higher up when they get suspicious, whether that’s a dedicated line to a group specifically in charge of security, or their manager. It may be good to send out a reminder email to all your employees working from home about how exactly to escalate their concerns.
6. Give your managers extra security training
So many times over the years, suspicious and intelligent employees have directed us to managers, and then we compromised the organization through the manager. That means that managers themselves need better training in the security and proper handling of calls and information. Likewise, if an employee doesn’t feel comfortable sending calls to their manager, or even asking them questions, then attackers can very easily apply pressure and the employees have no recourse.
The Importance of Readiness
Why is it now even more important to apply defensive techniques in a home environment? Because people are stressed. They are working in a different environment than they are used to, and that can affect their mindset, leading to lapses in security. There need to be systems in place for communication in the company when employees are not in close physical proximity. Sometimes when testing, we are caught simply because one person overheard a suspicious conversation in a neighboring cubicle. Sometimes a company becomes more defensively minded when employees discuss strange phone calls over lunch or during a coffee break together. Attackers are also preying on the claustrophobic environment many are living in under stay-at-home orders. People want to talk to each other; they often miss the camaraderie that they are used to. All those things can become a vector for attackers to be especially effective right now.
These guidelines are effective at every level. They come from first-hand accounts of what stops the team at SECOM during vishing engagements. Real stories from clients dealing with attackers have helped us refine what is important, and now we’re sharing it here. These steps are vital to protecting your employees and your company while so many are working from home. They are simple, human, trainable things that you can institute without needing to rely on a new technological solution. Stand guard and keep these principles in mind when selecting training and designing policies for your company. Keep an eye out for our continuing updates on new attack vectors and ways to defend against them.