Vishing (voice-based phishing) is the practice of eliciting information or attempting to influence action via the telephone. It is a very dangerous attack vector that malicious actors have been using more and more in recent years. When it comes to vishing attacks on corporations, they often involve callers leveraging company information against the employees.
The threat actors may pose as someone internal. They may impersonate an authority figure or someone inexperienced, such as an intern. By talking to employees over the phone, they can employ influence tactics to coerce unsuspecting victims into divulging sensitive information. In the real world, this may even involve the use of fear tactics to scare and/or pressure the employee into doing their bidding.
Because of this problem, many corporations take matters into their own hands and deploy defense strategies. Often these defenses include security awareness training, as well as “vishing exercises” for their employees. These vishing exercises may include the use of robocalls or even live human-to-human simulations. But which of these is more effective? And which can have a more positive impact on strengthening the security posture of your company? This article will discuss just that.
Corporations often have a large population of employees. Because of this, they may choose to use robocalls as a means of testing the security awareness of their staff and whether they would fall victim to a vishing scam. The call may be a pre-recorded human message that is played back once the target answers the phone. It may also be an automated machine that plays back scripted text once the phone is picked up. Though these types of vishing campaigns are statistically able to cover more ground, it raises the question: do they really help educate employees?
Often, the data that corporations get back from their robocall campaigns is “positive,” with most employees not falling for the vishing tests. On the surface, it may seem like effective training. However, this data isn’t really saying much. Robocalls present a very noticeable problem: they do not give an accurate representation of what a real attack would look like. Robocalls lack the very thing that real malicious actors use to infiltrate a company: the human element. They lack the rapport building an attacker would use to influence their target. This is something that robocalls simply cannot offer.
Ask yourself: would I answer questions over the phone once I realize I’m talking to a robot?
More than likely, none of us would. In the real world, we are bombarded with robocalls so often that we’ve grown all too accustomed to spotting them right away and simply hanging up. This likely rings true for your employees as well. Training your staff not to disclose information to a robot, something they are likely familiar with already, might not be the best use of a training budget.
Why Live Vishing?
So, if robocalls truly are not as effective as they claim to be, what do live vishing calls have to offer? For one, live vishing calls can give an accurate representation of what a real-world attack looks like. It is worth mentioning that when we talk about “live vishing,” we are not referring to call center services that pump out vishing calls at very high volumes. Call centers can match the volume of a robocall campaign. However, they also tend to lack the feeling of a true simulation. Though humans may be making the calls, they tend to use scripts with little deviation from their defined path. As a result, they do not pivot the conversation based on the target’s responses. This does not fully test your staff’s ability to thwart a real vishing attack.
On the flip side, a dedicated team of professionals trained in elicitation and social engineering can provide the best possible training for your staff. By using the same elicitation techniques that the bad guys may use and pivoting the conversation based on the target’s rebuttals, it tests the critical thinking skills of your employees. All the security awareness training and speeches they may have sat through in the past are now put to the test, and as a result they are able to apply that training in practice. This type of application has a lasting effect. It teaches us how to break old habits we may have had and build new “security-minded habits” while on the job.
At Social-Engineer LLC, we pride ourselves on the live vishing services that we provide to our clients. Our team of trained, certified professional vishers provides the best vishing simulations to staff members over live human-to-human phone calls. We do not have a “one size fits all” script for the calls we make. Rather, we work with our clients to tailor custom pretexts that best fit the organization we’re working with. These pretexts effectively test staff members’ knowledge of established policies and procedures when dealing with an unknown caller asking for sensitive information.
We also test employees’ critical thinking skills by using science-based social engineering influence and elicitation tactics. In the real world, an attacker likely will not be dissuaded by a simple “no.” So, we like to keep staff members on their toes for just that scenario. At the same time, we promote a positive atmosphere of education. In the pretexts we use, we refrain from themes involving fear or threats. Rather, we focus on leaving tested employees “better for having met us.” At the end of the day, we are not the real bad guys. So, it is important not to leave a bad taste in your staff’s mouths about security awareness training. It should be motivation for them to improve.
Cybersecurity Awareness Month
With Cybersecurity Awareness Month around the corner, corporations are already thinking about better ways to train and educate their staff. Stories like the MGM data breach are enough to make any business executive think about the security posture of their company. This is especially true when it comes to defending against vishing attacks! What better way to train your staff than with live vishing simulations? You can have the satisfaction of knowing that your staff is being trained with real-world scenarios, so they can defend against real-world attacks.
Written by: Josten Peña