Vishing under the microscope: how bad is it and what can you do about it?

Humans have always been a popular target for threat actors. That’s why phishing remains a top attack vector today. More than two-thirds (68%) of data breaches last year involved a “non-malicious human element” such as employees falling victim to social engineering, according to Verizon. But just how big a risk is voice phishing (vishing)?

To find out more, Keepnet ran simulated vishing campaigns against dozens of organizations between January 15, 2023, and January 15, 2024. Presented in Keepnet vishing report, the anonymized results reveal just how susceptible many employees are to voice-based scammers.

Given the potentially critical financial and reputational damage that can stem from vishing, it may be time to revisit your security awareness training program.

Why vishing matters

Humans are social creatures. And we live our lives according to the narratives we construct – to make sense of ourselves and the world around us. That means many of us are perhaps more credulous of the stories that strangers tell us than we should be. These stories are arguably made more believable when they are told to us “live” over the phone, by someone impersonating an official or authority – like a bank manager or police officer.

Vishing attacks could be launched to accomplish a variety of goals, but usually they focus on:

• Obtaining passwords/logins to enterprise resources like SaaS apps, back-end cloud resources or corporate networks
• Password resets for targeted accounts (eg, if the visher is calling the IT help desk)
• Requesting a transfer of corporate funds to a bank account under the fraudster’s control (a variation on the business email compromise scam)

These efforts have become more convincing still thanks to spoofed CallerID tools, which help to hide the caller’s true identity and help the scammer seem more legitimate. And deepfake audio/video, which can even impersonate senior officials in an organization. One firm lost $25m after an employee fell for AI-powered trickery impersonating the company’s CFO.

What did we find?

Our vishing simulation campaign revealed some concerning findings:

• 7% of those who picked up the phone fell for the scam. That may not sound like much, but even one successful vishing attack could lead to a serious data/security breach
• 40% did not pick up – however, it’s not clear if this was because they suspected fraud, or if they didn’t answer for other reasons. If the latter, they could still represent a security risk
• 53% were aware that the call was a scam – they either hung up quickly or declined to share sensitive data

Our research also found that some sectors and roles are more at risk than others:

• 19% of respondents in the Manufacturing & Engineering sector fell for our vishing tactics
• 18% of targets in the Entertainment & Media fell for the vish
• 12% of those working in Customer Support were successfully vished
• 7% of IT workers were caught out

What happens next?

Vishing is playing an increasingly important role in the threat landscape. Whether it’s a targeted attack on an IT helpdesk, as part of a major ransomware operation, or an opportunistic hybrid attack which may begin with a spam phishing email – the threat is real. So what can your organization do to avoid becoming the next victim?

Consider the following:

Personalize training for specific departments/roles: Those identified as most at risk should receive specialized training focused on the scenarios they’re most likely to encounter. Departments and roles like sales and customer support, which communicate more often with external sources, are particularly at risk. Simulation software can help here, while interactive workshops and role-playing exercises can enhance engagement and retention of information.

Ensure training is relevant for your industry: Customized training modules will help to address the unique threats facing your specific sector – and provide more practical, helpful and relevant guidance for employees.

Drive continuous learning: The bad guys never stop innovating and experimenting, meaning your vishing training programs must continuously adapt to ensure staff always have up-to-date awareness of the latest malicious tactics and techniques. Encourage employees to share and learn from each other to create a culture of vigilance.

Consider employee awards: Reward employees who successfully identify and report vishing attempts in order to motivate others and help create a security-by-design culture.

Improve reporting: Simplify the process of reporting suspected vishing attempts to encourage staff to flag suspicious calls without fear of reprisals. It should be quick, seamless and appraised without judgement.

The right tools can help deliver on all of these goals. They should be easy to deploy, manage and update, with customizable scenarios and advanced reporting. Even better – look for managed vishing awareness services that take the strain off IT teams completely. We found that adding regular vishing simulations to cybersecurity training helps employees recognize and respond to voice phishing attacks with a success rate of up to 90%.

Vishing is here to stay. But like any cyber risk, it can be managed with the right approach.

To find out more, read Keepnet’s 2024 Voice Phishing Response Report here.