Vishing under the microscope: how bad is it and what can you do about it?
Voice phishing is a growing threat. Keepnet's 2024 report shows 70% of companies are at risk, with the Manufacturing & Engineering sectors most vulnerable. Learn how to protect your organization with targeted vishing training and simulations.
2024-06-05
The Hidden Danger of Vishing: Protecting Your Organization from Voice Phishing Attacks
Did you know that 68% of data breaches in 2023 involved human error? According to the Verizon Data Breach Investigations Report, most breaches stemmed from social engineering attacks, including phishing and its lesser-known counterpart, vishing. Vishing exploits voice communication to deceive employees into divulging sensitive information.
To uncover the scale of this threat, Keepnet Labs conducted a year-long vishing simulation across multiple industries. The findings, published in the Keepnet Vishing Report, highlight how alarmingly vulnerable employees can be to these voice-based scams.
In this blog, we’ll discuss why vishing is a significant threat, explore the findings from Keepnet’s vishing campaign, and outline practical strategies to fortify your defenses against this evolving cyber risk.
Why Vishing Matters
Humans are inherently social and responsive to authority, making them prime targets for manipulation. Unlike email phishing, vishing leverages real-time interactions, making fraudulent requests feel more urgent and credible. Scammers often impersonate trusted figures, such as bank managers or IT support, to coerce victims into:
- Revealing login credentials for corporate systems.
- Approving fraudulent financial transactions.
- Resetting passwords to grant attackers unauthorized access.
Advanced tools like spoofed Caller ID and deepfake audio amplify the realism of these scams. In one case, a UK-based company lost $25 million after an attacker mimicked the CFO’s voice using AI.
Findings from Keepnet’s Vishing Simulations
Between January 2023 and January 2024, Keepnet ran simulated vishing campaigns targeting employees in various sectors. Here’s what we discovered:
- 7% of employees who answered the calls fell for the scam. While this may seem small, even one successful attempt can cause severe damage.
- 40% didn’t answer the calls. It’s unclear if this was due to suspicion or other reasons, leaving their risk profile undetermined.
- 53% recognized the scam and refused to share information.
Industry Vulnerabilities
Certain sectors and roles proved more susceptible:
- Manufacturing & Engineering: 19% fell for vishing attempts.
- Entertainment & Media: 18% were deceived.
- Customer Support Staff: 12% failed the simulation.
- IT Workers: Surprisingly, 7% succumbed to vishing.
Strategies to Mitigate Vishing Risks
Given the evolving sophistication of vishing, organizations must adopt proactive measures to safeguard against such attacks.
1. Personalize Training for Vulnerable Roles
Tailor security training for high-risk departments like customer support and sales teams that frequently interact with external contacts. Use vishing simulation tools to mimic real-world scenarios.
2. Customize Training to Industry Threats
Industries face unique risks. For example, manufacturing firms may be targeted for intellectual property, while media companies could face reputation-damaging leaks. Sector-specific training ensures employees are equipped to counter targeted attacks.
3. Foster a Culture of Continuous Learning
Cyber threats evolve constantly. Organizations must:
- Regularly update training modules.
- Host interactive workshops to maintain engagement.
- Encourage peer learning through shared experiences.
4. Reward Vigilance
Recognize and reward employees who successfully identify and report vishing attempts. This fosters a positive security culture and motivates vigilance.
5. Streamline Reporting Mechanisms
Simplify the process for reporting suspicious calls. Employees should feel confident flagging potential threats without fear of judgement.
The Role of Technology in Vishing Prevention
The right tools can make all the difference. Look for solutions that offer:
- Customizable vishing simulations for different roles and industries.
- Detailed analytics and reporting to identify high-risk groups.
- Automated updates to stay ahead of emerging threats.
Managed vishing awareness services can take the burden off IT teams, ensuring consistent and effective training. Keepnet Labs found that organizations implementing regular simulations achieved up to a 90% success rate in identifying and mitigating vishing attempts.
Conclusion
As voice phishing becomes an increasingly common attack vector, organizations must prioritize vishing awareness training and proactive defense measures. By combining customized training, a culture of vigilance, and advanced tools, you can minimize the risk of vishing-induced breaches.
For more insights, download Keepnet’s 2024 Voice Phishing Response Report and start safeguarding your team today.
Editor's Note: This blog was updated on December 9, 2024.