How a European Bank Improved Vishing Defense
"Discover how a European bank boosted employee awareness to identify voice scams by 92% in just six months, reducing incident response costs by 38%."
Introduction
A large European bank operating in four countries with 40,000+ employees was frequently targeted by voice scams.
They had a cybersecurity awareness program in place, but they were still inundated with complaints from employees and customers, who said that the attacks violated their privacy, caused panic, and put them at risk of data breaches.
The bank looked into the complaints and discovered that some users did not report attacks at all. At the same time, few employees were able to identify the scam and avoid falling for it.
Successful Outcomes
Prevented a $5.4M potential loss annually.
Improved employees' ability to recognize and report fake phone calls by 92% within the first 6 months.
Promoted secure behavior among employees.
The Risk of Inaction
Failure to comply with local and international regulations such as HIPAA, CCPA, NIST, GDPR, PCI DSS, etc., can lead to legal sanctions and reputational damage. At this point, restoring client confidence was one of the essential tasks for this bank.
Along with these, there was the risk of lost productivity and financial loss. Dealing with vishing cases took up a significant amount of staff time and cost the company money. Brand damage and the loss of customer trust would also result in additional revenue loss.
Voice scams are sometimes combined with other social engineering attacks, such as smishing or phishing messages, to bypass multi-factor authentication, obtain a one-time password, or get a victim to download malicious attachments, all of which could lead to the illegal sale of sensitive data.
Over and above this, inadequate protection and monitoring of employees who have started working from home created a separate risk, especially since remote workers are more exposed to vishing attacks.
Potential Loss Prevented
| Metric | Value |
| --- | --- |
| Average reported loss per person | $502 |
| Employees recognizing and reporting vishing | 62% to 92% in 6 months |
| Total potential loss prevented | $5.4M annually |
Costs Saved From Incident Response
| Metric | Value |
| --- | --- |
| Average time to respond to a vishing incident | from 18 hours to 7 hours |
| Average cost of one staff member | $60 per hour |
| Cost of a single vishing incident | reduced from $1,080 to $420 |
| Average number of vishing incidents reported per year | 260 |
| Total estimated cost saving | $171,600 annually (reduced from $280,800 to $109,200) |
The figures above cover staff costs only; full triage is expected to cost more than that and could take up to two weeks to complete, so actual losses could be higher. For instance, according to a report from CNBC, nearly one in three Americans say they have fallen victim to a phone scam in the past year, with the average reported loss being about $502 per person [1]. Another report from Truecaller estimates that the number of victims is increasing year after year: 68.4 million Americans fell victim to a phone scam in the past 12 months and lost $29.8 billion to scam calls [2].
How the Bank Succeeded in Minimizing Vishing Risks
Achieved a 92% success rate in identifying voice scams during vishing campaigns within 6 months.
Reduced the number of vishing cases, boosting business productivity.
Improved the mechanism for reporting incidents and following up on them.
Reduced employee stress and anxiety levels, enhancing overall productivity.
Operational Results
Ensured long-term compliance with new vishing security procedures and a vishing incident response playbook.
Provided continuing and deep-rooted protection against vishing attacks.
Minimized ransomware risks through experienced handling of different attack types.
Saved $5.4M annually in potential losses.
Strategic Results
Identified employees who fell for voice scams and ignored incident reporting.
Monitored and enhanced existing incident response routines, revealing gaps and improving procedures.
Implemented training programs incorporating behavioral science elements like reinforcements, nudges, and other exercises to promote secure behavior.
Tested employee compliance with security policies and improved behaviors through targeted training.
Implemented and tested new technology to block spoofed calls and known fake numbers.
Updated their threat-sharing policy to include attacker profiles and tactics, informing authorities and other financial organizations about threats to enable proactive prevention.
“We recognized the need to improve our cybersecurity awareness program and protect employees from devastating voice scams. By implementing vishing simulations and enhancing our processes, we increased our control over vishing attacks and eliminated them 12 times faster. Our employees showed a 92% improvement in recognizing fake phone calls.”