Vishing (voice-based phishing) is the act of using phone calls or voicemails to trick someone into revealing personal or corporate information. Like traditional email-based phishing, it is important that companies train their employees how to recognize, handle and report vishing attacks. This piece explains how to create an effective anti-vishing program and conduct best-practice vishing exercises to improve user awareness and resilience, without adversely impacting the business.
Challenges of Vishing Awareness Training
Most cybersecurity training programs spend a good deal of time training employees on how to detect and report phishing emails. However, as the FBI reported, vishing has seen a significant increase since the beginning of the COVID-19 pandemic and a shift to remote work, and employees who are both in the office and working in other locations are at a higher risk of a vishing attack than they were two years ago.
Vishing attacks can be difficult to educate and train employees on because they are usually:
- Low volume/high impact: Vishing typically represents a very small percentage of overall phishing attacks against a company. However, when successful, vishing can provide the adversary with a foothold inside the network, where lateral movement and privilege escalation can lead to serious consequences.
- Difficult to automate: Unlike automated email messages, most successful vishing attacks require human interaction and conversation, which makes it difficult for security teams to create and conduct repeatable tests.
- Not recorded or scripted: Because voice calls are rarely recorded or scripted, they limit our ability to analyze and learn from them. Training must cover the techniques more generally, as opposed to decomposing a phishing email and clearly pointing out the clues that reveal it as an attack.
These challenges do not mean teams should avoid creating an anti-vishing program—just the opposite. Companies should ensure they regularly run vishing test exercises and train employees on vishing techniques.
Creating an Effective Anti-Vishing Program
To design and execute an effective anti-vishing program, teams should consider four main phases:
- Reconnaissance: Consider both external (or “black box”) and internal vishing. For external, determine what information gathering can be done by someone with little to no knowledge of the company. Social media platforms and corporate websites are excellent sources of information that can contribute to a realistic vishing exercise. Vishing can also occur from inside the company by someone who wants to access something they do not have permissions for. Intranet sites, org charts and even email can be sources of information for internal vishing attacks.
- Scenario development: While a vishing attack cannot be entirely scripted, it is important to write up the scenario, including the “payload” that provides the desired access or information. Some common payloads include:
  - A website that captures login information: Here, the adversary asks the victim to navigate to a website and enter their credentials or other data, which is then captured and used to gain further access within the corporate network.
  - Voice scripts: These are used to trick the victim into providing login information or data over the phone. The notorious IRS phone scams are a good example of this.
  These scenarios depend heavily on the information gathering performed in the reconnaissance step. Here, the team must also determine which departments or employees will be targeted for the exercise. Execution can be time-intensive because unlike a single email that can be sent to thousands of accounts at once, a vish is best executed by a person speaking to the intended target. Consider this when developing target numbers. The team must also plan out which phones and phone numbers will be used to make the calls. Understanding the phone system the intended target uses is important because it can help you know whether your vish will show up as potential spam on the caller ID. Many cybersecurity training and penetration-testing organizations offer vishing services and can help you navigate more in-depth approaches for your environment and infrastructure.
- Execution: This step entails actually making the phone calls and logging the information gathered from them. In some locations, it may be legal to record the calls, but your team should always work with legal and human resources to determine if there are laws or corporate policies providing direction. This step may also include providing some immediate feedback to users, who may need to change passwords that are compromised, or addressing critical gaps in policy or process that leave the company at risk.
- Post-exercises: After your vishing exercises end, it is important to analyze results and put together a report, including recommendations on next steps. In most cases, this will also include updates to training or even supplementary training for some roles/users.
Do’s and Don’ts for Effective Vishing Exercises
No one likes to fail a test, especially a test they aren’t even aware they’re taking! Security teams have an opportunity to build goodwill and trust within the company, based on how they handle vishing exercises and the subsequent reporting. We all know we should never attribute failure to an individual, but some other caveats to keep in mind include:
- DO be aware of time constraints and deadlines within the business: You don’t want to derail the product team right before a major release or hit the finance team during an audit. While we all know adversaries do not care about timelines, we need to trust that our internal teams are being respectful.
- DON’T highlight failures: Instead, focus on increased reporting and encouraging secure behaviors. Employees will naturally want to fall into a group that is celebrated.
- DO include senior executives and their assistants in the vishing exercises: These roles are major targets for an adversary and must be just as aware of these tactics as others in the company.
- DON’T use personal phone numbers that you cannot find on social media or with a quick public search. Always honor the privacy of your employees.
- DO provide training in advance of any vishing exercises: As with all awareness training, your goal is not to “catch” or “fool” anyone, but rather to reinforce best practices to keep the company and employees safe.
- DON’T be one size fits all: Tailor follow-up training to the role. If the recruiting team showed signs of needing training, discuss common tactics and techniques that an adversary will use against recruiting teams. People are much more likely to listen and learn when the information is tailored.
- DO continuously train with anti-vishing programs set up in phases: Perhaps the first phase targets 10% of the company, then the second phase targets another 10%. This lets you exercise as much of the company as possible, while ensuring time for feedback in between.
- DON’T forget to talk to competitors in your vertical: Find out what they are doing. Information sharing is a fantastic way to gain situational awareness that will improve your company’s security posture.
Protect Your Business Against Vishing Attacks
Vishing is on the rise, and a successful vish can provide the adversary with a foothold into your company’s networks and access to your most critical data. To ensure your anti-vishing program is successful, pay close attention to:
- The anti-vishing program process: Creating effective anti-vishing programs includes multiple steps, from reconnaissance to lessons learned and reporting. Each must be allocated enough time and resources.
- Vishing exercise best practices: Keep the event positive by being respectful of team deadlines and activities, reinforcing positive results (e.g., what percentage of people report a vish), and tailoring training to individual departments/roles.
- Continuous training: Build the company’s muscle memory through a continuous cycle of vishing education, training, exercising and reporting.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.