When it comes to protecting your organisation from modern cybersecurity threats, education is your first line of defence. However, conventional cybersecurity seminars and mass-distributed educational emails often fail to communicate your message to the employees effectively. Consider simulation-based training to elevate the training experience to a more engaging level.
No matter how robust your software defences are, they cannot prevent a determined attacker from exploiting human psychology to gain unauthorised access. Recognising this, savvy businesses are taking proactive measures to prepare their employees to face social engineering techniques.
One of the methods they can use is conducting a simulation exercise. In a previous article, we proposed a test including a QR code. This time, let’s look at a real-time test that proves just how ready your team might be to face voice phishing attacks.
What is vishing? Vishing, short for "voice phishing," is a cunning technique that involves an attacker manipulating individuals into divulging sensitive information or transferring money over a phone call. Unlike traditional email-based phishing, vishing exploits the immediacy and personal nature of voice communication. |
The results of a real-life example
The resistance to vishing was tested on employees of an unnamed technological company.
During the test, the employees encountered an attacker assuming three distinct roles:
- Finance department support: In this scenario, the attacker posed as a finance department support agent, insisting on the confirmation of personal data sent via email. To access the supposedly critical file, login credentials were required.
- External auditor: The attacker masqueraded as a representative from a fake auditing firm, requesting administrators to complete an online form. However, access to the form hinged on providing their credentials.
- Colleague on leave: In the third scenario, the attacker pretended to be a fellow employee without computer access, seeking urgent assistance. Resolving the issue entailed logging into an external application.
Remarkably, the subjects of this test held their ground and effectively repelled the attacker's advances. None of them fell victim to the vishing attempts. This underscores the importance of continuous cybersecurity education, as these are employees of a company with a robust cyber awareness program, including regular training in various forms.
Confronted with a potentially questionable situation, they adeptly recalled and applied the preventive principles they had previously acquired, thereby shielding their company from the potential ramifications of a social engineering attack.
Anti-vishing practices: How to avoid becoming a victim?
1. Be aware of the potential dangers
Be vigilant whenever you receive an unexpected phone call from any "authority," for example, a bank, government institution, or technical support. Even though the caller might be who they claim to be, it is always good to know the potential risks and to proceed with caution.
2. Validate the caller’s identity
The employees who participated in the simulation above always tried to validate the identity of the caller – and you should follow their example. When receiving a suspicious call, request the caller’s full name, contact details, and organisation information. Don't hesitate to cross-reference this data with official sources, such as your organisation's website or prior communication.
3. Ask challenging questions
Baffle potential attackers by posing questions they can't readily answer. Depending on the context, inquire about previous interactions, supervisors, or common acquaintances. Diving deeper into the conversation can expose inconsistencies and reveal their true nature.
4. Beware of urgent requests
Vishing attackers often imply urgency to sway their targets. Stay vigilant and scrutinise any request that pressures you to act quickly. Don't allow yourself to be cornered into making hasty decisions.
5. Verify and report
When in doubt, terminate the call and independently contact the institution's official representative. Reporting suspicious calls is crucial, as it contributes to collective cybersecurity efforts.
6. Educate and foster cyber awareness
Share these insights across your organisation. Anyone can become the target of a vishing attack. Create a culture of cyber awareness and instil the importance of scepticism.
6 steps for a successful vishing simulation test
By conducting vishing simulations, you effectively empower your team to recognise and resist vishing threats. The aim isn't to finger-point or to punish the employees who stumble, but to enhance their cyber awareness. Treat each simulation as an opportunity to prepare your colleagues to confront and repel social engineering tactics confidently.
Step 1: Define the objectives and scope
Start by establishing clear objectives for the vishing simulation. Are you aiming to assess the response of employees to suspicious phone calls or evaluate the effectiveness of your organisation's security training program? Determine the scope of the simulation, including the departments, employees, or specific roles you intend to target.
Step 2: Gain approval from management
Explain the purpose, benefits, and potential outcomes of the vishing exercise to your company’s management. Address any concerns and highlight how this proactive approach can help identify vulnerabilities and reduce the risk of real-world security breaches.
Step 3: Develop scenarios
Craft realistic vishing scenarios that mimic potential threats your employees may encounter. Consider scenarios involving callers posing as IT support technicians, service providers, or even internal personnel seeking sensitive information. Develop a convincing and plausible script, ensuring it contains red flags typical of vishing attempts, such as urgency, intimidation, and requests for confidential data.
Step 4: Inform and train the employees
Prior to testing the employees, remind them about the importance of cybersecurity awareness and encourage them to follow established protocols when dealing with suspicious calls. Conduct refresher training sessions if necessary.
Step 5: Evaluate the results
After the simulation, gather and analyse the collected data. Identify trends, patterns, and areas of improvement. Organise a debriefing session with participants, discussing the simulation's purpose, outcomes, and lessons learned. Provide constructive feedback and use real-world examples to emphasise the significance of detecting a vishing attack.
Step 6: Continuously improve
Use the insights gained from the vishing simulation to refine your company's security training programs, policies, and procedures. Consider conducting regular similar simulations to maintain a high level of employee preparedness and adaptability to emerging threats.
Are you ready to put your team's defences to the test? With the right preparation, a vishing simulation can strengthen your company’s cybersecurity posture.