“Who’s calling?”: Elevating vishing awareness with a simulation

6 minutes reading

When it comes to protecting your organization from modern cybersecurity threats, education is your first line of defense. However, conventional cybersecurity seminars and mass-distributed educational emails often fail to communicate your message to the employees effectively. Consider simulation-based training to elevate the training experience to a more engaging level.

No matter how robust your software defenses are, they cannot prevent a determined attacker from exploiting human psychology to gain unauthorized access. Recognizing this, savvy businesses are taking proactive measures to prepare their employees to face social engineering techniques.

One of the methods they can use is conducting a simulation exercise. In a previous article, we proposed a test including a QR code. This time, let’s look at a real-time test that proves just how ready your team might be to face voice phishing attacks.

What is vishing?

Vishing, short for "voice phishing," is a cunning technique that involves an attacker manipulating individuals into divulging sensitive information or transferring money over a phone call. Unlike traditional email-based phishing, vishing exploits the immediacy and personal nature of voice communication.

The results of a real-life example

The resistance to vishing was tested on employees of an unnamed technological company.

During the test, the employees encountered an attacker assuming three distinct roles:

  • Finance department support: In this scenario, the attacker posed as a finance department support agent, insisting on the confirmation of personal data sent via email. To access the supposedly critical file, login credentials were required.
  • External auditor: The attacker masqueraded as a representative from a fake auditing firm, requesting administrators to complete an online form. However, access to the form hinged on providing their credentials.
  • Colleague on leave: In the third scenario, the attacker pretended to be a fellow employee without computer access, seeking urgent assistance. Resolving the issue entailed logging into an external application.

Remarkably, the subjects of this test held their ground and effectively repelled the attacker's advances. None of them fell victim to the vishing attempts. This underscores the importance of continuous cybersecurity education, as these are employees of a company with a robust cyber awareness program, including regular training in various forms.

Confronted with a potentially questionable situation, they adeptly recalled and applied the preventive principles they had previously acquired, thereby shielding their company from the potential ramifications of a social engineering attack.

Anti-vishing practices: How to avoid becoming a victim?

1. Be aware of the potential dangers

Be vigilant whenever you receive an unexpected phone call from any "authority," for example, a bank, government institution, or technical support. Even though the caller might be who they claim to be, it is always good to know the potential risks and to proceed with caution. 

2. Validate the caller’s identity

The employees who participated in the simulation above always tried to validate the caller's identity – and you should follow their example. When receiving a suspicious call, request the caller’s full name, contact details, and organization information. Don't hesitate to cross-reference this data with official sources, such as your organization's website or prior communication.

3. Ask challenging questions

Baffle potential attackers by posing questions they can't readily answer. Depending on the context, inquire about previous interactions, supervisors, or common acquaintances. Diving deeper into the conversation can expose inconsistencies and reveal their true nature.

4. Beware of urgent requests

Vishing attackers often imply urgency to sway their targets. Stay vigilant and scrutinize any request that pressures you to act quickly. Don't allow yourself to be cornered into making hasty decisions.

5. Verify and report

When in doubt, terminate the call and independently contact the institution's official representative. Reporting suspicious calls is crucial, as it contributes to collective cybersecurity efforts.

6. Educate and foster cyber awareness

Share these insights across your organization. Anyone can become the target of a vishing attack. Create a culture of cyber awareness and instill the importance of skepticism.

6 steps for a successful vishing simulation test

By conducting vishing simulations, you effectively empower your team to recognize and resist vishing threats. The aim isn't to finger-point or to punish the employees who stumble, but to enhance their cyber awareness. Treat each simulation as an opportunity to confidently prepare your colleagues to confront and repel social engineering tactics.

Step 1: Define the objectives and scope

Start by establishing clear objectives for the vishing simulation. Are you aiming to assess employees' response to suspicious phone calls or evaluate the effectiveness of your organization's security training program? Determine the scope of the simulation, including the departments, employees, or specific roles you intend to target.

Step 2: Gain approval from management

Explain the purpose, benefits, and potential outcomes of the vishing exercise to your company’s management. Address any concerns and highlight how this proactive approach can help identify vulnerabilities and reduce the risk of real-world security breaches.

Step 3: Develop scenarios

Craft realistic vishing scenarios that mimic potential threats your employees may encounter. Consider scenarios involving callers posing as IT support technicians, service providers, or even internal personnel seeking sensitive information. Develop a convincing and plausible script, ensuring it contains red flags typical of vishing attempts, such as urgency, intimidation, and requests for confidential data.

Step 4: Inform and train the employees

Prior to testing the employees, remind them about the importance of cybersecurity awareness and encourage them to follow established protocols when dealing with suspicious calls. Conduct refresher training sessions if necessary.

Step 5: Evaluate the results

After the simulation, gather and analyze the collected data. Identify trends, patterns, and areas of improvement. Organize a debriefing session with participants, discussing the simulation's purpose, outcomes, and lessons learned. Provide constructive feedback and use real-world examples to emphasize the significance of detecting a vishing attack.

Step 6: Continuously improve

Use the insights gained from the vishing simulation to refine your company's security training programs, policies, and procedures. Consider conducting regular similar simulations to maintain a high level of employee preparedness and adaptability to emerging threats.

Are you ready to put your team's defenses to the test? With the right preparation, a vishing simulation can strengthen your company’s cybersecurity posture.