Cybercriminals no longer break in using complex code; they simply ring the doorbell. Voice phishing, or vishing, often begins with a friendly and persuasive "good morning". It is personal, urgent, and frequently much more effective than the best phishing email. It sounds like a helpful colleague, but it can lead to a major data breach.

The recent data breach at Odido painfully demonstrated that every organisation is vulnerable when it comes to the human factor. The attack most likely began with email phishing, but it was a sophisticated vishing call (voice phishing) that clinched the deal. The attacker gained an employee's trust and talked them into handing over their MFA code. A one-time code works for whoever enters it, so that single phone call was enough to bypass the second factor and resulted in unauthorised access to customer data.

As part of our Ransomware campaign, we challenge CISOs not just to manage this issue, but to truly 'champion' it. After all, a resilient organisation starts with employees who recognise manipulation before they grant the caller access to the network.

The anatomy of the attack: from information to manipulation

A vishing attack begins with online preparation. Public sources such as LinkedIn are used to gather phone numbers, managers' names, and project details. Using caller ID spoofing, the attacker makes a trusted internal number appear on the employee's display, providing an immediate sense of legitimacy; the number shown for an incoming call proves nothing about who is actually calling. Once on the line, the attacker persuades by exploiting our natural reflexes:

  • Authority: The name of the CISO, or another manager, is used as a lever. This subconsciously lowers an employee’s critical threshold: "If the CISO approves, it must be secure."
  • Social Proof: The attacker suggests that 'many colleagues' have already been helped. This validates the behaviour ("if everyone else has done it, it must be normal") and taps into the deep-seated social tendency to help a colleague out of a jam.
  • Reciprocity: The attacker reports an urgent problem (for example, "a virus has been detected") and offers the 'solution' on the spot. Having just received help, the employee feels obliged to return the favour, whether that means installing software or reading out a code.

The harsh reality: 4 in 10 fall for it

Few technical controls are a match for a helpful voice on the line. Our benchmarks show that, on average, 4 in 10 employees (41%) follow the instructions of a vishing attacker. Whether it involves installing software or sharing login credentials, our willingness to help is the greatest security vulnerability.

Fortunately, resilience can be trained. In organisations where we conducted a baseline measurement, the share of employees who complied with the caller's instructions dropped drastically, from 56% to just 11%, following targeted awareness campaigns and realistic vishing simulations by Awareways.

In the world of ransomware, a single successful attack is enough to bring the entire network to a standstill. That remaining 11% means the door is still ajar. Attackers' techniques are constantly evolving, and standing still is, in this context, a security risk in itself.

Is your organisation ready to recognise the voice of the attacker?

A resilient culture is not built through rules alone, but through continuous repetition and practice. Discover how our platform helps your employees resolutely rebuff vishing attempts and turn behavioural change into a daily routine. Schedule an informal introductory meeting and receive a RANSOMWEAR scarf immediately, so you can truly 'wear' and champion your cyber-awareness.
