By Roger Northrop, Chief Technology Officer at Mutare
Voice phishing (“vishing”) has emerged as a new and increasingly concerning security vulnerability for businesses. The tactic involves a criminal agent or agents posing as a trusted source in order to trick their victims into divulging passwords or other protected information over the phone. In the past year alone, vishing attacks on organizations have skyrocketed 550%.
Nearly everyone is aware of the dangers of email phishing, a common criminal tactic used to lure targets into a scam through fraudulent emails with malicious links. In fact, most enterprise email applications are now built with powerful spam-detection capabilities that recognize and block emails with suspicious links before they ever reach the employee.
But, when it comes to the common phone call, industry as a whole suffers from a biased assumption that the risk is negligible; that only the unsophisticated will fall prey to a scam. The reality is that the most neglected, yet vulnerable, channel within the business IT structure is the voice network. And, if left unaddressed, the perils of criminal intrusions through a vishing scheme can lead to significant loss of revenues, careers, reputations, shareholder value and more.
As with other forms of cybercrime, financial reward is the prime driver behind most vishing attacks, but there are several reasons why vishing is a particularly favored, effective technique used by cybercriminals.
Threat agents take cover in the anonymity of VoIP calling. The transition from analog calling to Voice over Internet Protocol (VoIP) has enabled criminal agents, using auto-dialers, pre-recorded messages, caller ID spoofing, generous VoIP bandwidth and cheap, untraceable overseas call centers, to reach thousands of intended victims with little effort, expenditure, or risk. What’s more, the number of threat actors has increased exponentially. The profile of a visher has evolved from a lone criminal agent to one who is likely part of an organized network of criminal enterprises, some even offering recruitment and training through illicit sites on the Dark Web. This makes it far easier for wannabe hackers to find a place in the underworld of cybercrime where they see a route to easy money at little personal risk.
It only takes one successful connection in a calling campaign to perpetrate a massive hack. According to Verizon’s 2022 Data Breach Investigations Report, roughly 82% of cybersecurity breaches are caused by human error. The average employee has a surprising level of access to internal files – in fact, an estimated 11 million if in the financial sector. So the chance of fallout from conning one vulnerable individual into divulging sensitive information can be substantial. Take the example of Cisco Systems. In July 2022, the network giant reported a breach initiated through a vishing attack. The threat actor, posing as a trusted support contact, made calls to multiple employees looking for a vulnerable victim and was eventually successful in convincing one to authenticate access to the organization’s VPN. From there, the adversary and criminal collaborators rifled through internal files, allegedly scraping 2.8 GB of data, part of which they released as proof of their feat. With quick remediation, Cisco claims minimal long-term damage outside of costly business disruptions. Others, like Twitter, were not so lucky. A successful vishing-initiated breach in 2020 wiped out $1.3 billion in Twitter market value in a single day. What’s more, organizations can never be sure that data stolen from one breach is not being used to perpetrate future fraud. Just this month, the email addresses of 235 million Twitter account holders turned up for sale on the Dark Web. Are these events connected? Very possibly.
The voice is a powerful and convincing way to manipulate other humans. Through the telephone, cybercriminals have 24 x 7 x 365 access to connect directly with their intended victims. And, unlike consumers, employees cannot simply ignore calls from unknown sources, which makes them particularly vulnerable to vishing schemes. As the old adage goes: The customer is always right. And accordingly, businesses have trained their customer service employees to present to callers an attitude of trust, to empathize, to fix and to do – all with customer satisfaction and retention in mind. On the phone, bad actors prey on that “can-do” behavior drilled into these support teams. Unlike email, phone fraud is harder to detect because the channel is opaque – only after the connection has been made is it clear which calls are legitimate and which are scams, and by then the damage is done.
Vishers now have broad and easy access to personal information about their targets. Thanks to digitalized public sources, unprotected social media accounts, and the vast repository of stolen data found on the Dark Web, vishers are now able to approach their victims armed with enough personal information to lend trust and credibility to their scheme. They are masters at deception and psychological manipulation and have proven over and over how convincing they can be with the right tools and data at their disposal.
Most organizations have no protections in place for their voice network. As recent events attest, the protection of enterprise voice networks warrants a security strategy tailored to its specific vulnerabilities. Nevertheless, the vast majority of corporate cybersecurity spending remains focused on the data network, and that is a mistake. Just ask Twitter, Twilio, Cisco and Robinhood, all highly sophisticated organizations that have fallen victim to recent vishing attacks.
So what is a business to do to halt unwanted voice traffic? Unfortunately, most of the guidance today, including from the FCC, is to simply not answer the phone from unknown callers. But, is that really good advice for a business enterprise? Not answering the phone can lead to degraded customer experience, missed sales opportunities or worse. Letting the phone go to voicemail isn’t a viable option for organizations that depend on voice calls to quickly solve problems, serve clients, and maintain customer relationships.
The solution starts with visibility, and that is delivered in the data. Every one of today’s enterprise Voice over Internet (VoIP) calls is packed with information that, with the right analytics tools, reveals a great deal about the call source and its legitimacy. Since launching its Voice Traffic Assessment program, Mutare has analyzed more than 128 million calls across a broad spectrum of industries and found that, in general, between 6% to 15% of those calls are clearly unwanted robocalls or spam. These calls are more than just a productivity-sapping annoyance, because embedded in that unwanted traffic is an estimated 45% of callers with malicious intent.
From a security standpoint, when organizations implement robust tools to block unwanted calls before they enter the network, they are also significantly lowering their potential exposure to cybercrime. It boils down to limiting exposure and preventing that initial access. The more fortified the voice network – through good practices and effective technologies – the safer employees, customers and businesses will be.
In his role as Chief Technology Officer, Roger Northrop is responsible for driving innovation through R&D activities in Mutare Labs, monitoring industry trends, and leveraging leading-edge and emerging technologies to launch solutions that modernize enterprise communication processes and protect the security of the customer IT environment. Roger serves as a technology ambassador and expert resource for customers and partners, and he ensures that the voice of the customer is incorporated into every stage of Mutare’s product development, continuous improvement and quality control processes.