Protecting Employees (and Business Costs) from Voice Phishing
By Rich Quattrocchi, Vice President of Digital Transformation, Mutare
Should employees get fired for making costly mistakes that lead to data breaches by giving up access to protected information through a voice or text phishing attack?
This is a complicated question made even more problematic by the tight labor market and the current high rate of employee turnover. It is far easier to retain a well-trained employee than to attract, train, and retain a new hire. For some industries, this means the goalposts are moving with respect to employee sanctions and warnings versus outright dismissals.
Dismissal is clearly warranted when some very clear redlines are crossed. For example, deliberate complicity in the security breach or fraud should trigger an immediate dismissal with prejudice. Organized crime is getting very good at recruiting insider employees to give up credentials or other information for money. The “fraud triangle” has been around for as long as business has had employees, but in the digital age it is now easy to use cryptocurrency to anonymously recruit an insider with opportunity and pressure to become complicit in the act.
On the other end of the spectrum is the innocent mistake in which an employee is simply outmatched by the fraudster who possesses greater skill, knowledge, and resources. The scammer’s threat capabilities completely overwhelm the resistance of the employee on the other end of the call. In this instance, a warning and likely re-training are warranted.
Employee training today is focused on preventing bogus email attacks that most employees would never fall for by clicking on a malicious link. Yet those same employees are far more likely to give up credentials over the phone to a person they believe to be security personnel insisting the information is essential to stopping a breach in progress.
This problem is further exacerbated by the sheer number of collaboration applications in use for both internal and external communications. Your company may use Cisco WebEx internally for video conferencing and have it completely locked down. But once you need to make an external call or receive an external call, the threat surface widens.
Let’s say you are an account executive, and you have five calls scheduled for the day. One of your calls was scheduled using your company’s sanctioned application, but the other four calls were scheduled by your customers, with one on Microsoft Teams, another on Zoom, and two that are direct calls to your personal cell phone.
Distraction is the other wild card in play here, be it a digital distraction such as a text message on your unsecured device, or a human distraction such as your four-year-old son attempting to pull down a jar of treats he asked for 15 minutes ago while you were in the middle of a call. Those distractions can open a window of opportunity for mistakes which often result in a security lapse such as a critical database login you left unattended just long enough for a breach to occur.
Guarding Against Enterprise Vishing and Robocall Attacks
Employees working from home now expect and demand that their business devices and applications are as frictionless to use as their personal tech. For companies that don’t get this message, it is all too common for employees to give up on enterprise supplied items and just use their own.
Who hasn’t texted their boss on their personal phone? It happens all the time, but the moment you engage in communication on a personal device off a locked down VPN using an unsanctioned app, you step into a highly vulnerable threat landscape that dramatically improves the threat capabilities of bad actors targeting your enterprise.
There are numerous issues involved with securing voice networks, but the top four priorities should be to lock down your networks, devices, applications, and distracted employees. Businesses have several ways to protect their employees from making serious security mistakes when it comes to social engineering scams like vishing attacks and robocalls on their phones:
- Implement automated technical security controls that identify nefarious and nuisance callers and disconnect the call without ever ringing the employee’s phone. The reduction in contact frequency by nefarious callers will greatly reduce the odds of serious security breaches like the widespread attacks that hobbled Robinhood and Twitter.
- Training employees is essential. We live in a world where companies must strike a balance between delivering a great user experience and a secure user experience. The pressure on contact center agents and others involved in customer service to deliver “single call resolution” and meet call quotas creates a perfect opportunity for vishing scams. That pressure gives bad actors the upper hand to manipulate employees into revealing information they might not otherwise provide in the absence of distractions and time constraints. Training and coaching by the company – along with reasonable distraction controls and call quotas – can go a long way toward helping employees identify a scam in process and foil it before it turns into a breach or loss event for the company.
- Lastly, companies should include vishing in their security penetration testing, both for their automated technical security controls and for their people to find and plug vulnerabilities before loss events happen.
Too many business and IT leaders overlook the growing sophistication of these threats to their unprotected voice networks. Threat capability, probability of action, and contact frequency are constantly evolving, creating a frustrating game of whack-a-mole. As soon as a scam or vulnerability is discovered and patched, a new threat arrives.
Companies eagerly invest millions in security firewalls, antivirus protection, penetration testing, employee training, and spam filters, yet for some reason their telephone networks remain wide open. Anyone can complete a call with a spoofed number to your company. A threat actor with a slick story can easily take advantage of a distracted employee. We see it happen every day. That’s why enterprises need to put strong protections in place to block such unwanted call traffic from penetrating their voice networks.