Security training and awareness must focus on risk scenarios that include the human element. The 2017 Verizon’s Data Breach Digest found that 90 percent of data-loss incidents have a phishing or social engineering component. The cost of a data breach for both large and small to medium-size enterprises continues to rise. In addition to the financial loss there is also the reputational cost to consider. A recent PCIpay survey found that one-fifth of US consumers never return to breached brands and an RSA survey found that 62 percent blame the company first in the event of a data breach rather than the hacker.
Companies with authentication processes, firewalls, VPNs, and network monitoring software are still wide open to an attack if an employee unwittingly gives away key information. Security training and awareness the includes the human element is vital for enterprise survival. A simple social engineering attack, such as a phone call (vishing), can have devastating consequences.
Vishing – A Simple Yet Dangerous Social Engineering Attack Vector
Vishing, commonly known as voice phishing or phone elicitation, is quickly becoming one of the most dangerous social engineering attack vectors. Employees in customer service, sales, and HR departments are highly vulnerable to these types of attacks. Consider what happened to the Boulder Valley School District. In 2017, an attacker collected publicly available information regarding contracts between the school district and its contractor, Adolfson and Peterson Construction Company. Pretexting as an employee of the construction company, the attacker called the school district’s accounts payable department requesting that the school district change the way they pay the construction company. The accounts payable department complied and began sending payments to a fraudulent bank account the attacker had set up. The school district became aware of the theft when they started to receive late payment notices from the genuine Adolfson and Peterson Construction Company. The School District was conned out of $850,000 all due to a simple phone call. If this had been your company, how would you have fared? Are your employees trained to identity vishing attacks?
Training and Awareness Are Vital
An investment in security education, training, and awareness is vital for enterprise survival. Simulated vishing attacks are an effective way to access your enterprise. With over 20,000 vishing calls made over the last three years, Social-Engineer, LLC analyzed the data and pinpointed clear weak points in a corporation’s security. This year, at DerbyCon 8.0, Chris Hadnagy, CEO of Social-Engineer, LLC and Cat Murdock, a pen tester for the company, presented their findings. Three key takeaways from their analysis are:
- Vishing calls are more successful in the afternoon.
- Friday is the most vulnerable day for employees.
- HR open enrollment (for US-based clients) is the most successful pretext.
The value of simulated vishing is clear. With just those three takeaways an enterprise has actionable information to implement security improvements. As noted by Chris Hadnagy at DerbyCon, “your team will be more vulnerable on Friday.” Vishing as a Service (VaaS), such as provided by Social-Engineer, LLC , can provide help in these 4 specific ways:
- Simulated attacks are an effective way to assess vulnerabilities.
- Extensive reporting provides actionable data about employee responses to various vishing attack scenarios.
- Identify which departments or employees are most susceptible.
- Based on results from vishing assessment, develop a continuous assessment and training process to successfully combat vishing attacks.
Creating a culture of security must be a core value for any enterprise. With just one phone call, an enterprise can suffer devastating consequences. Invest in and implement security training and awareness that is multi-layered. Do not overlook the human element. Teach employees how to identify and respond to vishing threats.
Data breaches will happen. However, the risk and cost to your enterprise can be mitigated through effective security training and awareness that includes the human element.