PROTECT & OPTIMIZE THE VOICE CHANNEL

Understanding Voice Threats is smart business.

Voice-Based Attacks are a critical problem.

Numbers & Metrics

Enterprises have dedicated the lion’s share of their resources to protecting and defending their traditional technical infrastructure, including endpoints, the data network, email, applications, cloud, storage and the data center. This time, money, people and focus have left Voice largely unprotected.

The bad guys know that Voice is not being protected, and our indicators tell the story…

MFA IS NOT ENOUGH

89%

89% of security professionals think MFA is enough protection against account takeover

Source: Proofpoint 2024 State of the Phish

USERS EXPOSE THEMSELVES TO SOCIAL ENGINEERING

58%

58% of working adults admit to actions that expose them to common social engineering tactics

Source: Proofpoint 2024 State of the Phish

TOAD ATTACKS

81%

81% of U.S. organizations experienced a TOAD (Telephone-Oriented Attack Delivery) attack in 2023

Source: Proofpoint 2024 State of the Phish

ENTERPRISES LACK PROTECTION

76%

76% of enterprises lack sufficient voice and messaging fraud protection post-ChatGPT

Source: ENEA

HUMAN ERROR CAUSES BREACHES

95%

95% of data breaches are due to human error

Source: IBM Security Report

AVG COST OF BREACH

$9.48M

$9.48 million: average cost of a data breach in the US (2023)

Source: Statista

INCREASE IN PHONE-BASED ATTACKS

1,265%

1,265% increase in phone-based attacks since the advent of ChatGPT (post-GenAI)

Source: Help Net Security

COST TO MGM FROM CYBER BREACH

$100M

Cost to MGM from its cyber breach

Source: Securities and Exchange Commission Form 8-K Filing (10/5/23)

FRAUDULENT CALLERS SUCCESSFULLY AUTHENTICATE

30%

30% of fraudulent callers successfully authenticate themselves using knowledge-based authentication

Source: Call Center Fraud/Fraud.net

IDENTITY RECORDS BREACHED

8B

8 billion identity records have been breached

Source: Call Center Fraud/Fraud.net

ANNUAL REVENUE OF CYBERCRIMINALS

$1.5T

Annual revenue of cybercriminals

Source: Atlas VPN

CYBER ATTACKS REPORTED BY FINANCIAL COS.

703 PER WEEK

The average number of cyberattacks reported by financial institutions per week

Source: Check Point Research (CPR) (2021)

UNWANTED CALLS IMPACTING BUSINESS

100%

100% of people we surveyed are negatively impacted by Unwanted Voice Traffic (phone calls).

Source: MUTARE VOICE THREAT SURVEY – 2023

TIME TO ELEVATE VOICE AS A THREAT VECTOR

85%

85% believe it is time to elevate Voice as a Threat Vector.

Source: MUTARE VOICE THREAT SURVEY – 2023

WE NO LONGER ANSWER OUR BUSINESS PHONE

25%

25% of business people no longer answer their business phone.

Source: MUTARE VOICE THREAT SURVEY – 2023

VOICE TELEMETRY COULD HELP

90%

90% believe it is time to include Voice Telemetry in their threat defense & response program

Source: MUTARE VOICE THREAT SURVEY – 2023

Definitions: Voice Attack Types

Callback Vishing

Nefarious

This is a hybrid, response-based callback phishing/vishing campaign that starts with an email blast to a targeted group with an urgent message that appears to be from a trusted source. The email includes a call-back number that, if used, connects the victim to an adversary’s co-conspirator call center agent trained to extract sensitive information from their victims. While employees have learned not to click on unfamiliar email links, and many know not to respond to requests from unsolicited callers, this scheme works because the target feels safer if the link is a phone number, not a webpage, and they are making, rather than receiving, the phone call.

GenAI-Based Attack

Nefarious

In this scenario, the criminal visher targets a specific internal group or demographic, usually starting with a robocall campaign carrying a pre-recorded message that has been AI-generated to match the voice of a trusted superior or colleague with an action request. Those that respond may be further targeted.

This use of voice cloning (deep fake) technology is becoming more prevalent as user-friendly Generative AI applications are now readily accessible to the general public or sold in bootleg form through the Dark Web. The familiar voice not only gives the call greater credibility, but it may also evade detection by fraud prevention applications that depend on voice biometrics (analysis of audio qualities) to separate known callers from potential scammers.

The continued advancement of GenAI technology gives rise to a whole new level of deep fake-enabled threats, including the capability for live vishing callers to transform their voice in real time to that of a trusted colleague or superior in order to convincingly engage and manipulate the call recipient.

Hybrid Phishing + Vishing

Nefarious

This is a two-pronged spear-vishing approach using email and related live phone calls with duplicate messaging so victims are more likely to trust its legitimacy and level of urgency. The adversary, often working with a teammate, delivers an email to targeted employees with enough personal information to lend it credibility, and then follows that with an immediate phone call delivering the same message. An employee may be suspicious of one approach or the other, but when in combination, they provide a greater sense of legitimacy. Again, if a voice connection is made, the skilled criminal visher uses social engineering techniques to coerce the employee into divulging sensitive information and/or providing access to internal systems and data.

Neighbor / Enterprise Spoofing

Nefarious

These are two related types of illicit robocall campaigns using a spoofed (digitally altered) Caller ID or Caller Name (CNAM) specifically modified to resemble a source familiar to the call recipient. The number or CNAM may be manipulated to resemble a familiar area code or business prefix number (“Neighbor Spoofing”). In this case, the recorded message might impersonate an internal source, such as a member of technical support or human resources, and request a call-back about a supposed issue that needs immediate resolution. The adversary can also modify the Caller Name (CNAM) to reflect an organization or agency familiar to the call recipient (“Enterprise Spoofing”) with a message requesting an immediate call-back due to an urgent matter with, for instance, a corporate account, tax matter or legal issue. In either case, the criminal agent fielding any call-backs would then follow a script designed to extract personal information or login credentials.

Robocalls

NUISANCE / NEFARIOUS

Robocalls are auto-generated calls carrying a pre-recorded message. Appointment reminders, flight cancellations, and other informational calls are legitimate forms of robocalls. However, illegitimate players are leveraging Voice over Internet Protocol (VoIP) technology to generate thousands of robocalls to random numbers from an auto-dialer using a spoofed (digitally altered) Caller ID. Their messaging, at best, is intended to elicit a purchase but, in growing numbers, is designed to lure the call recipient into a scam.

Social Engineering

NEFARIOUS

An attack on a targeted individual from a live caller impersonating a trusted source. The threat agent uses personal information about their victim to boost credibility, then applies psychological manipulation to trick them into divulging protected information.

Vishing calls can also be perpetrated by an individual targeting specific employees that they have identified as particularly valuable conduits to internal systems or data. In these cases, the adversary, posing as a trusted internal source (technical support, human resources, upper management), has already armed him/herself with information about the targeted employee harvested from public sources, social media accounts, or purchased on the Dark Web, in order to establish credibility. They are skilled at impersonation and psychological manipulation (known as “social engineering”). Customer service and contact center employees are a favored target of these scammers, due to their mandate to answer calls and “need to help” mindset. New employees are also at risk as they are less familiar with organizational norms and players, and may be more deferential to a perceived superior. Remote workers, too, are attractive targets due to their physical isolation both from officemates and the protective barriers of corporate office firewalls.

Spear Vishing

NEFARIOUS

This term applies to a live call from a criminal impostor targeting a specific individual. The adversary is armed with personal information, not only about their target, but also about the person they are impersonating, to support the deception. A common example involves the attacker posing as IT technical support who tricks the victim into logging into a fake VPN page. Once the employee has logged in with their credentials, the adversary managing the fake page steals those credentials, logs into the actual corporate VPN, and either downloads as much internal data as possible or inserts network-destroying malware as part of a ransomware attack. Occurrences of this attack type have accelerated in response to the rise of a post-COVID remote workforce that depends on VPN access to company networks. New employees who have little familiarity with their colleagues and who may be predisposed to comply with requests from superiors are particularly vulnerable to this type of attack.

Spoof Calls

NEFARIOUS

A spoofed call carries a Caller ID that has been digitally altered to mask the actual source of the call. While sometimes used for legitimate purposes to protect the privacy of the caller, more often spoofed numbers are used by criminal impostors as part of their deceptions. In recent years the FCC has adopted a set of protocols known as STIR/SHAKEN designed to eliminate illicit robocalls using spoofed numbers, but cybercriminals continue to circumvent enforcement measures and the practice of illegal spoofing is still widespread.

Vishing

NEFARIOUS

Vishing (Voice Phishing) is a cyberattack technique used to extract sensitive or protected information from targeted victims through voice calls. The attacker(s) utilize a combination of social engineering tactics, spoofed (digitally altered) caller IDs, and personal information gained through public sources, social media, or harvested from prior data breaches, to support their impersonation and then manipulate the call recipient into a false sense of trust. When perpetrated on an employee or contact center agent (who may be particularly vulnerable when in a helpdesk, customer support, tech support, or accounts management position), the damage could be catastrophic when resulting in a breach with related loss of proprietary information, compromised customer personal identifying information (PII), hijacked accounts, financial theft, extortion, public relations fallout, and regulatory fines and/or class action litigation. Vishing attacks may target specific, high-value individuals or be part of a broader campaign of reconnaissance calling with the objective of finding, and compromising, any employee who takes the call.

Voice Spam

NUISANCE / NEFARIOUS

Voice Spam Storms

NEFARIOUS

A sudden influx of auto-generated scam robocalls targeting a specific population or, in the enterprise, a range of internal numbers (DIDs) with the intent to commit fraud, disrupt normal communications, or as part of a call center toll-fraud scheme.

Wardialing

NEFARIOUS

In this basic, automated vishing approach, the adversary, using a spoofed (digitally altered) Caller ID, delivers an urgent, pre-recorded message via auto-dialer to specific area codes or sequential numbers within the organization’s exchange range. The message appears to be from a trusted source such as a bank or government agency and includes a call-back phone number. If the recipient calls that phone number, they will be connected to a criminal call center agent. That co-conspirator, in turn, follows a script used to trick the caller into divulging protected information such as system credentials, or user information, or to take actions such as transferring funds to a fraudulent, criminal account.
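The two patterns defined above, a voice spam storm (a burst of calls into a DID range) and a wardialing sweep (sequential DIDs), both leave a signature in call telemetry. As an added example that is not Mutare's code and describes no product feature, the following Python detector runs over constructed call detail records (the CDR format, numbers and thresholds are assumptions for illustration):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CDRs in a hypothetical "timestamp,caller_id,called_did" format
# (real PBX/SBC exports differ); one caller sweeps sequential DIDs, the rest are normal.
SAMPLE_CDRS = """\
2024-03-01T09:00:00,+13125550142,+13125550100
2024-03-01T09:00:04,+13125550142,+13125550101
2024-03-01T09:00:09,+13125550142,+13125550103
2024-03-01T09:00:13,+13125550142,+13125550102
2024-03-01T09:00:18,+13125550142,+13125550104
2024-03-01T09:00:22,+13125550142,+13125550105
2024-03-01T09:05:00,+12125551234,+13125550150
"""

def parse_cdrs(text):
    """Parse CDR lines into (timestamp, caller_id, called_did) tuples."""
    return [(datetime.fromisoformat(t), c, d)
            for t, c, d in (ln.split(",") for ln in text.strip().splitlines())]

def detect_storm(records, window_s=60, threshold=5):
    """Callers that reach >= threshold distinct DIDs within any window_s span."""
    by_caller = defaultdict(list)
    for ts, caller, did in sorted(records):
        by_caller[caller].append((ts, did))
    alerts = {}
    for caller, calls in by_caller.items():
        start = 0
        for end in range(len(calls)):  # sliding window over this caller's calls
            while calls[end][0] - calls[start][0] > timedelta(seconds=window_s):
                start += 1
            dids = {d for _, d in calls[start:end + 1]}
            if len(dids) >= threshold:
                alerts[caller] = max(alerts.get(caller, 0), len(dids))
    return alerts

def detect_wardial(records, min_run=4):
    """Callers whose called DIDs contain a sequential run of >= min_run numbers."""
    by_caller = defaultdict(set)
    for _, caller, did in records:
        by_caller[caller].add(int(did.lstrip("+")))
    hits = {}
    for caller, nums in by_caller.items():
        best, run, seq = 1, 1, sorted(nums)
        for prev, cur in zip(seq, seq[1:]):  # order-independent: sweeps may shuffle
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            hits[caller] = best
    return hits
```

The sweeping caller ID in the sample sits inside the enterprise's own range, the neighbor-spoofing pattern defined earlier, so a production rule would additionally flag inbound calls whose Caller ID claims one of the organization's own DIDs.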