Vishing
Handle a realistic voice phishing call.
What You'll Learn in Vishing
- Recognize caller ID spoofing and understand why displayed phone numbers cannot be trusted as identity verification
- Apply callback verification using official company directories rather than phone numbers provided by the caller
- Identify the conversational pressure tactics vishers use, including escalating urgency, authority claims, and technical jargon
- Refuse to share credentials, MFA codes, or authorize remote access during inbound calls, regardless of the stated justification
- Distinguish between assertive identity verification and confrontational behavior to maintain professionalism during suspicious calls
Vishing Training Steps
- Introduction
  This training simulates a real-world vishing attack where an attacker uses an AI-generated voice filter to impersonate a trusted colleague. Alice works at Nexlify Solutions and is currently leading a high-profile project for one of their major clients, SecureTech Corp. It's a busy Tuesday afternoon when her phone rings. The caller ID shows 'Mike Stevens - Ext. 4247'. Alice knows Mike; he's a really friendly guy from the Infrastructure team. Alice recognizes this as Mike's usual number and answers the call promptly.
- The Unexpected Call
  Unbeknownst to Alice, Bob has been researching Nexlify Solutions and their client SecureTech for weeks. He gathered information about the company structure, employee names, and internal systems through social media profiles, LinkedIn, and the company website. Bob has also obtained recordings of Mike's voice from publicly available conference presentations and company webinars. Using advanced AI voice cloning software, he has created a convincing replica of Mike's voice and spoofed the caller ID to display Mike's internal extension.
- The Convincing Introduction
  The voice on the phone sounds exactly like Mike - same tone, speech patterns, and even his characteristic slight Boston accent. All thanks to GenAI technologies and a big dataset of Mike's public talk recordings.
- Creating Urgency
  Bob establishes urgency and authority by mentioning a sick colleague and an important client meeting.
- The Information Request
  Alice begins to feel the pressure of the urgent situation and wants to help a colleague in need.
- Opening the Files
  Alice opens up the company portal and tries to access sensitive data.
- Sharing Sensitive Information
  Alice begins reading the sensitive information over the phone. This is strictly prohibited by company rules, but the request seems urgent and Mike does not have access to company resources due to a VPN issue.
- A Huge Mistake
  Alice has now shared highly confidential NDA-protected information including proprietary encryption details, disaster recovery locations, and internal security protocols.
- The Suspicious Email
  Bob sees that his attack is successful and tries to escalate by sending Alice a phishing email.
- Shady Email Arrives
  Alice receives an email that appears to be from Mike Thompson.