More than a third of organizations said they don't track the amount of voice traffic, which could potentially be malicious voice phishing, according to a Mutare report. (Photo by Sean Gallup/Getty Images)

Mutare on Wednesday released a report finding that 47% of organizations experienced a voice phishing (vishing) or social engineering attack in the past year.

Even more troubling, most organization are unaware of the volume of unwanted voice traffic traversing their networks, or the significance of threats lurking in unwanted traffic, which includes robocalls, spoof and spam calls, spam storms, vishing, smishing, and social engineering.

The survey also found that in all industries, 9% of all calls received by businesses are unwanted.  Moreover, 45% of all unwanted traffic is tied to nefarious activity, while the survey ties 55% to nuisance activity. Amazingly, more than one-third (38%) say their organizations do not collect any data on the amount of inbound, unwanted, and potentially malicious voice traffic hitting their organizations.

The main reason that phishing scams are so convincing is that they often mimic the look of a brand or a credible person down to a very fine detail, said Ryan McCurdy, vice president of marketing at Bolster, Inc. McCurdy said to make matters worse, they prey on human action bias, with a call-to-action stating that attention must be taken right now.

“The same tactics are used in smishing campaigns as in phishing campaigns,” McCurdy said.

McCurdy said there are certain techniques to look for to determine that the text is a scam:

  • Smishing messages are often sent from an email address or web-based service which results in the sender’s phone number displaying as a shortened phone number also known as a short code.
  • Legitimate companies will never request confidential information via text message. Always go directly to the website to log in. Suspicious of a link that came in? Use a free phishing site scanner like www.checkphish.ai.

 Patrick Harr, chief executive officer at SlashNext, said social engineering phishing scams are still a serious problem for organizations, and they are moving to SMS, collaboration tools, and social. Harr said his team has seen an increase in requests for SMS and messaging protection as business text compromise, like its cousin business email compromise, is becoming a growing problem for an organization to detect and block.

“The No. 1 point of concern that we heard for security professionals at RSA this year was mobile threats and protecting mobile BYOD,” Harr said. “We heard consistently that smishing, vishing and business text compromise were the biggest areas of most concern and least protected part of their security stack. It’s particularly challenging to protect mobile BYOD because of privacy concerns.”

Hank Schless, senior manager, security solutions at Lookout, added that in the same way attackers moved their focus from phishing individuals through email to more personal channels like social media, we’re seeing a recent increase in voice phishing and QR code phishing. Schless said there could also be broader use of deepfake technology to impersonate an individual's voice or face in order to make the malicious communication even more convincing. 

“Regardless of how these attacks evolve, organizations will always need to protect their employees and their data — regardless of where they’re working, what devices they’re using, and how they access data,” said Schless. “When it comes down to it, it will always be about protecting the data.”