Actionable Insights for CISOs
1. Social engineering now represents your highest-probability breach vector:
Even smart, security-aware people fall for voice scams based on authority, escalation, and procedural realism. Prioritize advanced social-engineering simulations that involve multiple actors, "supervisors," and case numbers. Train for recognition of behaviors, not keywords.
2. Shift user education to emotional triggers, not technical cues:
People get compromised when fear, urgency, or authority spikes their emotions. Train your employees to pause when something feels urgent, intimidating, or overly formal. Make "emotional awareness" a required component of phishing and fraud training.
3. Impose a strict rule: do not trust any inbound calls for verification:
If someone calls an employee—even a supposed bank, vendor, or internal team—the employee should never authenticate themselves to the caller. Provide an internal, rapid verification hotline or workflow employees can use to confirm any caller in less than 30 seconds.
4. Develop omnichannel fraud detection over the voice, SMS, and email channels:
Attackers blend channels to build perceived legitimacy. Correlate caller-ID reputation, SIM-swap intelligence, and cross-channel anomaly detection so your SOC has the complete picture. Voice fraud is not an external problem to be outsourced; it is part of your cyber program.
5. Introduce friction for critical financial transactions. Scammers push victims into urgent money movement:
Set mandatory out-of-band approvals for high-value transfers, enforce delay windows for new beneficiaries, and apply behavioral biometrics to detect unusual user patterns. Push for "friction where it matters."
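The transfer-friction controls from insight 5 (out-of-band approval for high-value transfers and a delay window for new beneficiaries), as an added Python example that is not part of the original post; the threshold, the 24-hour hold window and the request/decision record shapes are assumptions for illustration:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumed policy parameters for this example; real values come from the institution's risk appetite.
HIGH_VALUE_THRESHOLD = 10_000.00            # at or above this, out-of-band approval is mandatory
NEW_BENEFICIARY_HOLD = timedelta(hours=24)  # transfers to a payee added inside this window are held

@dataclass(frozen=True)
class TransferRequest:
    amount: float
    requested_at: datetime
    beneficiary_added_at: datetime  # when the payee record was first created
    oob_approved: bool = False      # approval obtained on a channel the requester did not initiate

@dataclass
class Decision:
    action: str                            # "allow", "hold" or "require_approval"
    reasons: List[str] = field(default_factory=list)
    release_at: Optional[datetime] = None  # earliest time a held transfer may proceed

def evaluate_transfer(req: TransferRequest) -> Decision:
    """Apply both friction controls; every triggered control is recorded and a hold takes precedence."""
    decision = Decision(action="allow")
    # Control 1: delay window for new beneficiaries. A caller pressing for "right now"
    # cannot beat the clock, so the hold is not waivable by the requester.
    release_at = req.beneficiary_added_at + NEW_BENEFICIARY_HOLD
    if req.requested_at < release_at:
        decision.action = "hold"
        decision.release_at = release_at
        decision.reasons.append(f"beneficiary added {req.requested_at - req.beneficiary_added_at} "
                                f"ago; hold until {release_at.isoformat()}")
    # Control 2: mandatory out-of-band approval for high-value transfers.
    if req.amount >= HIGH_VALUE_THRESHOLD and not req.oob_approved:
        if decision.action == "allow":
            decision.action = "require_approval"
        decision.reasons.append(f"amount {req.amount:,.2f} >= {HIGH_VALUE_THRESHOLD:,.2f} "
                                "without out-of-band approval")
    return decision

def demo() -> List[str]:
    """Constructed scenarios: the scam pattern (new payee, large, urgent) beside legitimate ones."""
    now = datetime(2024, 1, 10, 15, 0, tzinfo=timezone.utc)
    rushed = TransferRequest(25_000, now, beneficiary_added_at=now - timedelta(minutes=20))
    unapproved = TransferRequest(25_000, now, beneficiary_added_at=now - timedelta(days=90))
    routine = TransferRequest(25_000, now, now - timedelta(days=90), oob_approved=True)
    return [f"{d.action}:{len(d.reasons)}" for d in map(evaluate_transfer, (rushed, unapproved, routine))]
```

The rushed request trips both controls and is held until the window expires, so the urgency a caller manufactures on the phone cannot shorten the delay.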
About the Author:
Bruce Schneier is an internationally renowned security technologist, called a “security guru” by The Economist. He is the author of over one dozen books—including his latest, A Hacker’s Mind—as well as hundreds of articles, essays, and academic papers. His influential newsletter “Crypto-Gram” and his blog “Schneier on Security” are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation and AccessNow; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.
Longtime Crypto-Gram readers know that I collect personal experiences of people being scammed. Here’s an almost:
Then he added, “Here at Chase, we’ll never ask for your personal information or passwords.” On the contrary, he gave me more information—two “cancellation codes” and a long case number with four letters and 10 digits.
That’s when he offered to transfer me to his supervisor. That simple phrase, familiar from countless customer-service calls, draped a cloak of corporate competence over this unfolding drama. His supervisor. I mean, would a scammer have a supervisor?
The line went mute for a few seconds, and a second man greeted me with a voice of authority. “My name is Mike Wallace,” he said, and asked for my case number from the first guy. I dutifully read it back to him.
“Yes, yes, I see,” the man said, as if looking at a screen. He explained the situation—new account, Zelle transfers, Texas—and suggested we reverse the attempted withdrawal.
I’m not proud to report that by now, he had my full attention, and I was ready to proceed with whatever plan he had in mind.
It happens to smart people who know better. It could happen to you.
By Anton Chuvakin (Office of the CISO, Google Cloud)