Phone calls from fake IT specialists, security engineers or “Microsoft partners” are not just a new trick. They are a sophisticated social engineering tactic that finds its way into otherwise well-protected corporate systems.
Vishing: the voice of attack that bypasses technical barriers
Cyber threats are constantly evolving. In addition to phishing or malware, so-called vishing attacks – fraudulent phone calls aimed at gaining access to sensitive information or systems – are coming to the fore.
Typically, the attacker introduces themselves as a representative of the IT department, a cloud provider or a security consultant. They create a sense of urgency (“Your device has been compromised, we need to verify access immediately”) and use a convincing manner to get the user to hand over login credentials or install a remote access tool.
How to defend against this type of attack?
The security strategy of today’s organisations is naturally focused on multiple levels – and rightly so. But precisely because attackers are changing tactics, it’s critical that defense mechanisms shift with them.
And this is where the Zero Trust approach comes in: it fundamentally changes the way organisations think about trust within their own IT infrastructure.
How does Zero Trust help against social engineering?
Zero Trust doesn’t say “trust no one”. It says, “Verify everything, always, and in context.”
The vishing call itself may not be technically advanced, but the consequences can be devastating if the attacker gains access to the system. The Zero Trust approach greatly reduces the likelihood that such a call leads to a successful compromise. How?
Contextual authentication
If someone logs in from a different device, from a different location or at an unusual time, a Zero Trust system assesses the attempt as risky. Even a correctly entered password does not automatically mean access: the session can be denied or forced through additional verification before anything is granted.
Segmentation of access
The user, even once authenticated, only gets access to what they actually need to do their job, not the entire network or all sensitive data. This limits what the attacker can reach if they do get hold of the login credentials.
Continuous Behavioral Assessment (UEBA)
Zero Trust systems can detect unusual user behaviour – such as sudden downloads of large amounts of data, access to administrative functions, or interaction with non-standard applications.
Emphasis on multi-factor authentication (MFA)
Even if the attacker convinces the victim to hand over the password, the password alone is not enough without a second factor (such as biometrics or an app on the phone). One caveat matters for vishing in particular: the same caller who obtained the password can also talk the victim into approving a push notification or reading out a one-time code. Phishing-resistant factors, such as FIDO2 security keys or passkeys bound to the user’s device, hold up far better against this than codes and approvals that the victim can be persuaded to share.
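To make the “Contextual authentication” and “Continuous Behavioral Assessment” points above concrete, here is an added Python example. It is not code from the original article and not the logic of any product mentioned on this page. It scores constructed sign-in and download events against a per-user baseline; the baseline, the events, the score weights and the two thresholds are all invented for the illustration.

```python
from datetime import datetime

# Constructed baseline for one user, standing in for what a tenant has seen
# before. In a real deployment this comes from sign-in history, not a literal.
BASELINES = {
    "alice@example.com": {
        "devices": {"LAPTOP-A1"},
        "countries": {"CZ"},
        "work_hours": range(7, 19),   # 07:00 to 18:59 UTC
        "typical_downloads": 12,      # files per session, rough average
    }
}

# Constructed events (not real logs). Event 1 is routine. Events 2 and 3 model
# the vishing outcome: the caller obtained the password, talked the user into
# approving the MFA prompt, then started pulling files from a finance share.
EVENTS = [
    {"ts": "2024-05-06T09:14:00Z", "user": "alice@example.com", "type": "signin",
     "device": "LAPTOP-A1", "country": "CZ", "mfa": "passed"},
    {"ts": "2024-05-06T22:41:00Z", "user": "alice@example.com", "type": "signin",
     "device": "UNKNOWN-7F", "country": "NG", "mfa": "passed"},
    {"ts": "2024-05-06T22:49:00Z", "user": "alice@example.com", "type": "download",
     "count": 340, "resource": "Finance share"},
]

STEP_UP = 3   # score at which to demand fresh, phishing-resistant MFA
BLOCK = 5     # score at which to deny the session outright


def _hour_utc(ts: str) -> int:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).hour


def score_signin(event: dict, baseline: dict) -> tuple:
    """Contextual authentication: weigh device, location and time of day against
    the user's baseline. The verdict deliberately ignores event['mfa']: a push
    the user approved at a caller's request is not proof the user is the one
    signing in."""
    score, reasons = 0, []
    if event["device"] not in baseline["devices"]:
        score += 3
        reasons.append("unregistered device")
    if event["country"] not in baseline["countries"]:
        score += 3
        reasons.append("sign-in from new country")
    if _hour_utc(event["ts"]) not in baseline["work_hours"]:
        score += 2
        reasons.append("outside usual hours")
    return score, reasons


def verdict_for(score: int) -> str:
    if score >= BLOCK:
        return "block"
    if score >= STEP_UP:
        return "step_up"
    return "allow"


def check_activity(event: dict, baseline: dict) -> list:
    """Behavioural assessment (UEBA-style): flag bulk downloads far above the
    user's norm, regardless of how the session was authenticated."""
    reasons = []
    if event["type"] == "download" and event["count"] > 5 * baseline["typical_downloads"]:
        reasons.append(f"bulk download: {event['count']} files from {event['resource']}")
    return reasons


def evaluate(events: list, baselines: dict) -> list:
    """Run every event through the relevant check and return the findings."""
    findings = []
    for ev in events:
        base = baselines[ev["user"]]
        if ev["type"] == "signin":
            score, reasons = score_signin(ev, base)
            findings.append({"ts": ev["ts"], "verdict": verdict_for(score), "reasons": reasons})
        else:
            reasons = check_activity(ev, base)
            if reasons:
                findings.append({"ts": ev["ts"], "verdict": "alert", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in evaluate(EVENTS, BASELINES):
        print(f["ts"], f["verdict"], "; ".join(f["reasons"]) or "baseline behaviour")
```

The point of the second sign-in is that it passed MFA and still gets blocked: the unknown device, the new country and the late hour add up past the block threshold, which is the “a correct password is not automatically access” behaviour described above. The download check runs independently of the sign-in verdict, so a session that slipped through on a lower score would still raise an alert once the attacker starts pulling data.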
A new wave of threats requires a new approach
The human factor remains the biggest challenge in security. And the attackers know it. That’s why they attack precisely where decisions are made under stress, pressure or ignorance – typically during an unexpected phone call that appears to be “business as usual”.
Companies today have the opportunity to respond proactively. The combination of regular, realistic training, anomaly-detecting technologies and a “zero implicit trust” strategy greatly increases resilience to these scenarios.
Can vishing bypass your security measures?
It’s not just a question of whether you have phishing protection in place. More importantly, it’s how quickly you can detect and stop behaviour that doesn’t fit with normal operations.
For example, the SecuRadar service, built on Zero Trust principles, monitors what is happening in Microsoft 365, Entra ID, Defender for Endpoint and other systems in real time. It assesses whether a user is acting in line with their normal behaviour and raises an alert if they are not. Fast, and without the need for human intervention.