As phishing defences mature, attackers are pivoting. While email-based social engineering remains a well-known threat, vishing, or voice phishing, is rapidly emerging as a preferred tactic among cybercriminals. For insurers and brokers operating in the cyber market, understanding this evolution is critical to assessing exposure and supporting clients effectively.
Why Vishing Matters to the Insurance Market
According to NCC Group’s 2024 Threat Intelligence Report, the convergence of AI-driven phishing and deepfake voice impersonation is making social engineering attacks more scalable and harder to detect. Vishing exploits human trust and urgency, bypassing technical controls and targeting the weakest link: people.
Unlike email phishing, which is increasingly mitigated by spam filters and anomaly detection, vishing lacks systemic defences. Spoofing a phone number is trivial with VoIP and caller ID manipulation, making these attacks both convincing and difficult to trace. For companies, this represents a growing vector of loss—particularly in sectors with high-value targets or sensitive data.

How Vishing Works
Vishing involves attackers impersonating trusted individuals, such as IT support, HR, or even executives, to manipulate employees into disclosing credentials or multi-factor authentication (MFA) tokens, or into performing unauthorized actions. These attacks often leverage Open-Source Intelligence (OSINT) to sound credible, using data from LinkedIn, company websites, or prior breaches.

In many cases, vishing is used to bypass MFA, a control often relied upon in cyber risk assessments. Attackers may call employees while simultaneously sending malicious links or requesting one-time passcodes, creating a hybrid attack that blends voice and digital vectors.
Key Risk Indicators to be aware of
1. Policy and Procedure Maturity
- Are there clear protocols for verifying identity over the phone?
- Do employees understand escalation paths and lockout policies?
- Are verification methods robust or easily defeated by social engineering and OSINT?
2. OSINT Exposure
- How much internal information is publicly accessible?
- Can attackers easily identify staff roles, email formats, or leadership names?
3. Simulation and Testing
- Has the organization conducted vishing simulations?
- Are employees trained to recognize and respond to voice-based threats?
Implications for Cyber Insurance
Vishing represents a human-centric threat that bypasses traditional technical safeguards. For insurers, this means:

- Increased claims risk from credential compromise, business email compromise (BEC), and fraud.
- Underwriting challenges in assessing human factor controls.
- Opportunities for value-added services, such as simulated vishing assessments or awareness training.
Final Thoughts: Train for the Human Risk
Cybersecurity is no longer just about firewalls and MFA. It’s about people, processes, and preparedness. Vishing attacks exploit trust, urgency, and confusion, factors that can’t be patched with software. And when policies aren’t clear or training is outdated, even your most security-aware employees can be caught off guard.
For regular insights into the latest threat intelligence, join the ongoing series of webinars and reports from NCC Group.

Duncan is a seasoned Director of Information and Cyber Security with over 15 years of leadership experience across global consultancies, government, and critical infrastructure sectors. A Fellow of the Chartered Institute of Information Security (CIISec), Duncan has a proven track record in building and scaling cyber security services, leading high-performing teams, and delivering strategic initiatives across the UK and international markets. Duncan is currently leading NCC Group’s UK Technical Assurance Services division.