In this article, we'll walk through how to get voice phishing activated on your CanIPhish tenant, how to verify employee phone numbers, and finally, how to create your first voice phishing campaign! Let's get into it.
Table of Contents:
- Step 1. How To Activate Voice Phishing
- Step 2. How To Verify Employee Phone Numbers
- Step 3. How To Create A Voice Phishing Campaign
- Frequently Asked Questions
Step 1. How To Activate Voice Phishing
Voice Phishing is not activated by default. It's only available to Enterprise Tier Subscribers. The activation process involves a few steps, which are outlined below.
Important Note: To comply with global spam and telecommunication regulations, Voice Phishing cannot be fully white-labelled (this is mainly relevant to MSPs who don't want their end-customer seeing the CanIPhish brand). See the FAQs at the bottom of this page for more information on this.
1.1. Start The Voice Phishing Activation Process
Once you have purchased an Enterprise Tier Subscription, an activation notification will appear at the top of the Voice Phishing page, which can be found under Phishing Content > Voice Phishing (https://caniphish.com/User/VoicePhishing).
1.2. Voice Phishing Activation Terms & Conditions
Once the Voice Phishing Activation Button is clicked, a terms & conditions pop-up will appear, which outlines key information you need to acknowledge about Voice Phishing, notably:
- Functionality Overview: You will be given a brief overview of how CanIPhish's Voice Phishing capability operates and the benefits it can provide.
- Subprocessor Statement: You will be notified that activating Voice Phishing will leverage two opt-in-only subprocessors necessary to deliver the service: ElevenLabs and Twilio. More information on these subprocessors can be found on CanIPhish's Security & Compliance Page.
- Agency Agreement: You will be notified that, as part of the Voice Phishing activation process, CanIPhish requires consent to send and receive voice calls that will appear to originate from your organization, solely for the purpose of conducting voice phishing simulations at your direction.
- Supported Countries: You will be notified of which countries CanIPhish supports outbound phone calling to. CanIPhish manually reviews each country's spam and telecommunication regulations to ensure compliance prior to adding a country to the supported countries list. See the FAQs at the bottom of this page for more information on which countries are supported.
- Additional Resources: You will be provided with links that lead to a series of additional resources, such as an implementation overview for administrators, a guide explaining the benefits of voice phishing to executives, and a guide explaining what end-users can expect when they participate in simulated voice phishing campaigns.
To request the activation of voice phishing functionality, you must agree to these terms and conditions. Additionally, you will be asked for a few pieces of information, such as who will be providing sign-off for the agency agreement and the formal name of your organization.
1.3. CanIPhish Reviews The Voice Phishing Activation Request
Once the request to activate voice phishing has been received, a member of the CanIPhish team will manually review the request before activating voice phishing.
1.4. Agency Agreement Signed (Only Required By Partners)
This step is only required for CanIPhish Partners. CanIPhish needs the Agency Agreement to be accepted by the end-customer, and this cannot be delegated to Partners as the upstream provider. Partners will receive a formal Agency Agreement via DocuSign and must send this to a representative at the end-customer organization for signing. Once the agency agreement is signed, a member of the CanIPhish team will do a final review of the voice phishing activation request before counter-signing and fully executing the agency agreement. This final review may take 24-48 hours.
1.5. Voice Phishing Functionality Is Activated
Once all prerequisites are met, voice phishing functionality will be enabled, and you can proceed with Step 2. You will receive an email notification once voice phishing has been activated.
Step 2. How To Verify Employee Phone Numbers
To enable voice phishing simulations, employees must complete a double opt-in consent process. This involves:
- Adding employee phone numbers to one or more employee lists.
- Verifying those numbers to trigger the opt-in consent email.
- Employees providing consent, through a double opt-in consent process which verifies phone numbers over email and SMS.
This process is initiated by an admin and completed by each employee.
2.1: Add Employee Phone Numbers (Performed by Admin)
You can add phone numbers to existing employee lists or create a new employee list. Phone numbers can be added manually or through a directory sync with Entra ID or Google Workspace. To view what information is within the Phone Number field, click the Phone Number link in the "Toggle fields" section highlighted in red below:
Note: Phone Numbers must be provided in E.164 format (i.e. all phone numbers must start with a plus sign (+) followed by the country code). For example, Australian numbers start with +61 and US numbers start with +1.
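Before uploading or syncing an employee list, it helps to check that every number is already in the E.164 form CanIPhish expects. The following is an added example (not CanIPhish code) that normalises common local formatting and flags anything that still is not valid E.164; the default_country_code parameter and the sample rows are constructed assumptions for illustration.

```python
import re

# E.164: a leading "+", then 1 to 15 digits, the first of which is never 0.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")


def normalize_e164(raw, default_country_code=None):
    """Return (number, reason); number is E.164 or None if it cannot be repaired.

    default_country_code (e.g. "61" or "1") is an assumption used only to repair
    local-format numbers such as "0412 345 678"; it is not a CanIPhish setting.
    """
    s = re.sub(r"[\s\-().]", "", raw or "")  # strip spaces, dashes, brackets, dots
    if not s:
        return None, "empty"
    if s.startswith("00"):                    # "00" international prefix -> "+"
        s = "+" + s[2:]
    elif not s.startswith("+"):
        if default_country_code is None:
            return None, "missing country code"
        # Local number: drop the trunk prefix (leading zeros) and prepend the country code.
        s = "+" + default_country_code + s.lstrip("0")
    if not s[1:].isdigit():
        return None, "non-digit characters"
    if not E164_RE.match(s):
        return None, "not E.164 (1-15 digits, no leading zero after +)"
    return s, "ok"


def check_employee_list(rows, default_country_code=None):
    """rows: iterable of (email, raw_phone). Returns [(email, e164_or_None, reason), ...]."""
    return [(email, *normalize_e164(phone, default_country_code)) for email, phone in rows]


# Constructed sample rows, not real employee data.
SAMPLE_ROWS = [
    ("alice@example.com", "+61 412 345 678"),   # already E.164, just formatted
    ("bob@example.com", "(415) 555-0142"),      # US local format
    ("carol@example.com", "0412 345 678"),      # AU local format with trunk 0
    ("dave@example.com", "+0412345678"),        # leading zero after + is invalid
    ("erin@example.com", "+1 415 555 01x2"),    # typo
]

if __name__ == "__main__":
    for email, number, reason in check_employee_list(SAMPLE_ROWS, default_country_code="1"):
        print(f"{email:20} {number or '-':16} {reason}")
```

Note that the check is purely syntactic: a number can satisfy E.164 and still be unassigned, so the double opt-in step in 2.3 remains the real confirmation that the number reaches the intended employee.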
2.2: Phone Number Verification (Performed by Admin)
To begin the opt-in process for voice phishing participants:
- Go to the Employees page and click the Verification button.
- Open the Phone Number Verification tab.
- Choose the employee list(s) containing those you want to verify.
- Click Save Configuration.
- When prompted, click Yes, apply the update.
Every employee in the selected list(s) with a valid phone number will now receive the initial opt-in email.
Note: By default, if an employee hasn't explicitly provided or declined consent, they will receive a reminder email every 7 days, with a maximum of 5 reminders being sent. After this, manual reminders can be sent a further 5 times.
2.3: Double Opt-In Consent (Performed by Employee)
- The employee will receive an email prompting them to opt in. They need to click "VIEW MORE DETAILS AND PROVIDE CONSENT".
- They will land on the consent page. From here, they can click I Consent.
- They will receive a text (SMS) message with a 6-digit code, which they can enter into the Consent Code field.
- They can now click Submit Consent Code.
- The employee is now verified and opted in.
Note: It's recommended to make your employees aware of this consent request prior to it being sent so they aren't caught off-guard and decline or ignore the consent request.
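The consent lifecycle described in 2.2 and 2.3 (reminders every 7 days, 5 automatic then 5 manual, consent valid for 24 months unless the employee opts out) is easy to get wrong when reconciling an exported employee list before a campaign. The following is an added example, not CanIPhish code: it applies those policy values from this article to a constructed per-employee record layout (the field names are assumptions) to report who is eligible, who is pending and which reminder is due.

```python
from datetime import date, timedelta

# Policy values as stated in this article.
REMINDER_INTERVAL = timedelta(days=7)
MAX_AUTO_REMINDERS = 5
MAX_MANUAL_REMINDERS = 5


def consent_expiry(consented):
    """Consent lasts 24 months; clamp a 29 February consent date to the 28th."""
    try:
        return consented.replace(year=consented.year + 2)
    except ValueError:
        return consented.replace(year=consented.year + 2, day=28)


def consent_status(rec, today):
    """Classify one record (assumed keys: email, invited, consented, opted_out,
    auto_reminders, manual_reminders). Returns (status, next_action)."""
    if rec.get("opted_out"):
        return "declined", "do not include; re-invite only at the employee's request"
    if rec.get("consented"):
        if today <= consent_expiry(rec["consented"]):
            return "eligible", "none"
        return "expired", "re-run phone number verification"
    if not rec.get("invited"):
        return "not_invited", "add to a list selected for phone number verification"
    auto = rec.get("auto_reminders", 0)
    manual = rec.get("manual_reminders", 0)
    if auto < MAX_AUTO_REMINDERS:
        due = rec["invited"] + REMINDER_INTERVAL * (auto + 1)
        return "pending", "automatic reminder due " + due.isoformat()
    if manual < MAX_MANUAL_REMINDERS:
        left = MAX_MANUAL_REMINDERS - manual
        return "pending", "automatic reminders exhausted; %d manual reminders left" % left
    return "pending", "all reminders exhausted; contact the employee directly"


def campaign_readiness(records, today):
    """Split records into those a voice phishing campaign may target and the rest."""
    eligible, blocked = [], []
    for rec in records:
        status, action = consent_status(rec, today)
        (eligible if status == "eligible" else blocked).append((rec["email"], status, action))
    return eligible, blocked


# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "consented": date(2023, 7, 1)},
    {"email": "bob@example.com", "consented": date(2023, 5, 1)},
    {"email": "carol@example.com", "invited": date(2025, 5, 20), "auto_reminders": 1},
    {"email": "dave@example.com", "invited": date(2025, 1, 6), "auto_reminders": 5, "manual_reminders": 2},
    {"email": "erin@example.com", "consented": date(2024, 2, 1), "opted_out": date(2025, 3, 3)},
    {"email": "frank@example.com"},
]
```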
Step 3. How To Create A Voice Phishing Campaign
Creating a voice phishing campaign is just like creating a regular email phishing campaign.
- Click New Campaign.
- Go through the Initial Setup & Employee Selection as usual.
- Select Voice Phishing in the top bar to expose the voice phishing templates. From here, continue as usual.
Frequently Asked Questions
Why Can't Voice Phishing Be Fully White-Labelled?
To comply with global spam and telecommunication regulations, both the recipient of simulated voice phishing calls and the organization that we are masquerading as need to provide explicit consent to CanIPhish as the underlying provider that is facilitating the service. Unfortunately, this consent cannot be delegated to upstream providers such as an MSP and then inherited downstream to CanIPhish. Accordingly, as part of the activation and employee consent process, the CanIPhish brand will be exposed to the end-user organization.
Why Do I Need To Verify Employee Phone Numbers?
Simulated voice phishing differs significantly from simulated email phishing, notably in terms of how the phishing material is sent. With simulated voice phishing, employees' personal mobile phones are in use, and the phone calls are conducted over traditional telecommunication lines, which are heavily regulated. This differs from email phishing, where all email inboxes are wholly managed by the organization.
Because of these differences, employees must demonstrate to CanIPhish that they wholly consent to participate in simulated voice phishing exercises.
What Countries Is Voice Phishing Available In?
The CanIPhish team manually reviews country-specific spam and telecommunication regulations to ensure voice phishing simulations are conducted in a safe and compliant manner. As it currently stands, voice phishing simulations can be conducted in 65 countries. To see the full list of countries, please refer to our Voice Phishing Compliance & Legal Statement.
Note: CanIPhish will continue adding to this list as each country's spam and telecommunication regulations are reviewed to ensure compliance.
Does Requiring Consent From Employees Remove The "Surprise" Factor Of Phishing Simulation?
To a small degree yes, but overall no. Providing consent is a point-in-time process, but once consent is provided it's valid for 24 months (unless an explicit opt-out occurs in that time), and in that time many voice phishing campaigns can take place.
In the end, you need to consider that voice phishing simulations are a means to an end, and that end is to make employees more vigilant and suspicious of unsolicited/unexpected phone calls from unrecognized numbers. Whether they are expecting the call or not, the end result will be the same, in that employees will become more cautious and wary when receiving phone calls.
Why Can I Only Masquerade As My Organization And Not Others In Voice Phishing Simulations?
With simulated voice phishing, employees' personal mobile phones are in use, and the phone calls are conducted over traditional telecommunication lines, which are heavily regulated. Most countries' spam and telecommunication regulations stipulate that callers must clearly identify who they are and must not misrepresent themselves when conducting phone calls. CanIPhish is able to navigate this by obtaining a signed Agency Agreement from your organization, which stipulates that we can formally represent your organization for the purpose of conducting simulated voice phishing calls at your direction.