
A CISO’s Guide to Robocall Mitigation: Applying MITRE ATT&CK to Voice-Based Threats

By Tiffany Pressler
July 1, 2026

Robocalls have evolved far beyond consumer annoyance. Today, they serve as a scalable social engineering channel for fraud, credential theft, account takeover, and operational disruption.

Voice-based attacks are increasingly targeting the operational workflows that organizations trust most: help desks, identity recovery workflows, payment approvals, and customer support escalation paths. For many organizations, these threats remain in a gray area among telecom operations, fraud prevention, and cybersecurity. That separation no longer reflects how attackers operate.

Most enterprises already treat email as a managed attack surface that requires layered controls, authentication, monitoring, and policy enforcement. Voice communication increasingly requires the same layered approach.

MITRE ATT&CK recognizes voice phishing through Spearphishing Voice (T1566.004), yet many organizations still rely primarily on awareness training to address the problem. Training remains important, but attackers routinely exploit urgency, authority, and procedural weaknesses to pressure employees into taking legitimate actions on behalf of an adversary.

The challenge for security leaders is no longer simply blocking unwanted calls. The larger issue is reducing successful attack conversion across the business processes that voice attacks are designed to exploit.

Why Voice Attacks Continue to Succeed

Robocalls remain effective because they combine scale, low cost, and credibility.

One FCC estimate found that the average U.S. consumer receives approximately 13 spam or fraud calls each month. FTC data cited by the FCC reports median losses of roughly $1,480 per victim through phone-based fraud.

The scale remains significant. YouMail reported 52.5 billion robocalls in 2025, including more than four billion in December alone. U.S. PIRG also reported that spam robocalls reached a six-year high in 2025, while many voice providers still had not fully implemented required caller authentication and mitigation measures.

Attackers continue to succeed because voice communications bypass many of the protections businesses have built around email, browsers, and endpoints. In most cases, the attack relies less on technical compromise and more on manipulation. Calls are designed to create urgency, establish authority, or trigger fear of account compromise to influence behavior.

The underlying weakness is often procedural. Help desk resets, payroll changes, MFA recovery workflows, and customer support escalations can all become entry points when identity verification relies too heavily on caller credibility rather than validated controls.

Emerging voice cloning and deepfake capabilities may further increase the effectiveness of impersonation-based attacks. PIRG has identified AI-generated voice impersonation as a growing concern.

Treating Voice as a Security Control Problem

Many organizations still approach robocalls primarily as an awareness issue. That approach leaves important gaps.

Awareness training is important, but it should not serve as the primary line of defense. Attackers consistently refine scripts, timing, and impersonation techniques specifically to overcome skepticism.

Voice threats should instead be treated as a systems and control problem.

Most successful attacks exploit operational weaknesses rather than telecom infrastructure itself. If a sensitive action can be completed because a caller sounds convincing, attackers will eventually target that process.

The same layered security principles used to protect email environments apply equally to voice communications. Organizations should apply authentication signals, strong identity proofing, workflow validation, escalation controls, and anomaly detection to voice-driven interactions just as they do in other parts of the enterprise.

Organizations that treat voice solely as a telecom issue often overlook the business processes targeted by voice attacks.

Applying MITRE ATT&CK to Voice-Based Threats

MITRE ATT&CK provides a useful framework for understanding how robocall and vishing campaigns align with broader adversary behavior.

Voice attacks commonly map to several ATT&CK tactics, including Initial Access, Credential Access, Defense Evasion, and Impact.

MITRE specifically identifies Spearphishing Voice (T1566.004) as a recognized phishing technique. ATT&CK also documents callback-driven phishing scenarios in which victims are persuaded to contact attacker-controlled phone numbers and are then instructed to disclose credentials, install remote access tools, or visit malicious websites.

Using ATT&CK helps security teams map where voice attacks establish trust, bypass verification, and create operational or financial impact.

That perspective shifts robocalls from a nuisance issue to a measurable enterprise risk.

Building a Layered Mitigation Strategy

Effective robocall mitigation requires multiple layers of defense. No individual control fully addresses the problem.

Caller authentication frameworks such as STIR/SHAKEN provide useful trust signals, but they should not be treated as definitive proof that a call is legitimate. The FCC has acknowledged that non-IP network segments continue to create authentication gaps that can be exploited.

Organizations should combine authentication signals with analytics, blocking controls, and Do-Not-Originate protections to improve visibility into suspicious activity.
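The layering described above, as an added example that is not part of the original article: a triage function that decodes the STIR/SHAKEN PASSporT carried in a SIP Identity header and combines its attestation level with a Do-Not-Originate list and a simple velocity signal. The phone numbers, certificate URL, DNO entry, velocity threshold and function names are constructed assumptions, and signature and certificate validation are assumed to have been done upstream by the provider's verification service.

```python
import base64
import json

DNO_NUMBERS = {"18005550100"}   # constructed: inbound-only enterprise number
VELOCITY_LIMIT = 20             # constructed threshold: calls per hour from one number

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def parse_passport(identity_header):
    """Return PASSporT claims from a SIP Identity header value.
    Decoding only: signature and certificate checks are assumed done upstream."""
    token = identity_header.split(";", 1)[0].strip()
    header_b64, payload_b64, _signature = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("ppt") != "shaken":
        raise ValueError("not a SHAKEN PASSporT")
    return json.loads(_b64url_decode(payload_b64))

def triage_call(caller_id, identity_header, calls_last_hour):
    """Combine DNO, attestation and velocity into (decision, reasons)."""
    if caller_id in DNO_NUMBERS:  # DNO wins even over a full attestation
        return "block", ["caller ID is on the Do-Not-Originate list"]
    reasons = []
    if identity_header is None:  # e.g. the call crossed a non-IP segment
        reasons.append("no Identity header: call is unauthenticated")
    else:
        try:
            claims = parse_passport(identity_header)
            if claims["orig"]["tn"] != caller_id:
                reasons.append("signed originating number differs from caller ID")
            elif claims.get("attest") != "A":
                reasons.append("attestation %s is below full (A)" % claims.get("attest"))
        except (ValueError, KeyError, TypeError):
            reasons.append("Identity header could not be parsed")
    if calls_last_hour > VELOCITY_LIMIT:
        reasons.append("call velocity above threshold")
    # "allow" means no negative signal was seen, not that the caller's identity is proven.
    return ("flag" if reasons else "allow"), reasons

def make_identity(orig_tn, attest):
    """Build a constructed, unsigned sample Identity header for the demo."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": "https://cert.example/sti.pem"}
    payload = {"attest": attest, "dest": {"tn": ["12025550199"]}, "iat": 1700000000,
               "orig": {"tn": orig_tn}, "origid": "00000000-0000-0000-0000-000000000000"}
    return "%s.%s.c2ln;info=<https://cert.example/sti.pem>;alg=ES256;ppt=shaken" % (enc(header), enc(payload))

if __name__ == "__main__":
    for cid, hdr, rate in [("12025550123", make_identity("12025550123", "A"), 2),
                           ("12025550123", make_identity("12025550123", "C"), 45),
                           ("12025550123", None, 1),
                           ("18005550100", make_identity("18005550100", "A"), 1)]:
        print(cid, triage_call(cid, hdr, rate))
```

The last sample call carries a full "A" attestation and is still blocked because the number is on the DNO list, which is the reason the signals are evaluated together rather than attestation alone.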

Emerging spoof-protection technologies are also beginning to address one of the most persistent challenges in voice fraud: unauthorized use of legitimate enterprise phone numbers.

At the operational level, organizations should focus heavily on the workflows most frequently targeted by attackers. Password resets, MFA enrollment, vendor payment changes, payroll modifications, and account recovery procedures should require stronger verification controls, including step-up authentication and out-of-band confirmation where appropriate.

High-risk actions should not rely solely on voice or SMS-based verification.

Customer support and help desk teams also require specialized training around common vishing tactics, including authority impersonation, OTP harvesting, callback fraud, and escalation pressure. Incident response plans should explicitly account for voice-driven fraud scenarios, including financial containment and validation procedures.

Measuring Meaningful Outcomes

Many robocall mitigation programs still focus primarily on blocked call volume. That metric alone provides limited insight into actual risk reduction.

More meaningful measures include prevented account takeovers, blocked reset attempts, prevented payment reroutes, time to detection, and visibility into authentication quality across call paths.

The goal is not to eliminate every unwanted call. The objective is to reduce successful attacker conversion while preserving legitimate business communications.

CISO Voice Security Readiness Checklist

  • Governance: Voice is treated as an attack surface with shared ownership (Security + Telecom/Unified Communications + Fraud/Finance + Contact Center)
  • Identity/Access: High-risk actions avoid voice/SMS OTP when possible; step-up verification protects resets and enrollment
  • Help Desk: Account recovery requires strong identity proofing (not just caller credibility)
  • Finance: Vendor bank and payroll changes require dual approval and out-of-band verification
  • Telecom Controls: Caller authentication signal gaps (including non-IP segments) are understood; call spoof protection, branding, analytics, and DNO lists are in place
  • Training: High-risk roles get vishing-specific training and simulations (urgency, authority, OTP harvesting, call transfers)
  • Metrics: Program tracks prevented conversions (stopped fraud attempts), not only blocked call volume

The Takeaway

Organizations that continue treating robocalls as someone else’s problem because they originate outside the traditional network perimeter will remain vulnerable to voice-driven fraud and social engineering.

Voice communications are now part of the enterprise attack surface.

Security leaders should model robocall and vishing activity using frameworks such as MITRE ATT&CK, strengthen the workflows attackers routinely target, and apply layered verification controls that reduce successful impersonation without disrupting legitimate communications.

Appendix: Robocall/Vishing ATT&CK Mapping

| ATT&CK Tactic | Technique(s) | Robocall/Vishing Behaviors | Defensive Focus |
| --- | --- | --- | --- |
| Reconnaissance (TA0043) | Victim Identity Information (e.g., T1592) | Harvest phone numbers, roles, vendors; time attacks to payroll/IR cycles. | Reduce exposed contact info; monitor leakage; limit public role details; train high-risk roles. |
| Resource Development (TA0042) | Acquire Infrastructure (e.g., T1583) | Stand up VoIP/SIP trunks, lease numbers, rotate identities. | Telecom account vetting; anomaly and velocity analytics; enforce supplier controls. |
| Initial Access (TA0001) | Phishing (T1566) / Spearphishing Voice (T1566.004) | Impersonation, urgency; 'press 1'; callback numbers; transfer to live agent. | Vishing training; verified callback paths; contact-center scripts; label/block using authentication + analytics. |
| Defense Evasion (TA0005) | Masquerading (e.g., T1036) | Caller ID spoofing/laundering; exploit non-IP authentication gaps. | Preserve and inspect authentication signals; address non-IP segments; apply DNO lists; gateway controls. |
| Credential Access (TA0006) | Credential/OTP harvesting (voice-driven) | Collect OTPs/PINs; 'fraud alert' social engineering; push MFA approvals. | Step-up auth; avoid voice OTP for high-risk actions; strong proofing for resets; fraud playbooks. |
| Command and Control (TA0011) | Interactive control (conceptual mapping) | Bot-to-human handoff; repeated callbacks; persuasion loop. | Detect repeated targeting; throttle suspicious patterns; rapid escalation and reporting paths. |
| Impact (TA0040) | Financial Fraud (e.g., T1657) | Wire/payroll diversion, account takeover, call-center flooding, reputational harm. | Dual approval; out-of-band verification; incident response for voice fraud; track prevented conversions. |


Note: Mapping is an applied security interpretation to guide enterprise controls; telecom implementations vary by provider and call path.


Tiffany Pressler, Product Leader at First Orion.
