Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate because AI voice cloning tools are widely accessible and vishing is a confirmed, growing loss category, but exploitation of any specific organization depends on attacker targeting — mass campaigns are documented while targeted deep-impersonation requires deliberate effort. Impact is high because a successful vishing call impersonating an executive, IT, or financial authority can directly authorize wire transfers, credential resets, or access changes — consequences that are immediate, financial, and difficult to reverse.
Treatment rationale: The threat vector is active and financially material, avoidance is impractical (phone-based business communication cannot be abandoned), and the residual risk after mitigation — layered callback verification, out-of-band authorization controls, and platform-level defenses — is reducible to an acceptable level without transferring the core operational exposure.
Third-Party / Supply-Chain Risk
Organizations relying on carriers, UCaaS providers, or BYOD Android fleets that have not yet received the RCS authentication feature inherit a deployment dependency: protection is conditional on Google's rollout cadence, carrier RCS support, and device eligibility (Android 12+, Pixel-prioritized). Third-party telephony platforms (softphone, Teams, Zoom Phone, SIP trunks) are entirely outside the coverage of the RCS authentication control and represent unmitigated exposure for vishing delivered over non-RCS channels. Per NIST SP 800-161 framing, any shared communication platform or managed mobility provider should be assessed for RCS readiness and for alternative compensating controls where RCS is unavailable.
Loss Exposure (illustrative)
Magnitude: High — illustrative $500K–$5M per incident for organizations with phone-authorized financial or privileged-access workflows; lower for organizations with strong out-of-band verification controls already in place
Frequency: Illustrative 1–3 targeted vishing attempts per year for a mid-to-large enterprise; materially higher for organizations with publicly known decision-makers or documented M&A / financial activity that provides social engineering context
Annualized: Illustrative ALE framing: assuming a moderate success rate (1 successful event per 3–5 years given partial controls), annualized loss exposure is roughly $100K–$1.7M, i.e. the per-incident magnitude range multiplied by an annual success frequency of 1/5 to 1/3 — this range widens significantly for organizations without callback verification or segregation of duties on high-value authorizations
Basis: Estimate is derived from the threat profile (AI voice cloning enabling impersonation of known executives or IT personnel), the consequence class (wire fraud, unauthorized access, credential compromise), and the control gap (phone-based authorization without out-of-band verification). No third-party dollar-figure reports were used. Range reflects variance in organizational control maturity and attacker targeting specificity.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Vishing-enabled wire fraud or unauthorized access may trigger crime or social engineering endorsement clauses under cyber or financial-institution bonds — verify with broker whether coverage applies and whether a standalone social engineering sublimit is in force.
• If a successful AI voice impersonation attack results in a credential reset leading to data exfiltration, breach-notification obligations may be implicated depending on jurisdiction and data affected — verify with counsel before any notification determination.
• Executive impersonation enabling fraudulent payment authorization may invoke fidelity bond or computer-fraud coverage conditions requiring timely notice — verify with broker and counsel regarding notice obligations and timelines.