
Tip 8: Establish a Business “Safe Word” to Verify Unexpected Calls
Voices can be faked. Caller ID can be spoofed. A pre-shared safe word is something an attacker cannot know – and it costs nothing to implement.
What to do:
- Pick a word or short phrase that isn’t obvious and doesn’t exist anywhere in writing, and share it only verbally with your team.
- Establish a rule: any unexpected call requesting sensitive action (wire transfer, credential reset, access grant, financial information) requires the caller to provide the safe word before anything is done.
- Change the word if you ever suspect it’s been compromised.
Common mistake: An employee gets a phone call from someone who sounds exactly like the owner of the company. The voice, the tone, the phrasing – all identical. The “owner” says there’s an emergency and a wire transfer needs to happen immediately. The employee acts because the call sounds completely real and the request feels urgent.
This attack – sometimes called vishing, sometimes CEO fraud – cost U.S. businesses $2.9 billion last year alone.
It doesn’t require sophisticated hacking. It requires a voice recording and a convincing script. A safe word is a layer of verification that no AI can replicate because it was never recorded.
How to know it’s done:
- Your team has a shared safe word used to verify unexpected requests over the phone
- Employees know the rule: if someone can’t provide the safe word on an unexpected call, the request waits until identity is confirmed another way