The Other Side of the Call

This week I got feedback that made me think. Paraphrased, the feedback was: "Our help desk is secure - we have MFA, biometrics, callbacks, fallback mechanisms. We're covered."

They're right. They built something smart and safe. I built similar systems at previous companies.

But it hit me: We've solved half the problem.

With enough budget and the right people, you can design secure flows for high-risk moments like password resets. The help desk can verify employees beautifully.

But the help desk isn't the only one being attacked. Everyone is.

Your employees get:

  • Calls from "IT" asking them to install software, disable software, or provide information
  • Messages from the "CEO" needing urgent help
  • Calls or texts from the "CFO" for money transfers and gift cards
  • Texts from "HR" about their paycheck
  • Emails from "Security" about updates (wait, that's actually a phishing test)

While we built great systems to protect inbound verification, the other direction is wide open.

What do employees get to verify who's contacting them? Nothing. Just training and this policy:

"We will never call, text, or email asking for your account number, password, or sensitive information."

Cool. Until someone does exactly that.

Hope Is Not a Protocol

We train people to be cautious. We tell them to slow down. But we also expect them to respond fast, help teammates, and keep operations running.

Attackers exploit that tension: "I'm in an urgent meeting and need this right away."

That's the design flaw: employees must accept vulnerability just to do their jobs.

GetTrusted flips the model. Cryptographic verification that works both ways:

  • CEO asks something strange? Challenge them.
  • Employee calls help desk? Challenge them.
  • Help desk calls employee? Challenge them.

Two clicks. No memorizing policies. No guessing exceptions. Just proof: Is this really who they claim to be?

The companies in headlines - the ones who lost millions - had the same training, same policies, same hopes.

We don't need more training. We need better tools. Tools that let people work with urgency AND certainty.

The industry made huge progress protecting high-risk inbound flows. But protection is still one-sided. We've protected the castle gates while leaving the windows open.

That's what we're fixing. That's why this matters.