Fraud Alert: Have You Heard About New Vishing Attacks?
Kirsch CPA Group
Oct 19, 2020

For years, businesses and individuals have had to worry about so-called “phishing” scams sent via email or text. These cyberattacks are designed to hook unsuspecting victims into revealing sensitive information. Now there’s a new twist aimed largely at small businesses: voice phishing scams, also known as “vishing,” which rely on social engineering over the phone. A recent alert from the Cybersecurity and Infrastructure Security Agency (CISA), acting in conjunction with the Federal Bureau of Investigation (FBI), provides the details.
Vishing Expeditions
In the classic phishing scam, scammers use email or text messages to trick someone into revealing sensitive information. Fraudsters may target individuals to gain access to their passwords, account numbers, Social Security numbers (SSNs) and other sensitive personal data. Phishing scams also may target employees to gain access to their employers’ networks. Once inside, they can steal electronic records containing employee or customer data, install malware or ransomware, and/or hijack the company’s records, such as customer lists, financial records, account numbers, trade secrets and in-progress R&D projects. In vishing scams that target the business sector, a scammer calls on the phone and may use intimidation to convince the employee to provide access. In some cases, the scammer may pose as a coworker from the company’s IT department who’s been assigned to install a software update that’s actually malware.
Uptick in Cases
Vishing scams have been around for years. But the proliferation of employees working from home during the novel coronavirus pandemic has led to a significant uptick in these scams in 2020. Why? At-home networks are often less secure than in-office networks — and some companies haven’t had the time or resources to update their security protocols for remote access. Fraudsters have seized this opportunity to target stay-at-home employees. Vishing attacks gained momentum over the summer, according to the CISA advisory. The fraudsters typically exploit holes in the security system of virtual private networks (VPNs) set up to accommodate employees working from home. Here are four steps involved in a typical vishing scam:
1. The so-called “visher” creates a website that replicates or closely resembles the company’s VPN login page. Then he or she obtains a Secure Sockets Layer (SSL) certificate for the domain and names the domain with a combination of the company’s name and words such as “support” or “employee.”
2. The visher compiles a dossier on an employee, including the employee’s full name and address, phone number, and position at the company. This information can often be obtained from public profiles on social media platforms, recruiter and marketing tools, publicly available background check services and other resources.
3. The visher contacts the employee through a voice over Internet protocol (VoIP) number or a fake phone number made to look like it belongs to other employees or departments at the company. Typically, the scammer will impersonate IT help desk workers and gain the employee’s trust using the dossier of personal information.
4. The visher convinces the target that he or she will receive a new VPN link that requires login information. This may include two-factor authentication, a solo password or both. In some cases, the prompt is approved by an employee who mistakenly believes access had been granted earlier to the IT desk impersonator. In other cases, hackers employ SIM swapping attacks to circumvent security measures.
When this process is complete, the company’s proprietary and trade secret information is exposed. This could lead to substantial ransom costs, forensic fees and expenses, employee and customer notice obligations and even liability for security breaches.
Preventing an Attack
Fortunately, the CISA advisory does more than just alert the business sector to the potential dangers of vishing. It also outlines the following steps for companies to take for greater protection against these sophisticated attacks.
- Restrict VPN access hours and VPN connections to managed devices only. Use mechanisms like hardware checks or installed certificates, so user input alone isn’t enough to access the corporate VPN.
- Employ domain monitoring to help you track the creation of, or changes to, corporate, brand-name domains.
- Actively scan and monitor web applications for unauthorized access, modification and anomalous activities.
- Employ the principle of least privilege and software restriction policies.
- Monitor authorized user accesses and usage.
In addition, employers might consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
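The domain-monitoring step can be sketched as a filter over a feed of newly seen domain names, matching the naming pattern from step 1 of the scam (company name plus “support” or “employee”). This is an added example, not code from the CISA advisory or from the author; the brand `examplecorp`, the sample feed and the digit look-alike map are assumptions for illustration.

```python
import re

# Keywords the article says vishers combine with the company name.
KEYWORDS = ("support", "employee")
# Assumption: digit-for-letter swaps worth undoing before matching.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(text):
    """Lower-case, drop separators and undo simple digit substitutions."""
    return re.sub(r"[^a-z0-9]", "", text.lower()).translate(LOOKALIKES)


def flag_domain(domain, brand, own_domains=()):
    """Return why a domain looks like brand impersonation, or None."""
    name = domain.strip().lower().rstrip(".")
    # Domains the company owns (and their subdomains) are not suspicious.
    if any(name == own or name.endswith("." + own) for own in own_domains):
        return None
    labels = name.split(".")
    # Ignore the final TLD label so a brand-like TLD cannot match.
    squashed = normalize("".join(labels[:-1] or labels))
    brand_norm = normalize(brand)
    if brand_norm not in squashed:
        return None
    rest = squashed.replace(brand_norm, "", 1)
    hits = [k for k in KEYWORDS if k in rest]
    if hits:
        return "brand + keyword: " + ",".join(hits)
    return "brand in unowned domain"


def scan(domains, brand, own_domains=()):
    """Map each suspicious domain in a feed to the reason it was flagged."""
    flagged = {}
    for d in domains:
        reason = flag_domain(d, brand, own_domains)
        if reason:
            flagged[d] = reason
    return flagged


# Constructed sample feed (e.g. names seen in new certificates); not real data.
SAMPLE_FEED = [
    "vpn.examplecorp.example",
    "examplecorp-support.example",
    "employee-examp1ecorp.example",
    "unrelated-shop.example",
]

if __name__ == "__main__":
    for dom, why in scan(SAMPLE_FEED, "examplecorp", ("examplecorp.example",)).items():
        print(dom, "->", why)
```

Flagged names are leads for review, not verdicts; a real deployment would feed this from a registration or certificate-issuance source and route hits to whoever handles takedown requests.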
Team Effort
At many workplaces, remote working arrangements are expected to outlast the COVID-19 crisis — and cybercriminals will continue to find ways to exploit home-based networks. Employees are your company’s first line of defense against cyberattacks. Cybersecurity training can help update employees on proper network use, security issues and when to call a secure IT number. Remind employees to be suspicious of any request for their logins and credentials or other personal information. Provide detailed instructions for contacting the appropriate personnel if they have any security concerns. Your company’s professional advisors can also be valuable assets as your company adjusts to work-from-home arrangements and help fortify your company’s cybersecurity measures.

About The Author
Kirsch CPA Group is a full service CPA and business advisory firm helping businesses and organizations with accounting,…