Fraud Alert: Have You Heard About New Vishing Attacks?

For years, businesses and individuals have had to worry about so-called “phishing” scams sent via email or text. These cyberattacks are designed to hook unsuspecting victims into revealing sensitive information. Now there’s a new twist aimed largely at small businesses: Voice phishing scams (also known as “vishing” using social engineering). A recent alert from the Cybersecurity Infrastructure Security Agency (CISA), acting in conjunction with the Federal Bureau of Investigation (FBI), provides the details.

Vishing Expeditions

In the classic phishing scam, scammers use email or text messages to trick someone into revealing sensitive information. Fraudsters may target individuals to gain access to their passwords, account numbers, Social Security numbers (SSNs) and other sensitive personal data. Phishing scams also may target employees to gain access to their employers’ networks. Once inside, they can steal electronic records containing employee or customer data, install malware or ransomware, and/or hijack the company’s records, such as customer lists, financial records, account numbers, trade secrets and in-progress R&D projects. In vishing scams that target the business sector, a scammer calls on the phone and may use intimidation to convince the employee to provide access. In some cases, the scammer may pose as a coworker from the company’s IT department who’s been assigned to install a software update that’s actually malware.

Uptick in Cases

Vishing scams have been around for years. But the proliferation of employees working from home during the novel coronavirus pandemic has led to a significant uptick in these scams in 2020. Why? At-home networks are often less secure than in-office networks — and some companies haven’t had the time or resources to update their security protocols for remote access. Fraudsters have seized this opportunity to target stay-at-home employees. Vishing attacks gained momentum over the summer, according to the CISA advisory. The fraudsters typically exploit holes in the security system of virtual private networks (VPNs) set up to accommodate employees working from home. Here are four steps involved in a typical vishing scam:

1. The so-called “visher” creates a website that replicates or closely resembles the company’s VPN login page. Then he or she obtains a secure socket layer (SSL) certificate for the domain and names it with a combination of the company’s name and words such as “support” or “employee.”

2. The visher compiles a dossier on an employee, including the employee’s full name and address, phone number, and position at the company. This information can often be obtained from public profiles on social media platforms, recruiter and marketing tools, publicly available background check services and other resources.

3. The visher contacts the employee through a voice over Internet protocol (VoIP) number or a fake phone number from other employees and departments from the company. Typically, the scammer will impersonate IT help desk workers and gain the employee’s trust using the dossier of personal information.

4. The visher convinces the target that he or she will receive a new VPN link that requires login information. This may include two-factor authentication, a solo password or both. In some cases, the prompt is approved by an employee who mistakenly believes access had been granted earlier to the IT desk impersonator. In other cases, hackers employ SIM swapping attacks to circumvent security measures.

When this process is complete, the company’s proprietary and trade secret information is exposed. This could lead to substantial ransom costs, forensic fees and expenses, employee and customer notice obligations and even liability for security breaches.

Preventing an Attack

Fortunately, the CISA advisory does more than just alert the business sector to the potential dangers of vishing. It also outlines the following steps for companies to take for greater protection against these sophisticated attacks.

• Restrict VPN access hours and VPN connections to managed devices only. Use mechanisms like hardware checks or installed certificates, so user input alone isn’t enough to access the corporate VPN.
• Employ domain monitoring to help you track the creation of, or changes to, corporate, brand-name domains.
• Actively scan and monitor web applications for unauthorized access, modification and anomalous activities.
• Employ the principle of least privilege and software restriction policies.
• Monitor authorized user accesses and usage.

In addition, employers might consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.

Team Effort

At many workplaces, remote working arrangements are expected to outlast the COVID-19 crisis — and cybercriminals will continue to find ways to exploit home-based networks. Employees are your company’s first line of defense against cyberattacks. Cybersecurity training can help update employees on proper network use, security issues and when to call a secure IT number. Remind employees to be suspicious of any request for their logins and credentials or other personal information. Provide detailed instructions for contacting the appropriate personnel if they have any security concerns. Your company’s professional advisors can also be valuable assets as your company adjusts to work-from-home arrangements and help fortify your company’s cybersecurity measures.