Vishing attacks are on the rise, according to federal officials, and can cause real harm to people and businesses. This article from your team at Rush Tech Support is sharing the latest and offers some tips.
Vishing attacks are related to phishing scam attacks and try to dupe people into turning over personal information through a fake, but realistic sounding and looking phone call. The V in vishing attacks stands for “voice” as in somebody or a robotic voice calling you.
How do vishing attacks work?
Vishing attacks often spoof phone numbers which means the calls show up with a legit-looking phone number. For example, our marketing team once received a phone call apparently from the court in Chicago, claiming there was an open claim. The call came after-hours and displayed the actual phone number of the court.
Even calling the number back got us to the actual courthouse and its voice message – after all it was after 5. The numbers in vishing attacks look real, but the callers aren’t. They are scammers. Since it’s after-hours, you can’t even verify right then whether or not you actually have to address something. The scammers of course build on that urgency and potential fear. Next, they usually ask you for some type of personal information.
[Tweet “Vishing attacks try to look real so you reveal personal information over the phone.”]
The same setup is now trending up with so many people working remotely due to the COVID-19 pandemic, according to federal officials. Even the recent Twitter hack which prompted Twitter to restrict some accounts for a few hours was perpetrated via vishing tactics.
Let’s assure you are safe from vishing attacks
Call (888) 965-0171 to get assistance now. We will review your network, settings and make sure you are secure. You can also fill out the form.
How are these attacks happening to remote workers?
With more remote workers there’s been an increase in VPN use for businesses and now an increase in vishing. Once scammers were able to grab employee credentials they:
“… mined the victim company databases for their customers’ personal information to leverage in other attacks. The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme.”
But how did they get those credentials to begin with? The reported methodology is quite elaborate. According to officials:
“The initial steps of this vishing campaign followed a common thread. Actors registered domains and created phishing pages duplicating a company’s internal VPN login page, also capturing two-factor
authentication (2FA) or one-time passwords (OTP). Actors also obtained Secure Sockets Layer (SSL) certificates for the domains they registered and used a variety of domain naming schemes.”
“Actors then compiled dossiers on the employees at the specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background.”
“Actors first began using unattributed Voice over Internet Protocol (VoIP) numbers to call targeted employees on their personal cellphones, and later began incorporating spoofed numbers of other
offices and employees in the victim company. The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the
employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee. The actors then convinced the targeted
employee that a new VPN link would be sent and required their login, including any 2FA or OTP. The actor logged the information provided by the employee and used it in real-time to gain access to
corporate tools using the employee’s account.”
Some employees would then approve the two-factor authentication request, which allowed scammers to get in.
[Tweet “2FA will only work if you don’t give your code to scammers!”]
How to prevent vishing attacks?
The federal officials are offering the following tips and practices:
- Restrict VPN connections to managed devices only. Use mechanisms like hardware checks
or installed certificates. User input alone should not be enough to access the corporate VPN. - Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
- Employ domain monitoring to track the creation of, or changes to, corporate, brand-name
domains. - Actively scan and monitor web applications for unauthorized access, modification, and
unusual activities. - Employ the principle of least privilege and implement software restriction policies or other
controls; monitor authorized user accesses and usage. - Consider using a formalized authentication process for employee-to-employee
communications made over the public telephone network where a second factor is used to
authenticate the phone call before sensitive information can be discussed. - Improve 2FA and OTP messaging to reduce confusion about employee authentication
attempts.
How common are these attacks?
They are common and are trending up. In the 2019 internet crimes report which we covered here, vishing attacks are listed in the most common internet crimes category along with phishing. In 2019, there were over 114,000 victims.
But there are ways to not fall victim. Practice good information technology security and be wary of unsolicited phone calls. Don’t give out personal information, limit what you post on social media.