Voice phishing plays a dangerous part in cybersecurity attacks
Phishing is a longstanding attack method used by hackers to steal personal data. Its modern counterpart, “Vishing,” operates with the same principle: steal personal data and info. Vishing is when third-parties attempt to hijack info but with voice calls. Like phishing, it uses social engineering to compromise security.
In a nutshell, Vishing callers pose as a trusted person and seek to gain valuable info about the receiver and/or company. According to the FBI and CISA, this trend has risen since July 2020. The increase is a direct result of companies utilizing remote working solutions. Remote working solutions required mass adoption, but, do not have the same security standards as a robust IT network.
During the mentioned attacks, hackers stole credentials and sold access information to third-parties.
In an effort to help you identify and protect your business data from these attacks, we’ll break down “vishing” and how to keep your staff safe.
The nature of the vishing attack
Hackers targeting companies deployed a several-step method to compromise information. Initially, they registered domains to appear official or maintaining third-party resources. According to reports, the structure of these demains had similar structures:
- Support
- Ticket
- Employee
- Company (Support)
Primarily, the goal was to make the landing page appear as a company’s internal VPN resource, with the goal to hijack 2FA (two-factor authentication) passwords and one-time activation codes. Thus, the plan was to send staff to these falsified domains in an attempt to compromise information later used for a cybersecurity breach.
Once established, third-parties worked to collect data about staff, creating “dossiers” to identify weak links. Hackers also used massive data hunting techniques, such as researching social media accounts, finding publicly available info, background-checking info, and available security check resources.
As the report explained, this info detailed various tidbits about staff depending on what was publicly available, such as full name, home address, their company position, their personal number(s), and how long they were at the company (or still are).
Standard fair for malicious third parties thus far. These methods are common with phishing attacks and other social-engineering schemes. Once collected, the attackers would use this data to launch falsified VoIP calls at specific staff. Combined with the social-engineering methods, the callers would pose as either staff of a company or even virtual IT assistance. During the calls, the located info was used to quickly gain the trust of the recipient.
If successful, typically the caller would then convince the staff member a new link to VPN resources was sent to them. In reality, that resource was the compromised phishing domain. If accesses, workers unknowingly gave away 2FA codes.
The consequences
Once breached, hackers utilized the stolen credentials to sift through business networks. Afterward, they stole information ranging from account data and in some cases even financial information.
As another example highlighting the dangers of social engineering, protecting your remote networks is critical. Fortunately, the FBI and CISA have a list of tips to keep in mind.
For Remote Network Management
- Reduce and restrict access to VPNs to only verified parties
- Reduce time users are allowed to stay on a company VPN
- Utilize network monitoring to check for unusual activity
- Scan for any abnormal activity, including adjustments to files, programs, software, and logins
- Enable software restriction based on staff (such as remote workers should have limited access to business software depending on their tasks)
- Enable secondary authentication requirements for staff-to-staff communication through phone contacts to help reduce confusion and improve security
- Inform workers about vishing and phishing attacks
For Remote Workers
At-home workers can use different techniques to protect themselves outside of company requirements.
- If receiving a link from a contact, always double-check the spelling and domain link
- When viewing a link, cross-reference this with your business to make sure it’s verified
- Practice caution first, if you’re not 100 percent certain a link or contact is safe, defer to management
- Do not provide information to random, unplanned calls or messages from unknown parties, and be extra suspicious of unsolicited calls
- Keep bookmarks of your company approved VPN websites (and all other relevant company resources)
- Use an office device for company work instead of a personal one to reduce risk of losing sensitive data
- Keep all anti-virus platforms updated
- Clean up social media accounts and limit access to who can see them
Bottom line: it comes down to extra precautions taken by both user and company networks. Always double check contacts and links and, if you’re not entirely certain about something, err on the side of safety.
If you’d like additional assistance for strategies and company protection, contact Bytagig for more information.
