While phishing has always been a concern, those looking to do harm have branched out to expand upon this. They’ve gone back to old-school methods and are using vishing phone scams once again because so many people are remote working. Read on to learn more about vishing and how you can stay protected.
What Is Vishing?
Security experts at McGallen & Bolden Pte Ltd. have warned that vishing is being resurrected, bring forward a joint cybersecurity advisory issued by the FBI and Cybersecurity & Infrastructure Security Agency (CISA).
The vishing phone scams are basically voice phishing by phone. Bad actors register domains and create phishing pages that copy a company’s internal VPN login page. They look to steal two-factor authentication or one-time passwords and even obtain Secure Sockets Layer certificates for the domains that were registered.
Dossiers on the employees are compiled at the companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research information. They collect the name, home address, personal phone number, position at the company, and time at the company.
VoIP numbers are used to call the targeted employees on their personal phones. Spoofed numbers of other offices and employees are later incorporated. Social engineering techniques are used, as well as methods to post as the company’s IT help desk to gain the trust of targeted employees. They are convinced that a new VPN link will require their login with any 2FA or OTP they use.
The bad actors then use this information to gain access to the employee’s account. They may do further research for more victims or steal money from the platform.
Advised Mitigations for Vishing Phone Scams
With the global health crisis leading to more people working from home, the joint cybersecurity advisory says it’s “resulted in a mass shift of working from home, resulting in increased use of corporate VPN, and elimination of in-person verification, which can partially explain the success of this campaign.”
The FBI and CISA suggest the following tips to protect you and your company from vishing phone scams:
- Restrict VPN connections to managed devices only
- Restrict VPN access hours where applicable
- Employ domain monitoring to track the creation of changes
- Scan and monitor web applications for unauthorized access
- Employ the principle of least privilege, implement software restriction policies, and monitor authorized user access and usage
- Use a formalized authentication process for employee-to-employee communications made by phone
- Improve 2FA and OTP messaging to reduce confusion about authentication attempts
The coronavirus pandemic has shaken the whole world and turned it upside down, like a giant snow globe. Life is topsy turvy and nothing like we would have expected. This has caused us to make many changes in our daily lives. We have to remain on guard of protecting our personal and corporate safety just as we are our physical safety with mitigations such as wearing masks and social distancing.
Read on to learn what to do if you unknowingly give away your credentials
