As people turned to remote work during the COVID-19 pandemic, cybercriminals took advantage immediately, but this time with a different form of phishing, called "vishing".
When your phone rings, it’s sometimes hard to know who’ll be on the other end. It might be someone vishing.
What is Vishing?
Vishing is a type of social engineering. These attacks try to trick an employee into giving out confidential information via a phone call.
In other words, vishing is the phone-based equivalent of email phishing: it uses either live callers or automated voice messages to steal confidential information. The term is a combination of "voice" and "phishing."
Vishing attacks use a spoofed caller ID, which can make the attack look like it comes from a trusted phone number that might cause the employee to pick up the phone. Vishing often uses VoIP technology to make the calls.
Vishing is an extremely useful tool for attackers, because their targets do not have time to think the situation through before providing information to the attacker and can easily be confused by alarming claims. Vishing attacks can be focused on all employees, or against employees that mainly deal with people outside the organization, such as the help desk, PR, Sales, and HR.
How Does Vishing Happen?
During a vishing phone call, a scammer uses social engineering to get you to share personal information and financial details, such as account numbers and passwords. The scammer might say your account has been compromised, claim to represent your bank or law enforcement, or offer to help you install software. Warning: any software offered this way is probably malware.
Common vishing scams
When working remotely, many employees use virtual private networks (VPNs) to access corporate networks. While a VPN is supposed to add a layer of security to a company’s network, it also allows cybercriminals to get creative.
In this particular scam, a cybercriminal obtains account credentials by doing a little research, coding a page or two, and posing as a technician from a company’s IT help desk.
How the scheme works is relatively simple. Posing as an IT help desk technician, the scammer uses an unattributed voice over internet protocol (VoIP) number to contact a company’s employee (the target) about a new VPN link. Having done some research on the target ahead of time (by compiling publicly available information, including social media accounts, background check services, etc.), the malicious actor convinces the employee on the other end of the line to visit a new VPN page (one that’s a fake). Not knowing the scammer has duplicated the page, the employee then inputs login credentials and more. And, just like that, the cybercriminal gains access.
How to Combat Vishing and Other Forms of Phishing Attacks
One of the best ways to combat phishing attempts is to educate your employees about the common signs of vishing. For example, your employees should be on the lookout for web links with misspellings. Frequently, a domain is off by a letter or two.
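As an added example (not Ctelecoms' code), the following Python script shows how a help desk or mail gateway can automatically flag the kind of lookalike links described above: it compares the hostname of a link against a constructed allow-list of the organisation's legitimate hosts (an assumption, not taken from the page) and reports hosts that differ by only a letter or two, or that embed a legitimate hostname inside an unrelated domain.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the organisation's real hostnames (assumed for this example).
TRUSTED_HOSTS = ("vpn.example.com", "portal.example.com", "mail.example.com")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Extract the lowercase host from a link, tolerating links given without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def classify_link(url: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a link an employee was told to visit.

    'lookalike' covers two common tricks: a host within max_distance edits of a
    real one (examp1e, vpn-example) and a real host buried inside another domain
    (vpn.example.com.evil.net)."""
    host = hostname(url)
    if host in trusted:
        return "trusted"
    for good in trusted:
        if good in host:
            return "lookalike"
        if levenshtein(host, good) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind a vishing caller might read out over the phone.
    for link in ("https://vpn.example.com/login", "vpn.examp1e.com/login",
                 "https://vpn.example.com.evil.net/", "https://totally-different.org"):
        print(f"{link:45} -> {classify_link(link)}")
```

A result of "lookalike" or "unknown" is the cue for the employee to hang up and call the organisation back on its published number rather than follow the link.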
Your employees should also be suspicious of any unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. If something doesn't seem right, the best thing for an employee to do is to hang up, look up the organization's published phone number independently, and call that number directly.
While vishing attacks aren’t anything new, they’re becoming more sophisticated. Ctelecoms can help you educate your employees on how they can prevent phishing attacks before your data and sensitive information is stolen. Contact us today to see how we can help.