Vishing attacks (phishing via phone) have become a serious infosec threat impacting both public and private sectors across every vertical. Vishing techniques are increasingly sophisticated and can now more easily bypass many organizations’ prevention
tactics to exploit employees. Security teams must understand how the latest vishing methods target their organization, the risks involved, and how best to update their anti-phishing strategies.
This piece provides an overview of current vishing attack techniques and how they impact businesses to help identify attacks and build a comprehensive anti-phishing strategy.
How Vishing Targets Business
In the past, vishing focused on convincing consumers to divulge sensitive information, like banking account info, credit card numbers or passwords. As reported by the FBI, vishing attacks have aggressively targeted business since the shift to remote work—leaving
both remote and office employees at greater risk. To make matters worse, many security teams are not adequately prepared for a vishing attack and its resulting impact on the business.
Examples of Vishing Attacks Against Businesses
Research – Setup – Call – Attack
Vishing attacks usually begin with a call to an employee’s business or mobile number, and they often end by funneling the employee’s sensitive information directly to the attacker. However, much work goes on behind the scenes to execute
a successful “vish.”
Vishing attacks gained traction against businesses in early 2020, when a notorious vishing campaign targeted specific companies through fake VPN sites to gain internal VPN logins. Attackers created employee profiles with social engineering tactics and
posed as an IT employee using spoofed numbers. They advised victims to sign into the “new” VPN page, and once they did, hackers stole their credentials and used them to access the organizations’ networks.
This method together with a lack of in-person verification made VPN attacks very rewarding and instantly popular for attackers. A prime example was the Twitter account breach in mid-2020, which used social engineering and vishing focused on well-known
public figures and resulted in major bitcoin fraud. Similar techniques worked successfully on several different industries, and now vishing attackers work as groups, offering less-skilled attackers a range of specialized services, from intel
gathering to voice acting.
Vishing attackers are highly trained and organized, and use increasingly creative tactics to take advantage of vulnerable security protocols and trusting employees. Besides VPN campaigns, other traditional vishing techniques include:
- VoIP and caller ID spoofing: Creating fake numbers that appear to be local with caller ID to pose as IT staff and convince employees into giving up their passwords.
- War dialing: Using software to call specific groups, leaving urgent voicemails regarding a security issue and prompting the victim to call back.
- Stealing Information: Going through company trash to find sensitive documents and emails to help create convincing vishing conversations.
How Vishing Attacks Impact Business
Vishing can have a deep impact to an organization, beyond just stolen login credentials, passwords, account numbers and proprietary data. For example, it can lead to ransomware attacks when the visher sells the stolen credentials on the dark web. Vishing
also lays the groundwork for hackers to launch other secondary crimes including:
- Delivering malware and ransomware
- Data theft
- Cyber extortion
- Financial theft and fraud
- Malicious deletion and general disruption of a business for spite
Hackers can sometimes manage to gain unrestricted access to your entire network, placing all the organization’s data at risk.
READ: Understand the Differences Between Spear-Phishing and Phishing
Prevent Business Vishing Attacks
Vishing tends to fly under the radar. Fake VPN sites disappear after an attack and employees may not report suspicious phone calls. Vishing attacks focus on high-value business targets, such as call centers, IT administrators, accounts payable, sales,
HR, executive management and especially employees new to the company. An initial vishing prevention checklist includes:
- Update awareness programs with simulations to train employees to spot vishing
- Use technology to block unknown numbers and robocalls
- Add mobile apps to route calls to your company’s VoIP
- Adopt MFA on all services and accounts or use FIDO tokens
- Restrict VPN connections to company-managed devices only, and block all others
- Limit VPN access with time windows and geolocation rules
- Employ domain monitoring to help prevent domain spoofing
- Scan and monitor web applications for unauthorized access and suspicious activity
READ: How to Conduct Vishing Test Exercises
Prepare the Business for Vishing Attacks
Vishing attacks are so well organized and executed that security teams should work now to ensure employees are properly trained and have a security strategy in place. Awareness is your first and strongest defense against vishing. Training should include
strict security protocols about exchanging information, especially around IT VPNs, logins and financial accounts. Let employees know it’s OK to end suspicious calls and report the call as a vish. This helps IT security teams build effective
anti-vishing programs to stop vishing before it causes damage.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.