Here are five tips to educate everyone—especially remote workers—about phone calls aimed at phishing for contact information.
In July 2020, Twitter suffered an unprecedented attack where hackers gained access to dozens of Twitter’s most high-profile accounts, including Barack Obama, Joe Biden, Jeff Bezos, Elon Musk and others.
The attackers tweeted bitcoin requests that yielded more than US$100K in a few hours. It was later discovered that the attack was initiated by a ‘vishing’ attack that convinced Twitter employees to grant access to Twitter internal tools.
In August 2020, USA’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint advisory warning of a wave of vishing attacks targeting US private sector companies. According to the advisory, threat actors typically call employees working from home to collect login credentials for corporate networks, which they later monetize by selling the access to other groups.
This research from Check Point details how attackers use vishing to gain access to corporate systems, and describes tricks that vishers use to make their schemes more deceptive.
Key factors for a successful Vishing operation
The following three key factors help vishers improve their hit rate:
- Intelligence: they use existing employee names as a cover story tailored to the situation. This could be based on LinkedIn research, mapping of the organizational structure, or detecting key employees with outstanding access to resources, etc.
- Smooth operators: attackers eagerly recruit proficient speakers or skilled social engineering experts to make the calls. Based on the call transcriptions obtained, when the speaker is not an experienced attacker, a tailored script is written for each operation in advance, including various replies for multiple scenarios.
- Phone infrastructure: attackers could use land line or wireless (mobile) phone lines. They could also use Voice over IP, requiring a VoIP server. When using phone lines, it is assumed that the attackers change the phone number on a regular basis, to avoid being classified as a source of fraudulent calls. When using IP phones, attackers could use VoIP lines obtained illegally.
Protecting against Vishing scams
Unless you are absolutely certain that you know who you are really speaking with, never give out personal information over the phone, especially payment-related details. Also:
- If you are uncertain about the identity of the caller, ask for their number and call them back. While still on the phone, verify the authenticity of the person online if possible.
- Never agree to conduct wire transfers or virtual payments to callers you do not know
- Knowledge and education are key. The more alert you are to these types of scams, the less likely you are to fall victim to them.
- Hanging up on suspicious or unverified calls is never a rude or bad habit.
- Make it a point to report suspected calls or fraud attempts to your bank (or finance institution implicated) as soon as possible.
After investigating these vishing attacks, Check Point researchers believe vishing is making a comeback. Attackers are using vishing phone calls as part of a sophisticated attack chain to overcome security hurdles such as two-factor /multi-factor verification, and as a complementary phishing step to a broader deception scam.