Feds Warn of Vishing Threat

Friday, September 4, 2020

Some people say you should never waste a crisis. That certainly seems to be true for the COVID-19 pandemic, which has resulted in a shift to increased working from home.

The pandemic has made it easier for threat actors to take advantage of lax security practices and less in-person verification. In response to a new voice phishing campaign, commonly called “vishing,” the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a joint cybersecurity advisory.

Vishing usually involves threat actors collecting public information about people through a variety of sources, such as social media platforms, recruiter and marketing tools, and other publicly available services. Collected information about a person often includes name, address, phone numbers, employer, job position and duration of employment at a company.

Using publicly collected information, the actors then call targeted employees, sometimes using spoofed numbers of other offices and employees in the victim’s company to appear legitimate.

The attackers will use social engineering techniques, such as posing as help desk or IT personnel and using personal knowledge about the victim to gain trust.

The goal of this deception is to convince the victim to divulge sensitive information or to log in to a site (that might appear legitimate) with valid account credentials. When the victim accesses the site with their credentials, the attacker can then log that information and use it to gain access to other information or resources with the employee’s account or to fraudulently obtain funds.

So, what can you do?

One of the best defenses against this type of attack is multi-factor authentication with physical security keys.

This method of authentication requires a user to have a physical device, in addition to their username and password, to access a system. Multi-factor authentication, however, is not widely used, so organizations still need to:

  • Employ the principle of least privilege (i.e., allow only the amount of access needed for users and systems)
  • Restrict what can be installed on devices
  • Actively monitor for anomalous activities

Along with these technical controls, organizations need to continuously raise awareness among staff on how to spot and respond to social engineering attempts. They need to make security awareness and training an integral part of their operations and consider periodically sending test phishing messages to their employees to gauge their awareness levels in a safe environment.

The FBI and CISA suggest the following tips:

  • Verify that weblinks do not have misspellings or contain the wrong domain.
  • Bookmark the correct work/business URLs and do not visit alternative URLs on the sole basis of an inbound phone call.
  • Be suspicious of unsolicited phone calls, visits or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the organization.
  • If you receive a vishing call, document the caller’s phone number as well as the website the caller tried to send you to, and report it using your organization’s procedures.
  • Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
  • Evaluate security and privacy settings for all social networking accounts. Sites change their options periodically. Review them regularly to make sure your choices are still appropriate.
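The first two tips can be turned into a quick check that an organization can put in a browser extension or help-desk tool. The Python below is an added example, not code from the advisory or this article: it compares a link’s hostname against a constructed allowlist of an organization’s bookmarked domains (placeholder names) and flags hosts that match a trusted name only after folding confusable characters, embed a trusted name inside a longer host, or sit within two edits of one.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the bookmarked work/business domains
# an organization actually uses (placeholder names, not real sites).
TRUSTED_DOMAINS = {"example.com", "mail.example.com", "hr-portal.example.com"}

# Characters commonly swapped for look-alikes in typosquatted hostnames.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def link_host(url: str) -> str:
    """Return the lowercase hostname of a link, ignoring any user@ prefix and port."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def normalize(host: str) -> str:
    """Fold confusable characters and letter pairs that mimic another letter (rn -> m, vv -> w)."""
    return host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=frozenset(TRUSTED_DOMAINS)) -> str:
    """Classify a link as 'trusted', 'lookalike' or 'unknown' relative to the allowlist."""
    host = link_host(url)
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"
    for t in trusted:
        # Same name after folding confusables, a trusted name buried inside a
        # longer host, or a host within two edits of a trusted one: treat as suspect.
        if normalize(host) == normalize(t) or t in host or levenshtein(host, t) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("https://hr-portal.example.com/login", "https://examp1e.com/login",
                 "http://example.com@evil-site.invalid/sso", "https://exarnple.com"):
        print(f"{link:45} -> {classify_link(link)}")
```

A "lookalike" or "unknown" result is a prompt to stop and verify through a bookmarked URL or a known-good phone number, not proof of fraud on its own.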

For more information on how to stay safe on social networking sites and to avoid social engineering and phishing attacks, visit the CISA Security Tips below: