What You Need To Know About Voice-Based Phishing

Telework has become imperative for businesses to maintain themselves right now, as remote work became a hard and fast requirement in the face of the coronavirus. Nevertheless, if businesses aren’t careful, they could trade one problem for another in exposing themselves to security threats.

Let’s discuss one threat that many are facing: voice-based phishing, or vishing.

Federal Agencies Have Sounded the Alarm

Both the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have called attention to this type of phishing. By calling a targeted victim, rather than sending an email or another kind of correspondence, an attacker can potentially pull the wool over their target’s eyes by using a less-expected attack strategy.

Those who are working from home are being targeted by a vishing campaign intended to acquire the access credentials needed to get into corporate networks. Once these credentials are obtained, the cybercriminals responsible can turn around and sell this access to others for their malicious use.

How These Attacks Are Presenting Themselves

By registering lookalike domains to pose as a company’s actual resources, cybercriminals set themselves up to steal company credentials. These domains can be very convincing, often structured in the following ways:

• support-[company]
• ticket [company]
• employee-[company]
• [company]-support

As these pages replicate a company’s login page to their virtual private network, unwitting users are more likely to enter their credentials. This means that the attacker is then able to capture these credentials—including multi-factor authentication codes—and use them to gain access to the targeted business’ network.

Once these facsimile pages are completed, criminals then dig into a company to learn more about their workers. A profile is created, with the name, address, phone number, job title, and even length of employment for each employee included. Using this data, a hacker can call their target through a spoofed number and send them to their fraudulent VPN webpage.

This gives the hacker the means to access an employee’s work account, allowing them to collect more data for further phishing efforts or other data theft efforts. These attacks are now being directed to the team members that are currently working from home, making it even more important for your employees to be able to recognize the signs of phishing.

How to Identify Phishing Scams of All Kinds

• Exercise caution when dealing with unsolicited calls, voicemails, and any other messages from those you don’t know. If you can, double-check that the person is who they claim to be through another means of communication.
• Double-check the number of a suspected vishing caller, as well as any Internet domains you may be told to navigate to.
• Avoid visiting any websites that a caller recommends without good reason to trust their legitimacy.

Macro Systems is here to help you with an assortment of your business’ IT needs and concerns, including your cybersecurity. Give us a call at 703-359-9211 to learn about the services and solutions we can put in place on your behalf.