September 28, 2020

Are You a Target of Vishing Scams? Find Out and Protect Yourself.

By Matt Grimes, Penetration Tester, Marcum Technology


With the uptick in working-from-home due to COVID-19, malicious actors have seized the opportunity to exploit the rapid shift and target employees working off-premise and, in many cases, off the corporate network. This has led the Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA) and other authorities to release alerts regarding the prevalence of vishing attacks, using the phone as an attack vector to collect sensitive information and install malicious software.

Vishing, a combination of the words “voice” and “phishing,” is a less-anticipated and less-publicized form of social engineering. Social engineering covers the cons, scams, and other manipulations designed to coerce a target into performing actions they would not normally undertake, such as downloading malicious software, giving up sensitive information, or inappropriately transferring money.

According to the Joint Cybersecurity Advisory A20-233A, the FBI and CISA warn that recent attacks involved malicious actors calling employees on their personal devices and impersonating the employer’s IT help desk. In many cases the information needed to make these calls convincing (names, roles, phone numbers) was collected from social media platforms and other publicly available sources. The employee/victim is then directed to a fraudulent URL controlled by the attacker that contains the name of the employer (e.g., www.[employername]-itsupport.com) and mimics the real VPN or login page. The attacker then prompts the victim to take action, such as entering credentials, supplying any two-factor authentication code (which the attacker uses in real time on the genuine login page), or downloading malicious software, in order to compromise the organization’s network.
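The fraudulent-domain pattern described above is something a defender can watch for in proxy and DNS logs or in newly-registered-domain feeds. The following is an added example written for this article, not code from the advisory or from Marcum Technology; it assumes a hypothetical employer named “acme” whose only legitimate registrable domain is acme.com, and it runs over a constructed list of hostnames rather than real log data. It flags two shapes of lookalike: the employer’s real domain embedded inside someone else’s host (acme.com.evil-example.net), and the employer name combined with a help-desk style word in a domain the employer does not own (acme-itsupport.com).

```python
"""Flag lookalike "IT support" domains of the kind used in vishing campaigns.

Added example. Employer name, legitimate domain and sample hosts are all
hypothetical / constructed for illustration.
"""
from urllib.parse import urlsplit

# Hypothetical employer name and the registrable domains it actually owns.
EMPLOYER = "acme"
LEGIT_DOMAINS = {"acme.com"}

# Pretext words attackers pair with the employer name in fraudulent hosts.
PRETEXT_WORDS = (
    "itsupport", "it-support", "helpdesk", "help-desk", "support",
    "vpn", "sso", "login", "portal", "remote",
)

# Constructed sample of hosts as they might appear in a proxy/DNS log.
SAMPLE_HOSTS = [
    "vpn.acme.com",
    "acme-itsupport.com",
    "https://acme.com.evil-example.net/sso",
    "acmehelpdesk.net",
    "example.org",
]


def host_from(url_or_host: str) -> str:
    """Extract the hostname from either a bare host or a full URL."""
    s = url_or_host.strip()
    if "://" not in s:
        s = "http://" + s  # let urlsplit parse a bare host consistently
    return (urlsplit(s).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Crude registrable domain: the last two labels.

    Good enough for .com/.net/.org style TLDs; it does NOT handle multi-part
    public suffixes such as .co.uk (use a public-suffix library for that).
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url_or_host: str) -> str:
    """Return "legit", "lookalike" or "unrelated" for a host or URL."""
    host = host_from(url_or_host)
    if not host:
        return "unrelated"
    reg = registrable_domain(host)

    # Any subdomain of a domain the employer owns is genuine (vpn.acme.com).
    if reg in LEGIT_DOMAINS:
        return "legit"

    # Rule 1: the employer's real domain embedded in a host it does not own,
    # e.g. acme.com.evil-example.net or acme.com-login.net.
    if any(legit in host for legit in LEGIT_DOMAINS):
        return "lookalike"

    # Rule 2: employer name plus a help-desk style word in a foreign domain,
    # e.g. acme-itsupport.com or acmehelpdesk.net.
    if EMPLOYER in host and any(word in host for word in PRETEXT_WORDS):
        return "lookalike"

    return "unrelated"


def flag_lookalikes(hosts):
    """Return the subset of hosts classified as lookalikes, in input order."""
    return [h for h in hosts if classify(h) == "lookalike"]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(f"{classify(h):10} {h}")
```

Substring matching on the employer name is deliberately loose, so expect some false positives on unrelated words that happen to contain it; the point is to surface candidates for review, and to block or sinkhole only those confirmed as fraudulent. Pair this with the advisory’s guidance that employees bookmark the genuine VPN gateway URL rather than follow links given over the phone.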

Targets for vishing campaigns include organizational funds, employee credentials, and IT assets, resources, or data. Attackers succeed by using carefully crafted and rehearsed pretexts that prey on a combination of human emotions and trust factors (urgency, deference to authority, the desire to be helpful) in order to stay below the target’s “suspicion radar.” Knowing that many employees are at home contending with the new complexities of working remotely, dealing with technical support issues, and more frequently taking calls on mobile devices, attackers have an entirely new set of conditions to leverage for nefarious purposes.

Basic steps that can be taken to improve the security posture of a remote workforce, reduce the risk of a human error, and mitigate the impact should an incident occur include the following:

  1. Utilize VPNs and ensure employees use and bookmark correct VPN gateway URLs to prevent being tricked by fraudulent URLs.
  2. Ensure accuracy and completeness of IT security and remote access policies.
  3. Employ regular security awareness training for all personnel to create a robust security culture that aligns with the organizational mission.
  4. Consider training and policy in regards to social media usage to bolster operational security.
  5. Implement endpoint security protection on computing assets.
  6. Assess BYOD / employee device access to key resources.
  7. Inventory use of cloud / software as a service solutions and data risk.
  8. Develop an incident response plan and identify an incident response / data forensic partner.
  9. Monitor for weak or stolen credentials in use.
  10. Implement single sign-on and multi-factor authentication solutions, and provide guidance on how to use the solutions to reduce confusion. Keep in mind that a one-time code typed into an attacker’s page can be relayed to the real login in real time, so prefer phishing-resistant methods such as FIDO2 hardware security keys where possible.

These actions, individually or collectively, will enable and empower personnel to operate confidently in the context of today’s current threat landscape. Cybercriminals, nation-state actors and other nefarious organizations work around the clock, are well organized, and employ a myriad of tactics, techniques and procedures (TTPs) to exploit targets for monetary gain. Organizations should ensure their people are equipped to recognize when they are being targeted.

Defending against these types of attacks can be difficult, as the latest security technologies can often be circumvented by human error. It is often said that the human element is the weakest link in organizational security, but with exercise and regular training, the weakest link can become its strongest.

Marcum Technology provides full-service cybersecurity consulting, including emulating the latest attack scenarios as seen in the wild, and providing training to better equip organizational personnel to recognize and counter threats. For more information on these scams and the latest in cyber news, visit the CISA.gov website, or feel free to reach out to Marcum Technology’s experts to discuss how to better protect yourself, your employees, and your organization.

To learn more about Marcum Technology cybersecurity consulting services or any of our other technology consulting solutions, contact us at 800.331.6546 or by email at [email protected].

Coronavirus Resource Center

Have more questions about the impact of the coronavirus on your business? Visit Marcum’s Coronavirus Resource Center for up-to-date information.