Shock Increase in Phishing Threats via Smartphone
As American companies shifted to a work-from-home model in 2020, cyber-criminals shifted their methods to target companies through their remote workers. That is according to a joint advisory issued by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) in August 2020. While ordinary phishing attacks remain extremely common, the FBI says that cyber-criminals are increasingly turning to more targeted “vishing” attacks.
What is Vishing?
Vishing is “voice phishing”: the attack starts with a phone call or text message rather than an email, usually to the intended victim’s smartphone number. Scammers call or text work-from-home employees, and the call or message appears to come from the company they work for.
“It’s easy for them to spoof caller ID,” says Luis Alvarez, CEO of Alvarez Technology Group. “There’s a lot of legitimate services out there for that, so they’re using those for illegitimate purposes.”
Alvarez notes that “vishing” cyber-criminals “capture employee information and then try to get those employees to do something like give them credentials or give them access.”
The FBI/CISA Warning
The FBI and CISA warn that vishing scammers first register a domain and set up a spoofed website that looks like the company’s own login page. The spoofed domain often combines the company name with a hyphen, or with words like “employee,” “help-ticket,” or “support,” so that it reads as an internal support or help-desk site. The caller then directs the employee to that site. If an unsuspecting employee enters their login credentials there, the crooks capture them and can use them to access the company’s systems as that employee.
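The naming pattern above (company name plus a hyphen or a word like “employee,” “help-ticket,” or “support”) is something a security team can look for in its own proxy or DNS logs. The following is an added example, not code from the article or from the FBI/CISA advisory: a small Python checker that flags look-alike domains against a hypothetical company name and allow-list, run over a few constructed proxy log lines. The company name, legitimate domains, log format, and the list of lure words beyond those the article names are all assumptions.

```python
"""
Flag look-alike domains of the kind described in the FBI/CISA vishing advisory:
a domain that combines the company name with a hyphen and/or words such as
"employee", "ticket" or "support" (e.g. examplecorp-support.com), or that
hides the company name in a subdomain of an unrelated domain.

Assumptions (illustrative, not from the article): the company is "examplecorp",
its legitimate domains are listed in LEGIT_DOMAINS, and the proxy log is a
simple "timestamp user url" text format. The log lines below are constructed.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

COMPANY = "examplecorp"                                       # hypothetical company name
LEGIT_DOMAINS = {"examplecorp.com"}                           # hypothetical allow-list
# "employee", "help-ticket" and "support" come from the article; the rest are
# assumed additions a practitioner would typically include.
LURE_WORDS = {"employee", "help", "ticket", "support", "helpdesk", "vpn", "sso", "login"}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: keep the last two labels (good enough for .com-style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_legit(host: str) -> bool:
    """True if host is one of our domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def lookalike_reason(host: str, company: str = COMPANY) -> Optional[str]:
    """Return why `host` looks like a vishing lure, or None if it is not suspicious."""
    host = host.lower()
    if is_legit(host) or company not in host:
        return None
    reg = registrable_domain(host)
    label = reg.split(".")[0]          # the part the attacker actually registered
    if company not in label:
        # e.g. examplecorp.evil-host.net: company name used as a subdomain
        return f"company name used as a subdomain of {reg}"
    if "-" in label:
        lure = sorted(w for w in label.split("-") if w != company and w in LURE_WORDS)
        if lure:
            return f"company name combined with lure word(s) {lure} in {reg}"
        return f"company name with hyphen in unrecognised domain {reg}"
    return f"company name in unrecognised domain {reg}"


# Constructed sample proxy log: "timestamp user url"
LOG_LINES = """\
2020-08-21T09:14:02Z jdoe https://vpn.examplecorp.com/login
2020-08-21T09:15:40Z jdoe https://examplecorp-support.com/employee/login
2020-08-21T09:16:11Z asmith https://help-ticket-examplecorp.com/
2020-08-21T09:17:55Z asmith https://www.example.org/
2020-08-21T09:18:03Z bjones https://examplecorp.evil-host.net/sso
""".splitlines()


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, host, reason) for every log line whose host looks like a lure."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue                    # skip malformed lines rather than crash
        _ts, user, url = parts
        host = urlsplit(url).hostname
        if not host:
            continue
        reason = lookalike_reason(host)
        if reason:
            hits.append((user, host, reason))
    return hits


if __name__ == "__main__":
    for user, host, reason in scan_log(LOG_LINES):
        print(f"{user}: {host}: {reason}")
```

The allow-list check runs first, so legitimate subdomains such as vpn.examplecorp.com are never flagged; anything else that contains the company name is reported, with the hyphen-plus-lure-word case called out separately because it matches the pattern the advisory describes most closely.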
Protecting against Vishing Attacks
Alvarez says that employee awareness is the first step in stopping vishing attacks in their tracks. “Just because you get a phone call that says, ‘Hey, this is coming from my office,’ if it sounds suspicious, hang up and call in yourself to make sure it’s legit.”
The FBI/CISA warning adds that companies can take additional measures such as restricting VPN access to managed devices only, and restricting VPN access to certain hours. Companies are also encouraged to establish a formal authentication process for employee-to-employee calls, especially in companies with large numbers of employees who do not know each other and so cannot recognise a colleague’s voice.
The FBI adds that if an employee receives a vishing call, they should note the caller’s phone number and the domain they were directed to, so that information can be relayed to law enforcement.