In the News
Phishing scam uses voice calls to ‘trick’ enterprise employees
Feb 1, 2021 Human Resources Director
Calling up your colleagues directly has long been one of the most trusted methods of verifying a transaction request at work. If an email from a co-worker asking for sensitive data seems suspicious, the recipient should first double-check with the sender and seek clearance from senior team members by phone before even considering any request.
However, as investigators recently found, criminals are banding together and devising clever ways to manipulate even this tried-and-tested process. Hackers would allegedly call up employees directly in an attempt to mimic their colleagues and, from there, steal corporate or personal data by making the request appear legitimate. This social engineering attack is called voice phishing or “vishing”.
Last month, the US Federal Bureau of Investigation issued an advisory to employers worldwide about the latest tactic that evolved from email phishing attacks. Phishing scams typically lure recipients into clicking a malicious link, downloading a malicious file, or entering login credentials into a fake portal for criminals to capture the data and gain access to the employer’s network.
Vishing, on the other hand, doesn’t just rely on emails or text messages. Criminals have been going the extra mile by impersonating real employees during an actual voice call.
“During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password,” the FBI said.
After using the stolen credentials to break into the network, the attackers allegedly discovered they could further adjust the security privileges of other accounts. This gave them deeper access into the system and a greater chance of dealing “significant financial damage” on the company, the FBI said.
In another incident, hackers targeted a specific employee through the company’s VoIP/chat service and convinced the employee to enter their login details into a fake private network set up by the criminals. This led to a string of attacks against employees with “higher privileges,” the FBI said.
“The cyber criminals were looking for employees who could perform username and email changes and found an employee through a cloud-based payroll service. The cyber criminals used a chatroom messaging service to contact and phish this employee’s login credentials,” investigators reported.
How can employers prevent vishing attacks? The FBI recommends the following methods: