Phishing scam uses voice calls to ‘trick’ enterprise employees
Feb 1, 2021 • Human Resources Director
Your employees could fall prey to this social engineering attack on the rise
Calling up your colleagues directly has long been one of the most trusted methods of verifying a transaction request at work. If an email from a co-worker asking for sensitive data seems suspicious, the recipient should first double-check with the sender and seek clearance from senior team members by phone before even considering any request.
However, as investigators recently found, criminals are banding together and devising clever ways to manipulate even this tried-and-tested process. Hackers would allegedly call up employees directly in an attempt to mimic their colleagues and, from there, steal corporate or personal data by making the request appear legitimate. This social engineering attack is called voice phishing or “vishing”.
Last month, the US Federal Bureau of Investigation issued an advisory to employers worldwide about the latest tactic that evolved from email phishing attacks. Phishing scams typically lure recipients into clicking a malicious link, downloading a malicious file, or entering login credentials into a fake portal for criminals to capture the data and gain access to the employer’s network.
Vishing, on the other hand, doesn’t just rely on emails or text messages. Criminals have been going the extra mile by impersonating real employees during an actual voice call.
“During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password,” the FBI said.
After using the stolen credentials to break into the network, the attackers allegedly discovered they could further adjust the security privileges of other accounts. This gave them deeper access into the system and a greater chance of causing “significant financial damage” to the company, the FBI said.
In another incident, hackers targeted a specific employee through the company’s VoIP/chat service and convinced the employee to enter their login details into a fake private network set up by the criminals. This led to a string of attacks against employees with “higher privileges,” the FBI said.
“The cyber criminals were looking for employees who could perform username and email changes and found an employee through a cloud-based payroll service. The cyber criminals used a chatroom messaging service to contact and phish this employee’s login credentials,” investigators reported.
How can employers prevent vishing attacks? The FBI recommends the following methods:
- Use multi-factor authentication (MFA), which requires additional access codes or even biometric scans before granting access to the company’s computer system
- Give new employees restricted access and establish a tiered privilege system based on an employee’s role, i.e. the scope and sensitivity of data required for their tasks
- Conduct a regular check of which employees have access to which data
- Actively scan the network to detect possible breaches
- Segment one large network into multiple smaller networks to monitor data flow better
- Provide administrators with two accounts: one with admin privileges for modifying the system and another for sending emails, deploying updates and generating reports