Vishing At The Ritz: There’s A New Type Of Cybercrime In Town
Oct 1, 2020 • Forbes
There’s another clever fraud tactic to add to your library of security threats. Imagine a call or voice message that appears to come from a trusted source but is really a disguised attempt to compromise your identity, credentials or financial information. More of a social engineering scheme than a vulnerability, “vishing” is a highly effective and targeted form of phishing that uses voice as a means to lure victims into disclosing private information.
A recent data breach at the Ritz in London that evolved into vishing attacks on hotel guests demonstrates how conniving cybercriminals have become in this social engineering scam. The prominence of the Ritz attack, among other high-profile events, indicates that the phishing attack landscape has grown as remote working has taken hold of company environments. At $3000 a night, the Ritz customers fit a certain socio-economic profile; hence, the voice messages were highly targeted and well-choreographed. The attackers went after business clientele for credit card details and information, impersonating the Ritz. According to Digital Trends, one target was convinced by the ruse because the incoming phone number was spoofed to appear as the hotel’s actual number.
Hotels are a perfect target for cyberattacks. Not only are there many vulnerabilities that come with managing hundreds of new customers each day, but hotels have access to a massive amount of customer personal data. In the Ritz case, the vishing attack was so effective because they don’t train customers about what calls to expect regarding their patronage in their normal course of business.
Beyond Email: The Hacker Game Has Changed
Users have gotten reasonably good at spotting scam emails, and popular email systems help detect these efforts’ email items. However, email is not the only game in town. Scammers now exploit social media networks, online file-sharing systems, messaging platforms and applications and phone systems. Compared to email, these channels of opportunity are highly personalized and focused on sharing.
Scammers also leverage sophisticated and ready-to-launch phishing kits, including social, voice, email and enterprise channels. With a bit of time and dedication, an attacker can choose the target(s) of choice, mimicking login portals, official company pages and web pages. The threat condition here is now a scaled, repeatable and convincing operation. Armed with any available ill-gotten or publicly sourced data, the results can be disastrous.
Vishing Exploits Trust
You might recognize the low-level, even common criminal vishing attacks that consist of phony tech support staff, purporting to be from Microsoft or Apple. In other well-known case types, scammers impersonate the Internal Revenue Service (IRS) or the local utility company under the threat of disconnection, severe penalties and, in some cases, jail. Although the label of vishing may be relatively new for most individuals, the tactic is familiar.
At an estimated yearly global loss approaching $50 billion, vishing and the sort of fraud that scammers leverage against the unsuspecting public is unacceptable. When launched against a company, the impact could be devastating in compromising:
- Data integrity
- Privileged and competitive data
- Financial payments
- Account integrity
Riding on the coattails of the first attacks, vishing hackers mount a nefarious second wave perfectly timed to hit victims where it already hurts.
Motivation and Human Opportunity
Phishing, vishing and various other forms of cyberattack continue to be driven by financial motivations. Data is valuable, trust is valuable and a converted target can pay dividends. To those ends, cybercriminals have developed increasingly sophisticated attacks, exploiting vulnerabilities and loopholes in technology, validations even flaws in how html language is exchanged.
Cybercrime threats are here to stay, and the situation appears to be getting worse as we let our guards down due to distractions related to the pandemic. The bottom line is that humans are vulnerable and gullible, and these attacks continue to work.
The Pandemic Effects
As many industries and workers took a hit during the pandemic, cyber threat actors thrived many opportunities following the shift to remote work. The lines between work and home are now blurred in many cases, wherein in some circumstances, corporate devices became personal tools and vice-versa.
Corporate applications now run on home networks. Video and dial-in conferencing are everywhere. A precarious security gap exists between what a company expects is happening in a data stream versus what is actually happening. Video games, shopping, streaming and mobile banking are all attack vectors and opportunities for cybercrime. These circumstances highlight the immediate need for heightened corporate cybersecurity and data protection practices, especially as opportunities to breach across audiences increases.