Why “Vishing” is the Bad Word of the Week

This new wrinkle in cybercrime can create a target for your enterprise. Follow these six tips to avoid falling victim.

As if these times weren’t sufficiently challenging without creative criminals, it’s time for the introduction of a new bad word (and cybercrime) called vishing. Late last week, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued an advisory to address a new wrinkle in cybercrime—that of vishing—a problem that has been exacerbated by the large number of people who are working remotely in the COVID-19 environment.

Entitled “Cyber Criminals Take Advantage of Increased Telework through Vishing Campaign,” the advisory was issued to warn enterprises of the increased presence of voice phishing, or vishing, activities. These have increased significantly as ever-larger numbers of employees have been working from remote locations. Specifically, vishing is defined as “any message—such as an email, text, phone call, or direct-chat message—that appears to be from a trusted source, but isn’t,” according to the Norton definition.

The goal of the sophisticated cybercriminals behind this relatively new twist is to get access to enterprise-sensitive information and then sell that access. With just enough knowledge gained from what the advisory calls “mass scraping of public profiles on social media platforms” to identify potential soft targets, these cyber crooks get to work.

As is well known in the security world, employees are often the most vulnerable, and most valuable, target for those who wish to perpetrate fraud against a single enterprise, let alone a giant one. For those on a “vishing expedition,” they are the definition of a prime catch.

Prior to contacting enterprise insiders, cybercriminals have created fake profiles and spoofed numbers, so that when these masqueraders reach out and touch unsuspecting employees, those initiating the call look legit, at least to any reasonable employee or contractor. When a call from Ms. X from the enterprise security office comes in (often over a VoIP-based configuration where a number can be spoofed without great hardship), it’s normally answered. Once the bad guy, masquerading as the good guy, reaches the target recipient, he or she poses carefully scripted questions to the call recipient. As a result, once the caller seems legit, otherwise unsuspecting employees have disclosed seemingly appropriate—but sensitive—information to the bad guys (the keywords here are “seem” and “seemingly”).

Employees and authorized contractors—particularly those new to the enterprise—are often directly targeted because they have less knowledge about the organization, its inner workings and security practices, and are thus more likely to fall for what seems real. Currently, since many of these employees are working remotely, there is a greater risk that additional security protocols that exist in the actual workplace do not exist at home. 

In a particularly brazen (and slimy IMHO) move, according to a recent article from former Washington Post reporter and security expert Brian Krebs (see Krebs on Security), a subgroup of “vishermen” is offering to go one step beyond. That is, this group is marketing a service that offers to take information obtained from one-on-one phone calls and combine it with knowledge culled from highly sophisticated phishing sites to actually “steal VPN credentials from employees.” Further, it can pay bounties for such information, and has been used by enterprises—including some very large and well-known entities—to obtain valuable information from competitors’ employees. Thus far, the industries targeted have been financial, telecommunications and social media companies, but like a contagious illness, this technique is likely to spread. 

With these risks heightened by the pandemic, enterprises are well-advised to make sure that employees, contractors, and guests understand in-house security policies, particularly concerning seemingly random contact from the outside. Additionally, many enterprises have taken the step of periodically sending out test phishing or vishing messages to employees to check their compliance and readiness to respond or not as appropriate. 

Also, the FBI/CISA Cybersecurity Advisory issued jointly last week includes a number of recommendations for end users; consider the following six tips in this environment:

  1. Verify that web links do not have misspellings or contain the wrong domain name.
  2. Bookmark the correct corporate VPN URL and avoid alternative URLs simply because a caller who sounds legit suggests one.
  3. Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from what appears to be a legitimate organization. Do not provide personal or enterprise information, including details of its structure or networks, unless you can be sure the caller is authorized to have it. If you’re unsure, verify the caller’s information with the company itself.
  4. If you receive a vishing call, document the phone number as well as the domain the caller tried to direct you to, and relay this information to law enforcement ASAP.
  5. Limit the amount of personal information posted on social networking sites. How many times have you seen this warning?
  6. Evaluate security and privacy settings to make sure that the choices in place remain appropriate.
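The first two tips (check links for misspellings or the wrong domain, and follow only the bookmarked VPN URL) can be turned into a mechanical check that a help desk or an end user can run against any link a caller suggests. The Python below is an added example, not code from the FBI/CISA advisory or from this article. The corporate VPN URL `vpn.example-corp.com` and the sample links are constructed placeholders, and the registrable-domain helper is a deliberate simplification: it treats the last two labels of a hostname as the domain and ignores multi-label public suffixes such as `co.uk`.

```python
"""Triage a suggested link against the bookmarked corporate VPN URL.

Added example (not from the advisory or the article). CORPORATE_VPN_URL and
the sample links below are constructed; a real deployment would take the
bookmarked URL from enterprise policy.
"""
from urllib.parse import urlsplit

# Constructed: the URL the enterprise tells staff to bookmark (tip 2).
CORPORATE_VPN_URL = "https://vpn.example-corp.com/"


def _host(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def _registrable(host: str) -> str:
    """Last two labels, e.g. 'vpn.example-corp.com' -> 'example-corp.com'.

    Simplification (assumption): ignores multi-label public suffixes.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, expected: str = CORPORATE_VPN_URL) -> str:
    """Return one of 'ok', 'insecure', 'lookalike', 'other'.

    ok        same host as the bookmark over https: safe to use
    insecure  the right host but not https: use the bookmark instead
    lookalike host differs from the corporate domain by a small edit, or
              embeds the corporate domain under another domain (tip 1)
    other     unrelated host, a non-bookmark host in the corporate domain,
              or not a URL at all: use the bookmark (tip 2)
    Only 'ok' should ever be followed.
    """
    scheme = urlsplit(url).scheme.lower()
    host = _host(url)
    good_host = _host(expected)
    good_domain = _registrable(good_host)

    if host == good_host:
        return "ok" if scheme == "https" else "insecure"
    if not host:
        return "other"

    domain = _registrable(host)
    if domain == good_domain:
        # Right domain, but not the bookmarked host.
        return "other"
    # e.g. example-corp.com.evil.net  (corporate domain embedded as a label)
    #      examp1e-corp.com / example-corp.co  (one-character misspellings)
    if good_domain in host or _edit_distance(domain, good_domain) <= 2:
        return "lookalike"
    return "other"


def review_links(urls):
    """Classify each link; returns a list of (url, verdict) pairs."""
    return [(u, classify_link(u)) for u in urls]


if __name__ == "__main__":
    # Constructed sample links a caller might read out over the phone.
    samples = [
        "https://vpn.example-corp.com/",
        "http://vpn.example-corp.com/",
        "https://vpn.examp1e-corp.com/",
        "https://vpn.example-corp.com.evil.net/login",
        "https://sso.example-corp.com/",
        "https://www.unrelated-site.net/",
    ]
    for url, verdict in review_links(samples):
        print(f"{verdict:9s} {url}")
```

The verdict vocabulary is intentionally small so the rule for the person on the phone is simple: anything other than `ok` means hang up and open the bookmark. The edit-distance threshold of 2 is an assumption; tune it to the length of your own domain, since a very short domain will produce false positives at that setting.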

As always, the best advice is to be ever-vigilant about privacy and in-house data security issues. The bad guys are coming at it from all angles, and the best defense, in this case, is good planning and ongoing monitoring. For additional tips and suggestions on avoiding social engineering and phishing attacks, see this related article, “Avoiding Social Engineering and Phishing Attacks.”

September 16, 2019

As No Jitter contributor Joyce Osenbaugh noted earlier this year, telecom fraud is on the rise. The Communications Fraud Control Association (CFCA)’s annual survey of telecom fraud noted 2018 losses amounted to around $28 billion. While that’s down a bit over the last few years, bad actors can still attack enterprise phone systems by fraudulent means…

February 7, 2019

Phone number spoofing is a known problem, one that has been around for years and addressable via solutions from companies such as Pindrop that help determine the probability that the caller’s number is legitimate. Through white and black lists of phone numbers, testing network delay, and other audio heuristics, the confidence rates are in the high 90s. For instance, if a call comes in from a U.S. area code, but the network delay is longer than 100 milliseconds, then odds are high that the caller is really overseas.

This technology is beneficial in contact centers. Enterprise call centers deploy this technology to reduce the number of security questions they must ask, in turn reducing the average call handle time and providing a better caller experience.

A newer problem, thanks to artificial intelligence (AI) in the speech world, is voice spoofing…

February 6, 2019

A week and a half ago, my 92-year-old father received a call from his eldest granddaughter. “Hi Grandpa, how are you feeling?” she asked. He responded that he was doing well, and that his most recent doctor appointments had gone as expected. “Was there any new news after your last hospitalization?” she went on to inquire. “No, it is the same situation, but look, I am 92 years old, so these things are to be expected. How are you doing?” Then the conversation shifted.

She shared that she had been arrested for speeding, and that while the police were willing to release her, she needed money to pay the ticket before they would do so. “I’m really in trouble, Grandpa. Can you help me out? I need $750 sent right away.” Having been well prepped in telephone security and scams by his daughter (me!), he then asked “Kelly, what authorities pulled you over?” She shared that she was in Iowa and that a local constabulary had her in their offices. He immediately hung up. He has no granddaughter named Kelly.

September 26, 2018

As you’re driving into work, you witness a horrific crash in the lane next to you. Quickly, you grab your cell phone and dial 911. Expecting to hear the 911 call center, you’re confused by the busy signal you receive instead. Assuming you misdialed, you quickly press end, and redial. Again, a busy signal. And suddenly you are paralyzed, not certain what to do or how to get the help you need…

April 9, 2018

Enterprise Connect 2018 is officially behind us, a week jam-packed with product news delivered from a host of the 190+ exhibitors on the show floor.

While some of the industry’s heavy hitters shared their messages from the main stage (like Microsoft’s updates to its Teams ecosystem and 8×8’s blended UC and contact center offering), plenty of other announcements warrant attention, too. Because, as EC18 GM Eric Krapf wrote on No Jitter last week, “there’s not much in our industry today that can’t be considered a hot technology.” With that in mind, here’s a roundup of some of the news coming out of EC18…

June 16, 2017

VoIP users have access to the caller ID field, and it can be set to whatever they want. This is a key advantage to those perpetrating fraud since they don’t need many technical skills to make this work. Fraud perpetrators have developed software to reset PINs and access accounts and IVR systems. This is called call center fraud.

Call center fraud has increased 113% from 2015 to 2016, according to the “Pindrop 2017 Call Centre Fraud Report.” This report prompted me to contact Pindrop’s David Dewey, Director of Research, who replied to a series of questions…

March 2, 2017

Enterprises must work hand in hand with UCaaS providers to ensure strong end-to-end security of communications delivered from the cloud.

It’s no secret that companies continue to move their enterprise communications — including phone and collaborative messaging applications — to the cloud at a rapid clip…

November 11, 2016

In a denial-of-service (DoS) attack, the goal is to make a resource unavailable to its intended users, usually in a temporary interruption or suspension of services. DoS attacks are well known in data systems and networks, but can also happen to a telecom system or network.