Suppose cybercriminals want to gain access to your data. In that case, they’ll find a way, which is why it’s so critical for you to remain vigilant, especially during the COVID-19 pandemic. They’re dedicated and ruthless, and their methods are becoming more sophisticated by the day. While federal agencies have been warning businesses for many years about all different types of scams, one cyberattack campaign has recently caught federal authorities’ attention.
As people turned to remote work during the COVID-19 pandemic, cybercriminals took advantage immediately. For example, phishing attacks increased by 30 percent, according to a Google report published in March 2020. And the bad news for us all is that malicious actors aren’t done with their deploying attacks on unsuspected targets.
Most people have probably heard of phishing but not vishing. The latter is a type of the former. With vishing, scammers use the phone to “phish” for account numbers, passwords, or financial details, which scammers would then use for financial gain.
When working remotely, many employees use virtual private networks (VPNs) to access corporate networks. While a VPN is supposed to add a layer of security to a company’s network, it also allows cybercriminals to get creative.
For example, one vishing campaign has recently caught the attention of the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA). “The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate VPN and elimination of in-person verification, which can partially explain the success of this campaign,” according to an alert issued by both agencies in August 2020. In this particular scam, a cybercriminal obtains account credentials by doing a little research, coding a page or two, and posing as a technician from a company’s IT help desk.
How the scheme works is relatively simple. Posing as an IT help desk technician, the scammer uses an unattributed voice over internet protocol (VoIP) number to contact a company’s employee (the target) about a new VPN link. Having done some research on the target ahead of time (by compiling publicly available information, including social media accounts, background check services, etc.), the malicious actor convinces the employee on the other end of the line to visit a new VPN page (one that’s a fake). Not knowing the scammer has duplicated the page, the employee then inputs login credentials and more.
And, just like that, the cybercriminal gains access.
One of the best ways to combat phishing attempts is to educate your employees about the common signs of vishing. For example, your employees should be on the lookout for web links with misspellings. Frequently, a domain is off by a letter or two.
Your employees should also be suspicious of any unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. If something doesn’t seem right, the best thing for an employee to do is to hang up the phone, search for the number of the organization the caller was claiming to be from and call it.
While vishing attacks aren’t anything new, they’re becoming more sophisticated. Educate your employees on how they can prevent vishing attacks before your data and sensitive information is stolen.