If the coronavirus pandemic was a lemon, then vishing is a cyberattacker’s latest approach to making lemonade. On August 20, the Federal Bureau of Investigation (FBI) issued a warning about the rise in vishing attacks. In a joint advisory with the Cybersecurity and Infrastructure Security Agency (CISA), the two agencies cautioned organizations of financially-motivated vishing attacks that operate with high efficiency and tight timelines.
As most of us continue to work away from the office, we’re using our smartphones and tablets a lot more to stay productive. Unlike a company-issued laptop, mobile devices rarely have anti-phishing or anti-malware installed. In addition, they connect via cellular or our home Wi-Fi network, so they don’t receive protection from corporate virtual private networks (VPN).
The FBI warning indicates that cybercriminals are using a new technique, vishing, to exploit the lack of mobile-device protection. This is in addition to the 37% spike in mobile phishing during the three months of 2020 that Lookout reported earlier this year.
What’s the deal with vishing?
Vishing, or voice phishing, is also known as phone spear phishing and is a form of phishing where attackers trick you into giving up your credentials over the phone. This was the tactic used by a 17-year old from Florida who was able to find his way into the Twitter infrastructure and carry out a bitcoin scam with high-profile accounts. And Twitter is not alone. According to WIRED, vishing has been on the rise since the Twitter breach in July.
A challenge with preventing vishing is that it uses Voice over IP, or VoIP. This enables attackers to spoof their phone numbers and pretend to be a member of your organization calling from a familiar phone number.
By using information scraped from the internet – such as social media platforms – the attackers can socially engineer their way into your infrastructure. Since vishing relies on human judgement, security measures such as VPN, multifactor authentication or one-time passwords are not able to prevent attacks.
It’s not different from any other phishing attack
Vishing might take social engineering to the next level, but the attack chain to access your corporate data remains familiar. At the end of the day, the goal is still to convince the target to enter their login credentials on a fake phishing website. My advice to you remains the same – ensure your workers are educated about what mobile-targeted phishing attacks look like and have proper mobile security in place.
On the training side, make sure your employees understand why phishing is so much harder to identify on a mobile device. For one, attackers can hide their true identity by taking advantage of VoIP phone numbers or the simplified design of a messaging app. It also doesn’t help that email is no longer the only way you can get phished. In addition to vishing calls, your employees can now get phishing messages from countless mobile apps, such as WhatsApp, Signal or Facebook Messenger.
On the protection side, ensure you have a modern mobile security solution in place. A comprehensive security will not only be able to protect both personal and corporate-owned devices, but it understands the characteristics of an attack and can automatically detect them.
To learn more about how to properly protect your organization, be sure to visit our phishing page for more information.