Why vishing is the new phishing and how to guard against it [Q&A]
We're all familiar with the menace of phishing, but other methods of stealing credentials have been on the rise, particularly since the recent Twitter attack, which began with attackers phoning employees and talking them into handing over access.
These include 'smishing' (phishing via SMS) and 'vishing' (phishing by voice call). We spoke to Ed Bishop, CTO at email security company Tessian to find out how businesses can identify vishing and smishing attacks, how the attacks work, and how companies can protect their employees.
BN: Why are these types of attacks on the increase?
EB: Attackers are always looking for ways to bypass security defenses and trick people into carrying out their malicious requests. Vishing and smishing attacks are two types of social engineering attacks that do this effectively, and that's why we see the number of incidents increasing. For example, the victim of a vishing attack will receive a phone call from a scammer, pretending to be a trusted person who's attempting to elicit personal information such as credit card or login details. Hackers use a range of advanced techniques such as faking caller ID and using synthetic speech to trick their targets. As the saying goes, seeing -- or hearing -- is believing. If you receive a call from someone pretending to be a senior figure in your company, why would you ignore or question it?
Cybercriminals have certainly exploited the remote-working arrangements throughout the COVID-19 pandemic to advance their vishing and smishing campaigns. In fact, the FBI and CISA issued a statement warning businesses about an ongoing vishing campaign whereby hackers spoof login pages for corporate VPNs to steal employees' credentials and access personal information about the employees. The attackers then use unattributed VoIP numbers to call their targets on their personal mobile phones. Posing as IT helpdesk agents and running a fake verification process with the stolen credentials, they gain the employee's trust. The problem is that it's more difficult for an employee to physically and quickly verify the request with a person in the office, for example.
Given that these attack methods are more targeted and more sophisticated than a generic phishing email, they’re difficult for people to detect and can be very successful. Once their target has shared login details over the phone, hackers can access the company's networks and systems to cause serious damage.
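The spoofed VPN login pages in the campaign Bishop describes work because the hostname looks right at a glance. As an added illustration (example code written for this page, not Tessian's and not from the FBI/CISA advisory; the portal name vpn.example.com, the brand token and every candidate hostname are assumptions), here is a small Python scorer a security team could run over newly registered or newly observed domains to flag names that imitate the corporate VPN portal:

```python
"""Score hostnames for resemblance to a corporate VPN portal.

Added example, not from the interview or from Tessian. The portal name,
brand token and candidate hostnames below are constructed for illustration.
"""
from __future__ import annotations

from difflib import SequenceMatcher

LEGIT_HOST = "vpn.example.com"  # assumed legitimate portal (hypothetical)
LEGIT_DOMAIN = ".".join(LEGIT_HOST.split(".")[-2:])  # "example.com"
ORG_TOKEN = LEGIT_DOMAIN.split(".")[0]  # "example", the brand word attackers reuse

# Words commonly glued to a brand to make a fake IT/VPN support page look plausible.
LURE_WORDS = {"vpn", "support", "helpdesk", "ticket", "sso", "login", "it", "employee"}

# Substitutions that pass a quick glance on a phone screen.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def registrable_label(host: str) -> str:
    """Label just left of the suffix ('example' for vpn.example.com).
    Simplified: treats the last label as the TLD; a real tool would use the Public Suffix List."""
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold_homoglyphs(label: str) -> str:
    """Map look-alike digits and letter pairs back to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def score_host(host: str) -> tuple[int, list[str]]:
    """Return (risk score, reasons); 0 means the real portal or an unrelated name."""
    host = host.strip().lower().rstrip(".")
    if host == LEGIT_HOST:
        return 0, []
    score, reasons = 0, []

    # 1. The real hostname used as a subdomain of an attacker-controlled domain.
    if host.startswith(LEGIT_HOST + "."):
        score += 3
        reasons.append("legitimate hostname embedded as subdomain")

    # 2. Non-ASCII characters: IDN homoglyphs such as Cyrillic 'а' for Latin 'a'.
    if not host.isascii():
        score += 3
        reasons.append("non-ASCII characters in hostname")

    label = registrable_label(host)
    folded = fold_homoglyphs(label)
    under_legit = host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

    # 3. Digit-for-letter substitution that folds back to the brand ('examp1e').
    if folded == ORG_TOKEN and label != ORG_TOKEN:
        score += 3
        reasons.append("homoglyph substitution of brand")

    # 4. Exact brand under a different TLD ('vpn.example.net').
    if label == ORG_TOKEN and not under_legit:
        score += 2
        reasons.append("brand registered under a different TLD")

    # 5. Brand combined with lure words ('vpn-example-support').
    parts = [p for p in folded.replace("_", "-").split("-") if p]
    if ORG_TOKEN in parts and len(parts) > 1:
        score += 2
        reasons.append("brand token combined with other words")
        if LURE_WORDS & set(parts):
            score += 1
            reasons.append("IT/VPN lure word present")

    # 6. Typo-squat: small edit distance to the brand ('exampel').
    ratio = SequenceMatcher(None, folded, ORG_TOKEN).ratio()
    if folded != ORG_TOKEN and ORG_TOKEN not in parts and ratio >= 0.8:
        score += 3
        reasons.append(f"typo-squat (similarity {ratio:.2f})")

    return score, reasons


def triage(hosts: list[str]) -> list[tuple[str, int, list[str]]]:
    """Score each host and return only the flagged ones, highest risk first."""
    rows = [(h, *score_host(h)) for h in hosts]
    return sorted((r for r in rows if r[1] > 0), key=lambda r: -r[1])


if __name__ == "__main__":
    CANDIDATES = [  # constructed, not observed domains
        "vpn.example.com", "example.com", "vpn-example-support.com",
        "examp1e.com", "exampel.com", "vpn.example.net",
        "vpn.example.com.portal-login.net", "vpn.exаmple.com",  # last one has a Cyrillic 'а'
    ]
    for host, score, why in triage(CANDIDATES):
        print(f"{score:2d}  {host:36s} {'; '.join(why)}")
```

The checks are deliberately cheap so they can run over a daily feed of new domain registrations or proxy logs; the thresholds and the simplified TLD handling are assumptions, and a production version would use the Public Suffix List and a fuller confusables table.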
BN: Are some kinds of organizations particular targets?
EB: Any organization that manages sensitive information is susceptible and a target for attack, but there are certain industries that are at higher risk than others like healthcare/pharmaceuticals, education and manufacturing. Bad actors often impersonate large trusted consumer brands due to the amount of email communications with their customers. People should be suspicious of any type of email or call asking that they confirm their credit card details, home address or password. We are also seeing hackers adjusting their tactics based on current events, and in the era of COVID-19 and work from home, many hackers are using Zoom to launch email attacks on unsuspecting employees.
BN: What are some of the clues that a call may not be all that it seems?
EB: Today's vishing and smishing attacks are becoming more sophisticated, but there are certain questions to consider to determine if it's legit or not. For example, does the call or text use fear to prompt a response (like late to a meeting, late payment or fraudulent activity)? Does the caller use a specific name or company when identifying themselves? Do you recognize the number or area code? Also keep in mind that a legitimate company or its employees would not be calling you out of the blue to ask about credit card details, for example. If they send a text message, take a close look at the link as well; bad actors will often shorten the URL so the recipient can't see the link they are being led to.
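The clues Bishop lists (fear-based wording, an unfamiliar sender, a shortened link that hides the real destination) can be turned into a first-pass filter. As an added example (written for this page, not Tessian's code; the sender numbers, the contact list, the three messages and the redirect table are all constructed), the Python below scores an incoming SMS and expands a shortened link one redirect hop at a time so the final hostname is known before anyone taps it:

```python
"""Triage incoming SMS for smishing indicators.

Added example, not from the interview or from Tessian. Sender numbers,
messages, the contact list and the redirect table are all constructed.
"""
from __future__ import annotations

import re
from typing import Callable
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly", "cutt.ly", "rb.gy"}

# Pressure language: urgency, late payment, fraud alerts.
FEAR_RE = re.compile(
    r"\burgent(ly)?\b|\bimmediately\b|\bwithin \d+ (hours?|minutes?)\b"
    r"|\b(late|overdue|missed) payment\b|\bsuspended\b|\bfraud(ulent)?\b"
    r"|\bunusual (activity|sign-?in)\b|\bverify (your )?(account|identity|card)\b",
    re.IGNORECASE,
)
# Direct requests for secrets a genuine company would not ask for by text.
SECRET_RE = re.compile(
    r"\b(password|pin|one[- ]time code|otp|cvv|card number|login details)\b", re.IGNORECASE
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

KNOWN_CONTACTS = {"+15551234567"}  # constructed: numbers the recipient already knows

# Constructed stand-in for the Location headers a shortener would return. A live
# resolver would issue one HEAD request per hop and read Location itself, never
# letting the HTTP client auto-follow, so the final page is identified without being loaded.
FAKE_REDIRECTS = {
    "https://bit.ly/3xyzAbC": "https://t.co/q1w2e3",
    "https://t.co/q1w2e3": "https://examp1e-secure-login.com/verify",
}


def resolve_redirects(url: str, head: Callable[[str], str | None] = FAKE_REDIRECTS.get,
                      max_hops: int = 5) -> list[str]:
    """Follow redirects one hop at a time, with a hop cap and loop detection."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if not nxt:
            break
        chain.append(nxt)
        if nxt in seen:  # redirect loop: record it and stop
            break
        seen.add(nxt)
    return chain


def triage_sms(sender: str, text: str) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for one message."""
    score, reasons = 0, []
    unknown = sender not in KNOWN_CONTACTS
    if unknown:
        score += 1
        reasons.append("sender not in contacts")
    m = FEAR_RE.search(text)
    if m:
        score += 2
        reasons.append(f"pressure language: '{m.group(0)}'")
    m = SECRET_RE.search(text)
    if m:
        score += 2
        reasons.append(f"asks for a secret: '{m.group(0)}'")
    urls = [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]
    if urls and unknown:
        score += 1
        reasons.append("link from unknown sender")
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if host not in SHORTENERS:
            continue
        score += 2
        chain = resolve_redirects(url)
        final_host = urlparse(chain[-1]).hostname
        reasons.append(f"shortened link {host} -> {final_host} after {len(chain) - 1} hop(s)")
        if len(chain) > 2:
            score += 1
            reasons.append("multi-hop redirect")
    return score, reasons


if __name__ == "__main__":
    MESSAGES = [  # constructed samples
        ("+15559876543", "URGENT: unusual activity on your account. "
                         "Verify your card within 24 hours: https://bit.ly/3xyzAbC"),
        ("+15551234567", "Running 10 min late, start the meeting without me"),
        ("+15550001111", "Your parcel is waiting. Confirm delivery: "
                         "https://parcel-tracking.example-courier.net/confirm."),
    ]
    for sender, text in MESSAGES:
        score, why = triage_sms(sender, text)
        print(f"{score:2d}  {sender}  {'; '.join(why) or 'no indicators'}")
```

The scores and word lists are illustrative; the part worth keeping is the redirect resolver, which walks the chain hop by hop with a cap and loop check rather than letting a library follow it blindly, so the hidden destination is revealed without the phone ever loading it.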
BN: What should you do if you suspect that a call or text isn’t genuine?
EB: If you receive a suspicious message, the first rule is: don't respond. If a text or email requests that you follow a link -- or if it’s a phone call asking you to divulge information -- ignore it, at least until you've confirmed whether or not it's legitimate. Make sure that you're always verifying requests with the person directly. You can do this by asking them something only they would know to verify their identity, or by calling them on the phone directly, which is especially important if a message appears to be from a trusted institution. For example, if a message appears to be from your phone provider, search for its customer service number online and discuss the request directly with the operator.
If you receive a vishing or smishing message on a work device, report it to your IT or security team. If you're on a personal device, you should report significant attacks to the relevant authorities in your country, such as the Federal Communications Commission (FCC) in the US or Information Commissioner's Office (ICO) in the UK.
BN: Is training in identifying threats key to fighting the problem?
EB: Education and awareness for employees across the entire organization is really important. While people can find resources online, employers should be providing all employees with IT security training, which is actually a requirement of data security laws, such as the General Data Protection Regulation (GDPR) and the New York SHIELD Act.
But training is only half the battle. We can’t expect employees to get it right 100 percent of the time, and -- as we learned in a previous Tessian survey -- it only takes one mistake to permanently damage a company’s reputation and relationships. That's why we need to prioritize and protect employees. The only realistic way to mitigate this growing risk is through a combination of training, awareness and technology that can detect social engineering scams and warn people of the threat.