The rise of vishing and why enterprises need to be ready [Q&A]


Vishing (voice phishing) attacks have surged by over 1,600 percent so far this year, partly driven by a rise in AI-driven deepfake voice scams.
This is yet another way cybercriminals are seeking to impersonate those with access to company systems to disrupt organizations and hold data for ransom. We spoke to Anthony Cusimano, solutions director at Object First, to discover more about this trend and how businesses are at risk.
BN: What’s driving the increase in vishing attacks, and how are tactics changing?
AC: AI has made sophisticated cyberattacks easier and faster for even inexperienced cybercriminals. Vishing, in particular, is becoming more popular because it avoids the expected preventative cybersecurity measures and email filters that traditional phishing attempts must deal with. It also targets employees’ mobile devices, which often do not have the same security features in place as company-issued computers.
BN: How are deepfakes being used in this context?
AC: Deepfakes are being used to mimic voices, impersonating a trusted individual like a coworker or a decision maker to convince the victim to reveal personal or protected company information, such as passwords or banking numbers. Audio deepfakes can also be used to impersonate an IT help desk, for example, to persuade the employee to hand over remote access to their devices to the caller. Outside the enterprise, cybercriminals use deepfakes to disguise their voice, mask their face, or create an entire persona to sound and look more trusting or replicate an important individual, from customer service personnel to a bank clerk to a relative to a CEO.
BN: Are some kinds of organizations more at risk than others?
AC: While some businesses are more valuable targets because they hold sensitive data or are a high-profile company, ultimately, all organizations, no matter the size or industry, are vulnerable to these types of attacks. AI allows cybercriminals to cast a wide net with their attacks, targeting different employees and organizations simultaneously until they find a crack to exploit. A single compromised password, an unprotected backup, or a phishing attack on a personal device can lead to a large-scale breach of an organization. They’re out to exploit the weakest entry point, and once they are in, they use every trick in the book to expand their attacks and capture as much information as possible.
However, organizations that do not follow security best practices will face more risk than their more secure peers. Just like how phishing emails purposely contain spelling errors to weed out security-savvy recipients, cybercriminals will exploit an untrained employee who does not follow proper cybersecurity practices, such as MFA, biometrics, and verification processes. Organizations that are known to have lackluster security measures will continue to be top targets.
BN: How can businesses adapt to this new threat landscape?
AC: There’s no sugar-coating it. In today’s threat landscape, proactive measures are not enough; companies must now assume breach and prepare for recovery. According to a recent survey of IT decision makers from Enterprise Strategy Group, almost every organization (96 percent) that experienced a ransomware attack in the past two years had backup data targeted. Forty-nine percent of those organizations took up to five business days to recover, and most did not recover the entirety of their data. That kind of impact can cripple a business, financially and reputationally.
The only way to ensure resilience after an attack is to make sure backed-up data cannot be modified or deleted, by anyone, no matter what. This is done through a concept called immutability, which is widely touted by tech vendors but not as often truly delivered.
BN: What is 'immutability' and why is it important in this context?
AC: At its core, immutability ensures data cannot be altered or deleted once it has been recorded, providing a foolproof means of securing backup data, if done correctly. While simple in theory, immutability can be complex to implement in practice. For backup storage to truly be immutable, it must be impossible for anyone -- including storage admins (even those with the highest privileges), vendors, or attackers -- to alter, delete, or corrupt the data either maliciously or accidentally.
To meet this high bar, IT organizations need to re-architect their backup environments around the same Zero Trust principles that are now a commonly accepted best practice in broader IT environments. In the context of data protection, a Zero Trust approach operates under the assumption that all credentials will eventually be compromised, and authentication alone is not enough. Especially with vishing attacks, which utilize the impersonation of authenticated individuals, a Zero Access model is required to ensure immutability. As its name suggests, Zero Access goes a step further than Least Privilege Access by removing all access, including privileges like firmware-level or operating system-level access and the ability to perform factory resets.
Cyberattacks, especially those targeting data, are unfortunately no longer an anomaly and are becoming scarier by the day -- vishing being just one of the latest developments. Immutability and Zero Trust can help organizations adapt to the rise of these attacks by prioritizing resiliency.