You’ve heard of phishing. But what about vishing?
Vishing, or voice phishing, is the use of phone calls to deceive individuals into offering sensitive data like passwords or financial information, according to Terranova Security. Through live phone calls, scammers are able to feign urgency and use social engineering to make the victim believe that there will be legal or professional repercussions if they do not take action.
While these attempts are popular among scammers looking to target vulnerable populations, like the elderly, there is a significant risk to enterprises because of the increase in remote employees over the last few years, according to Sean Gallagher, a security research engineer at Cisco Talos, a Cisco subsidiary focused on cybersecurity research and response.
Gallagher said that collaboration and videoconferencing platforms can let bad actors disguise themselves as someone in the company, using filters or simply pretending to be one of its executives. With AI at the forefront of IT operations (both criminal and legitimate), scammers can even apply voice-changing technology to sound more convincingly like the person they are impersonating.
“This is the lowest-tech attack against organizations,” Gallagher said. “When we think about hackers, we think about people who have sophisticated technical skills that they use to exploit weaknesses in software in networks and to break in. We don’t think about phishing or vishing…as that sort of thing.”
How does it work? When an employee of a company receives a message request or incoming call from someone they believe is the CEO or another executive, they might hesitate to answer, but fear the repercussions if they ignore it.
Gallagher said an attacker could try to get an employee to give up a one-time password for a multi-factor authentication (MFA) system or allow access to an account or broader systems.
In some instances, a bad actor may set up a ransomware attack by persuading someone to grant them remote control of their device, which can give the attacker access to that person’s credentials and access rights.
“If you can take control of a device where your [MFA] depends on simple messaging service, SMS messages, then you can, in theory, take over somebody’s multi-factor by cloning their phone,” Gallagher said.
Gallagher said he has seen attacks on a variety of voice and video platforms, including Microsoft Teams. He has also seen attempted scams on Slack, with attackers stealing a web token that gives them access to a company’s Slack channel, where they then attempt to pose as someone within the organization.
How to defend against it. A scammer who is utilizing this type of attack is generally “very persistent,” according to Gallagher. They’ve potentially researched their target, believing the payoff will be worth the effort.
Gallagher said that cybersecurity experts shouldn’t think of the perimeter as being email, the network firewall, or intrusion detection at the edge.
The first defense, instead, is education.
“The user is the most vulnerable piece of these things because these are specifically social-engineering attacks,” Gallagher said. “They’re designed to convince someone to allow you to have access. So, the most important things to start off with are educate the user base on who will ask you for what when they call you, and who to expect a call from.”
Gallagher highlighted user education about the tactics of these types of cyber threat operations, “because otherwise we’re just fighting it after it started.”
“Typically, people don’t call you and ask you to log into something if they’re legitimate. But if people are confused about it and are panicked about it, they may very well give them [the login],” Gallagher said. “We all make mistakes, and they’re counting on that.”