For years, businesses and individuals have had to worry about so-called "phishing" scams sent via email or text. These cyberattacks are designed to hook unsuspecting victims into revealing sensitive information.
Now there's a new twist aimed largely at small businesses: voice phishing scams, also known as "vishing," which rely on social engineering over the phone. A recent alert from the Cybersecurity and Infrastructure Security Agency (CISA), issued jointly with the Federal Bureau of Investigation (FBI), provides the details.
In the classic phishing scam, scammers use email or text messages to trick someone into revealing sensitive information. Fraudsters may target individuals to gain access to their passwords, account numbers, Social Security numbers (SSNs) and other sensitive personal data.
Phishing scams also may target employees to gain access to their employers' networks. Once inside, they can steal electronic records containing employee or customer data, install malware or ransomware, and/or hijack the company's records, such as customer lists, financial records, account numbers, trade secrets and in-progress R&D projects.
In vishing scams that target the business sector, a scammer calls on the phone and may use intimidation to convince the employee to provide access. In some cases, the scammer may pose as a coworker from the company's IT department who's been assigned to install a software update that's actually malware.
Vishing scams have been around for years. But the proliferation of employees working from home during the novel coronavirus pandemic has led to a significant uptick in these scams in 2020. Why? At-home networks are often less secure than in-office networks — and some companies haven't had the time or resources to update their security protocols for remote access. Fraudsters have seized this opportunity to target stay-at-home employees.
Vishing attacks gained momentum over the summer, according to the CISA advisory. The fraudsters typically exploit holes in the security system of virtual private networks (VPNs) set up to accommodate employees working from home.
Here are four steps involved in a typical vishing scam:
When this process is complete, the company's proprietary and trade secret information is exposed. This could lead to substantial ransom costs, forensic fees and expenses, employee and customer notice obligations and even liability for security breaches.
Fortunately, the CISA advisory does more than just alert the business sector to the potential dangers of vishing. It also outlines the following steps for companies to take for greater protection against these sophisticated attacks.
In addition, employers might consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
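One way to implement the second-factor step described above, as an added example that is not part of the article or the CISA/FBI advisory: the employee who receives a call never acts on the caller's request directly. Instead, the callee looks up the identity the caller claims in the company directory, sends a short one-time code to that person's directory-listed contact (a separate channel from the incoming call), and only proceeds if the caller can read the code back within a few minutes. The directory entries, the five-minute validity window and the delivery function are constructed assumptions for the demonstration; a real deployment would plug in its own directory and SMS or push channel.

```python
"""Second-factor verification of an employee-to-employee phone call.

Added example, not code from the article or the CISA/FBI advisory.
Assumes a hypothetical directory (DIRECTORY) and an out-of-band delivery
function (send_fn) supplied by the caller of this module.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # constructed policy: a code is valid for 5 minutes

# Constructed directory: claimed employee id -> contact the code is delivered to.
# The code goes to the *directory* contact, never to a number the caller offers.
DIRECTORY = {
    "e1001": {"name": "A. Example", "mobile": "+1-555-0100"},
    "e1002": {"name": "B. Example", "mobile": "+1-555-0101"},
}


class CallVerifier:
    def __init__(self, server_key: bytes, send_fn):
        self._key = server_key
        self._send = send_fn       # out-of-band delivery (SMS/app push), assumed
        self._pending = {}         # claimed employee id -> (nonce, issued_at)

    def _derive_code(self, employee_id: str, nonce: bytes) -> str:
        # Six-digit code bound to the claimed identity and a fresh random nonce.
        mac = hmac.new(self._key, employee_id.encode() + nonce, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def issue_challenge(self, claimed_employee_id: str, now=None) -> bool:
        """Send a one-time code to the directory contact of the claimed identity.

        Returns False (and sends nothing) if the claimed identity is unknown,
        which is itself a signal that the call should not proceed.
        """
        entry = DIRECTORY.get(claimed_employee_id)
        if entry is None:
            return False
        nonce = secrets.token_bytes(16)
        issued_at = time.time() if now is None else now
        self._pending[claimed_employee_id] = (nonce, issued_at)  # replaces any older code
        self._send(entry["mobile"], self._derive_code(claimed_employee_id, nonce))
        return True

    def verify(self, claimed_employee_id: str, spoken_code: str, now=None) -> bool:
        """True only if the caller reads back the current code before it expires.

        The pending entry is removed on every attempt, so a code is single-use
        and a wrong guess forces a fresh challenge rather than allowing retries.
        """
        pending = self._pending.pop(claimed_employee_id, None)
        if pending is None:
            return False
        nonce, issued_at = pending
        current = time.time() if now is None else now
        if current - issued_at > CODE_TTL_SECONDS:
            return False
        expected = self._derive_code(claimed_employee_id, nonce)
        return hmac.compare_digest(expected, spoken_code.strip())


def demo() -> bool:
    """Walk through one verified call; returns True when the flow succeeds."""
    delivered = {}
    verifier = CallVerifier(secrets.token_bytes(32), delivered.__setitem__)
    verifier.issue_challenge("e1001")                 # caller claims to be e1001
    code = delivered["+1-555-0100"]                   # reached e1001's own phone
    return verifier.verify("e1001", code)             # caller reads it back


if __name__ == "__main__":
    print("verified" if demo() else "rejected")
```

The design point is that the code travels to the contact the company already trusts, so an impostor who spoofs caller ID or claims a colleague's name never receives it; the callee then has a concrete reason to end the call and report it through the secure IT number.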
At many workplaces, remote working arrangements are expected to outlast the COVID-19 crisis — and cybercriminals will continue to find ways to exploit home-based networks. Employees are your company's first line of defense against cyberattacks. Cybersecurity training can help update employees on proper network use, security issues and when to call a secure IT number. Remind employees to be suspicious of any request for their logins and credentials or other personal information. Provide detailed instructions for contacting the appropriate personnel if they have any security concerns.
Your company's professional advisors can also be valuable assets as your company adjusts to work-from-home arrangements. Contact them to discuss your concerns and help fortify your company's cybersecurity measures.
Get in touch today and find out how we can help you meet your objectives.