Phone phishing, or vishing (voice phishing), is not new, but this con has been elevated to a level of remarkable sophistication. Cyber criminals are using LinkedIn, Facebook, company websites, and insider information harvested from breached email accounts. They do serious investigation on an organization before launching their actual attack. When an unsuspecting employee receives a phishing call from "IT support" or "the fraud department," the crook on the phone may know more about the organization's structure, and who the new employees are, than the employee does.
This scam has many forms, but one effective one is to call a carefully selected employee or department to report a fraud situation, to resolve a security issue related to the victim's network access, or to raise some financial issue that needs verification. The caller will present themselves as a person of authority: Bank Fraud Investigator, IT Support, IRS or FBI Agent, or some other intimidating character.
Scammer: "Is this Mark Whipple?"
Target: "Yes, how can I help you?"
Scammer: "It's George from IT. We are getting alerts that your VPN has been compromised. I need you to answer some questions so we can lock it down."
Target: "Are you new?"
Scammer: "Yep, Stan asked me to take care of this for you."
From here the con artist will lead the victim to a spoofed web page and coax them into entering credentials for the VPN, their email account, or whatever access is being targeted. Even multi-factor authentication will not protect the network when the cyber-creep instructs the user to enter their PIN or one-time code into the fake web page form; the attacker simply relays it to the real login before it expires.
When the vishing attack succeeds, the bad guys end up with access to your VPN, your email, and your entire network. With that access (keys to the kingdom) they will leverage further attacks to take over your network, install ransomware, or steal sensitive data.
If a call or email seems slightly peculiar, it likely is. Slow down. If your Spidey Senses are tingling, then tell them you will call back after you check with your manager. If it is your real IT guys, they will be impressed with your good security practices and not offended at all. If the caller protests, you know you just caught a phish.
The frightening success of this hack has been headlined by major tech news providers. Andy Greenberg of Wired recently reported: "In mid-July, Twitter revealed that hackers had used a technique against it called 'phone spear phishing,' allowing the attackers to target the accounts of 130 people including CEOs, celebrities, and politicians. The hackers successfully took control of 45 of those accounts and used them to send tweets promoting a basic bitcoin scam. The hackers, Twitter wrote in a postmortem blog post about the incident, had called up Twitter staffers and, using false identities, tricked them into giving up credentials that gave the attackers access to an internal company tool that let them reset the passwords and two-factor authentication setups of targeted user accounts."
Advice to Follow
No one needs to know your email, network, or VPN credentials; they are secret and just for you.
The only place to type your credentials is into the corresponding application (Outlook, VPN client) or into a genuine web portal that you are certain is the right site.
No financial institution or government agency is going to call or email asking for your social security number.
The government will not call to arrest, fine, or deport you.
Fun story - My eighty-five-year-old mother cracked up laughing when a scammer called her and threatened her with arrest if she did not pay up on some fictitious, overdue IRS penalty. He asked why she was laughing, since this was a very serious issue. She explained that his scam was so pathetic that she could not help herself. He hung up, and I expect they took her off their list. You go, Mom!
Slingshot Information Systems helps its clients protect their IT networks with multiple layers of security: anti-malware, email security filtering, web filtering protection, endpoint detection and response, and user education. Located on the tip of Cape Ann in Rockport, Massachusetts, we are ready to help. Contact us for a free network evaluation.