The massive shift to teleworking has increased the use of VPNs (Virtual Private Networks) and removed in-person verification. In this context, cybercriminals have begun to complement their phishing scams with a new technique: placing Voice over Internet Protocol (VoIP) calls to potential victims, typically employees of the companies they are targeting, and working them for sensitive information until they obtain what they are after, such as corporate access credentials. This technique is known as Vishing.
Vishing or Voice Phishing
‘Vishing’ is essentially a variant of phishing carried out over a telephone call: the attacker uses data gathered from the Internet during a voice call to induce the victim to reveal personal information. Companies such as Amazon and Microsoft registered cases of this form of identity theft during 2019, with users complaining, for example, of calls supposedly made on behalf of the Windows technical support team.
Those who use Vishing rely on social engineering techniques: they collect information about their victims from what has been shared publicly on the Internet, for example on social networks, in order to gain their trust. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) of the United States have warned of the growth of campaigns using ‘vishing’ attacks during the coronavirus pandemic, as cybersecurity researcher Brian Krebs noted on his website.
FBI Alerts About Vishing
According to the FBI report, the criminals begin “first using unattributed Voice over Internet Protocol (VoIP) numbers to call the chosen employees on their personal mobiles, and later they begin to incorporate false numbers from other offices and employees of the company from which they want to obtain information”.
Using social engineering techniques, and even posing as members of the victim company’s IT helpdesk, the attackers use “their knowledge of the employee’s personally identifiable information – including name, title, length of time with the company and home address – to gain the trust of the target employee.”
In actual Vishing cases, cybercriminals convinced a targeted company employee that a new VPN link would be sent to them and asked for their login details, including any 2FA (two-factor authentication) or OTP (one-time password) codes. The criminal saved the information provided by the employee and used it in real time to access corporate tools through the employee’s account.
Getting the information
The FBI alert notes that in some cases unsuspecting employees approved the 2FA or OTP prompt, either accidentally or believing it was “the result of prior access granted to the help desk copycat.” In other cases, the attackers were able to intercept the codes directly by targeting the employee with a SIM swap, meaning they socially engineered the mobile phone company into giving them control of the target’s phone number.
The agencies said the thieves use the VPN credentials they obtained to mine the victim company’s databases for its customers’ personal information, which is then exploited in further attacks.
Tips and measures to avoid Vishing
Don’t answer calls from suspicious numbers
Day after day we put up with automated calling services, the so-called ‘robocalls’, that try to sell us something or get something from us. Before picking up, look at the number shown on the phone screen. Be wary of calls from international prefixes you do not recognise: some criminals place very short calls from such numbers so that you do not have time to answer, hoping you will call back, which costs you money.
Never reveal bank and / or personal details
This will surely sound familiar, because it is standard advice for avoiding phishing scams. Callers may pretend to be Microsoft, a mobile operator, your gas company or your bank, and ask for information such as passwords or the card you use. NO bank, software company or operator is going to call you to request private data, whether by phone or by email, so hang up immediately if you have picked up.
Ask who is calling you
It’s very easy to call someone and impersonate the customer service of a well-known company whose service you use. If you don’t trust the caller, ask them for company information they should know. Also ask for the telephone number they are calling from and the name of the person calling. Then hang up.
If you still have doubts, call that company’s customer service yourself to verify whether the caller really is one of their employees.
- Keep your sensitive information protected with a password.
- Use passwords of more than 8 alphanumeric characters, mixing upper and lower case.
- Do not use the same password across all your online services.
- Avoid accessing public Wi-Fi networks, unless absolutely necessary.
- Never reuse the same password for different email accounts.
- Install antivirus software on your computer.
- Don’t accept requests from friends you don’t know on social media.
- Before posting on social media, think about whether it is necessary to leave so much information available to anyone.
- Adjust the privacy options of Facebook, Twitter, Instagram, etc. to choose who can see your posts.
- Activate the Find My iPhone feature or the equivalent phone-finding feature on Android.
- Make purchases online only at trusted sites.
- Never save your credit card details on websites.
- Never treat a public computer as if it were your personal computer.