The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) recently issued a joint alert to warn about the growing threat from voice phishing or “vishing” attacks targeting businesses.
You can read the full article here but I’ll save you some time and give you the what-you-need-to-know highlights:
As you already know, the Covid-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs). This makes it difficult to verify if it’s an employee or cybercriminal connecting to the company’s private network.
Vishing is short for “voice phishing”: a cybercriminal calls, pretending to be someone of authority such as a bank or a vendor (such as Dell or Microsoft), in order to infiltrate a computer or network. In this case, criminals are using social engineering techniques, sometimes posing as the victim company’s IT help desk and spoofing their caller ID to appear legitimate.
Criminals are using data scraped from social media sites and data breaches such as name, position, duration at a company and home address to build trust and legitimacy and convince the employee to install software that gives the cybercriminal control of the employee’s computer.
Threat actors then use the employee’s access to conduct further research on victims and/or to fraudulently obtain funds using various methods. The monetizing method varies depending on the company, but the key point is that the attackers are typically highly aggressive, with a tight timeline between the initial breach and the disruptive cashout scheme. This may include infiltrating the company’s network, further harvesting data and sometimes deploying ransomware to hold the organization hostage, demanding millions of dollars in untraceable bitcoin for its release.
Next steps
The FBI advisory includes a number of suggestions that IT departments can implement to help mitigate the threat from these vishing attacks.
Restrict VPN access to managed devices only. This can be done via hardware checks (e.g. MAC address, installed certificates). The key is to make it so that a username/password alone is not enough to access the corporate VPN.
Restrict VPN access to only working hours.
Actively scan and monitor key company applications (such as accounting, CRM, etc.) for unauthorized access, modification, and anomalous activities.
Review employee access policies. Remember “least privilege” and limit users to only the resources they need to perform their duties.
Consider a SIEM solution to monitor employee access and activity that will alert you to anything unusual (e.g. Cylanda has one).
Consider implementing an authentication process for employee-to-employee communications made over the public telephone network. For example, a secret passphrase.
Verify web links do not have misspellings or contain the wrong domain.
Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
Be suspicious of unsolicited phone calls, visits, or email messages from individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks.
Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
If you receive a vishing call, document the phone number of the caller and the website that the actor tried to have you open and relay this information to law enforcement.
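The first few IT-side recommendations above (managed devices only, working hours only, never password-only access, and SIEM alerting on anything unusual) can be turned into a concrete detection rule. The following Python checker is an added example written for this post; it is not code from the FBI/CISA advisory or from Cylanda. It reads a few constructed VPN authentication log lines, and the log line format, the device-certificate issuer name and the 07:00–19:00 Monday–Friday working window are all assumptions you would replace with your own VPN appliance’s values.

```python
"""Flag successful VPN logins that break the advisory's access rules.

Rules checked (all thresholds below are assumptions for this example):
  1. Managed devices only: the client certificate must come from the corporate device CA.
  2. Working hours only: Monday-Friday, 07:00 to 19:00 local time.
  3. Username/password alone is not enough: MFA must have succeeded.
Every violation becomes a reason string that a SIEM rule could alert on.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional

TRUSTED_DEVICE_CA = "CN=Corp Device CA"        # assumed issuer of managed-device certs
WORK_START, WORK_END = time(7, 0), time(19, 0)  # assumed working hours (local time)
WORK_DAYS = range(0, 5)                         # Monday..Friday per datetime.weekday()

UNMANAGED = "unmanaged-device"
OFF_HOURS = "outside-working-hours"
NO_MFA = "password-only"

# Constructed sample log lines in an assumed key=value format (not a real product's format).
# 2020-08-21 is a Friday, 2020-08-22 a Saturday.
SAMPLE_LOG = """\
2020-08-21T14:05:12 user=alice src=203.0.113.10 cert_issuer="CN=Corp Device CA" mfa=ok result=success
2020-08-21T23:41:03 user=bob src=198.51.100.7 cert_issuer="CN=Corp Device CA" mfa=ok result=success
2020-08-22T10:12:44 user=carol src=198.51.100.9 cert_issuer=none mfa=ok result=success
2020-08-21T15:30:00 user=dave src=203.0.113.55 cert_issuer="CN=Corp Device CA" mfa=none result=success
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) '
    r'cert_issuer=(?:"(?P<issuer>[^"]*)"|(?P<issuer_bare>\S+)) '
    r'mfa=(?P<mfa>\S+) result=(?P<result>\S+)$'
)


@dataclass
class VpnEvent:
    when: datetime
    user: str
    src: str
    issuer: Optional[str]   # None when the client presented no device certificate
    mfa_ok: bool
    success: bool


def parse_event(line: str) -> VpnEvent:
    """Parse one log line into a VpnEvent; raise on lines the rule does not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised VPN log line: {line!r}")
    issuer = m.group("issuer") if m.group("issuer") is not None else m.group("issuer_bare")
    if issuer == "none":
        issuer = None
    return VpnEvent(
        when=datetime.fromisoformat(m.group("ts")),
        user=m.group("user"),
        src=m.group("src"),
        issuer=issuer,
        mfa_ok=m.group("mfa") == "ok",
        success=m.group("result") == "success",
    )


def check_event(ev: VpnEvent) -> List[str]:
    """Return the rules a successful login violates (empty list means it passed)."""
    if not ev.success:
        return []  # failed logins belong to lockout / brute-force rules, not this one
    problems = []
    if ev.issuer != TRUSTED_DEVICE_CA:
        problems.append(UNMANAGED)
    in_window = ev.when.weekday() in WORK_DAYS and WORK_START <= ev.when.time() < WORK_END
    if not in_window:
        problems.append(OFF_HOURS)
    if not ev.mfa_ok:
        problems.append(NO_MFA)
    return problems


def scan_log(text: str) -> Dict[str, List[str]]:
    """Map each user with at least one violation to the reasons, in log order."""
    alerts: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = check_event(ev)
        if reasons:
            alerts.setdefault(ev.user, []).extend(reasons)
    return alerts


if __name__ == "__main__":
    for user, reasons in scan_log(SAMPLE_LOG).items():
        print(f"ALERT {user}: {', '.join(reasons)}")
```

On the sample above, alice passes all three rules; bob is flagged for a Friday-night login, carol for logging in on a Saturday from a device with no corporate certificate, and dave for a session that succeeded on a password alone. In a real deployment the same three checks would sit in the VPN policy itself (so the login is denied, not just logged) and the SIEM rule would catch anything that slipped past, such as a misconfigured gateway.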
These are uncertain and chaotic times and cybercrime is thriving now more than ever. We here at Cylanda use our years of experience to help the community and restore businesses to a state of efficiency and safety. If this is something your company is interested in, let us know. We can help.
Stay safe out there.
-A