Have you ever experienced a vishing attack? If not, it’s likely that you or someone you know will at some point. Therefore, it’s important to have a general idea about the intent of these calls, including how to identify them and avoid becoming the victim of data theft. Here’s a real-life account of a recent phone phishing scam and some tips for how to be prepared in case it happens to you.
My Real-Life Phone Phishing Scam
I (Thomas) recently experienced a phishing scam. Here’s what happened:
I was on the way home from an event with my daughter, when she got a call from an “unknown” number.
“Let me have it,” I said. I often enjoy having a bit of fun with telemarketers and thought this would be a good opportunity for one.
“Hello,” said the man on the phone. I couldn’t place the accent at first, but I could tell he wasn’t a native English speaker.
He said he was with “technical services” and regretted to tell me that, last week, I visited a website and inadvertently downloaded malicious software to my computer. The software was now destroying part of my computer, and he was here to help. He provided concerning statistics (all fictitious) about when I downloaded the software and then gave details about how the software was currently destroying my system.
According to this man, I needed to act fast if I wanted to fix the problem and stop the damage. He was trying to instill fear and then create a sense of urgency so I would act quickly, without time to think or consider the legitimacy of his proposal.
He even went so far as to ask, “Are you at a computer right now?” This guy wasn’t wasting any time!
I said, “You know, I know exactly what you’re doing. I want you to know that I’m going to report you to the FBI.”
He laughed. “Do you think you’re actually going to catch me? You’re not going to catch me. You’re like a barking dog, and you have no bite. And you’re never going to catch me.”
The sad reality is…he was right.
3 Things to Note About This Vishing Scam
It’s unlikely this man or other criminals like him will get caught. That’s why it’s important to protect yourself and your organization from these attacks. Here’s what you should know about these types of attacks:
- The person receiving the call has almost certainly not been infected with any malicious software, whatever the caller claims. Even if they were, a cold caller would have no way of knowing.
- In this case, the man’s goal was to get me to install a Trojan horse on my computer. It would allow him to remotely control my machine and search for sensitive data, or do anything else he could monetize, such as disabling the computer and demanding a ransom payment.
- In the case of an organization, once attackers have control of a machine, they can use it to pivot to other systems on the network, giving themselves unfettered access to a company’s network—the exact thing we want to prevent.
What’s Unique About This Attack?
While this is vishing, it relies on a strong social engineering component to add legitimacy. Phishing normally arrives by email or other online channels, but a live phone call adds a layer of perceived legitimacy that those attacks alone do not have. The man not only presented himself convincingly as a helpdesk employee, he provided specific (albeit fake) data about when I had supposedly downloaded the malicious software, as well as specific details about how the software worked and what it was doing to my computer.
How to Protect Your Organization from Phone Phishing Scams
This attack is indicative of what we’ll likely see with future generations of ransomware, in which cyber-criminals prepare more extensively for well-executed, seemingly legitimate attacks. In the meantime, here’s how you can protect your organization from phone phishing scams:
1. Educate and test your employees.
Phone phishing attacks will become more legitimate-looking and believable as less sophisticated strategies die out. The criminal organizations who want to access your data are starting to present themselves more professionally, and with good reason—they stand to make a significant amount of cash off uneducated victims.
The goal of these criminals is to create a scenario that appears legitimate and trustworthy, so you can’t help but believe them. With that being said, it’s extremely important to educate your employees on phishing and social engineering warning signs. But, don’t stop there. Make sure information security testing is part of your security awareness program as well.
It’s easy to understand these attacks conceptually, but your employees are on the front lines. Testing should involve scenarios that mirror what they’d experience in a real cyber-attack.
2. Prohibit remote access software.
This attack thrives on two things: the victim’s ignorance and the use of remote access software. Prohibiting the use of remote access software, and preventing employees from installing it, acts as a safety net if an employee is duped by an exceptionally convincing scammer.
3. Segment your network appropriately.
If this sort of attack were to enter your network, could it spread? Segment your network so that attacks like this remain contained in one area of the network and are not able to wreak havoc across systems.
4. Conduct internal penetration testing.
Once you properly segment your network, verify its security by performing internal penetration tests regularly.
5. Monitor the network, and regularly review logs.
As a last line of defense, make sure you’re using a reliable IDS/IPS and have delegated the responsibility for reviewing network logs on a regular basis. If someone with malicious intent makes his way into your systems, you will be alerted to the problem as quickly as possible and will be able to address it according to your incident response process.
Unfortunately, many organizations don’t begin thinking about preventative measures until they have experienced a security breach. Regardless of your company’s current level of preparedness, we’d love to help.