Unique Cyber Vishing Threat Emerges

September 4, 2020 Published Article

WARNING: Cyber criminals are now trying to take advantage of the large part of the work force that is now working remotely from their homes.  That includes each of your employees who are teleworking.  The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning that cyber criminals are posing as companies’ IT officers who persuade workers to disclose sensitive data, including log in information. 

The recent, successful attacks have involved vishing, which is voice phishing, i.e. scammers call workers on their cell phones and direct them as IT officers to turn over important information.  As your company is likely doing, many companies are utilizing virtual private networks (VPNs), which allow worker to log into the same system remotely.  The attackers were able hack into the computer systems through the VPNs because they were successful in calling workers and convincing them to provide their usernames and passwords so that the workers could log into “new links” to the VPNs.  Before calling the victims, the criminals compiled information on them, such as length of employment, which was gleaned from social media profiles and other public platforms.  That information was then used to more credibly pose as IT officers and gain the victims’ trust.  To make matters worse, the criminals then used information available in the systems to conduct additional attacks.

Mitigate the Risks

The FBI and CISA have recommended taking concrete steps to mitigate the chances of these vishing attacks from being successful, such as:

(1) Limiting VPN access hours. Limiting access hours also limits the amount of time the computer system is exposed to potential attacks.

(2) Educating employees about these kind of attacks and asking them to question unsolicited phone calls (to supplement regular, periodic cyber security training).  Most successful cyber attacks are not front attacks on computer systems.  Rather, they involve tricking users. As such, employees are the first line of defense, so they must be adequately trained.

(3) Asking employees to limit the amount of information on social media that is publically available. Vishing attackers are less likely to be successful if they appear less credible to employees due to the lack of information on the intended victims.

(4) Consider purchasing a cyber security insurance policy if you do not have one. Unless you have a cyber security insurance policy, your existing insurance likely would not cover a successful vishing attack.

How Can We Help

Newmeyer Dillion can support a company’s cyber security in a variety of ways, such as providing employee training procedures and programs, connecting you with technical experts to review your system security, performing regulatory audits to ensure you are properly protecting private information, providing incident response steps and game plans, and reviewing your insurance coverage to ensure cyber security risks are covered.  We would love to discuss any aspect of cyber security if you have any questions.

The new remote work environment presents new, unique challenges that we all must adapt to.  Guarding against evolving cyber attacks is one of those challenges.  Stay up to date on the cyber risks and be vigilant.