For years, businesses and individuals have diligently worked to avoid phishing scams sent via email or text. A new threat has entered the scamming market, aimed largely at small businesses: Voice phishing scams (also known as vishing) using social engineering.
A recent alert from the Cybersecurity and Infrastructure Security Agency (CISA), issued jointly with the Federal Bureau of Investigation (FBI), provides the details.
In vishing scams that target the business sector, a scammer calls on the phone and may use intimidation to convince the employee to provide access. In some cases, the scammer may pose as a coworker from the company’s IT department who’s been assigned to install a software update that’s actually malware.
Uptick in Cases
Vishing scams have been around for years. But the proliferation of employees working from home during the novel coronavirus pandemic has led to a significant uptick in these scams in 2020. Why? At-home networks often provide less security than in-office networks — and some companies haven’t had the time or resources to update their security protocols for remote access. Fraudsters have seized this opportunity to target stay-at-home employees.
Vishing attacks gained momentum over the summer, according to the CISA advisory. The fraudsters typically exploit holes in the security system of virtual private networks (VPNs) set up to accommodate employees working from home.
Four Steps Involved in a Typical Vishing Scam:
1. The so-called visher creates a website that replicates or closely resembles the company’s VPN login page, registers it under a domain that combines the company’s name with words such as “support” or “employee,” and obtains a secure sockets layer (SSL) certificate for that domain.
2. The visher compiles a dossier on an employee, including the employee’s full name and address, phone number, and position at the company. This information can often be obtained from public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and other resources.
3. The visher contacts the employee through a voice over Internet protocol (VoIP) number or a spoofed phone number that appears to belong to other employees or departments at the company. Typically, the scammer impersonates IT help desk workers and gains the employee’s trust by drawing on the dossier of personal information.
4. The visher convinces the target that he or she will receive a new VPN link that requires login information. This may include two-factor authentication, a password alone, or both. In some cases, the employee mistakenly believes access has already been granted to the IT desk impersonator and approves the prompt. In other cases, hackers employ SIM swapping attacks to circumvent security measures.
The company’s proprietary and trade secret information becomes exposed through this process. This could lead to substantial ransom costs, forensic fees and expenses, employee and customer notice obligations, and even liability for security breaches.
Preventing an Attack
Fortunately, the CISA advisory does more than just alert the business sector to the potential dangers of vishing. It also outlines the following steps for companies to take for greater protection against these sophisticated attacks.
- Restrict VPN access hours and VPN connections to managed devices only. Use mechanisms like hardware checks or installed certificates, so user input alone isn’t enough to access the corporate VPN.
- Employ domain monitoring to help you track the creation of, or changes to, corporate, brand-name domains.
- Actively scan and monitor web applications for unauthorized access, modification and anomalous activities.
- Employ the principle of least privilege and software restriction policies.
- Monitor authorized user accesses and usage.
In addition, employers might consider a formalized authentication process for employee-to-employee communications made over the public telephone network, where a second factor is used to authenticate the call before sensitive information is discussed.
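The domain monitoring the advisory recommends can be scripted against the naming pattern described in step one (company name combined with words such as “support” or “employee”) and against near-miss spellings of the name. The Python below is an added example for this article, not code from CISA, the FBI or the firm; the brand “acme”, the `.example` hostnames, and every suspect keyword other than “support” and “employee” are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
# "support" and "employee" are the words the advisory reports being combined with
# the company name; the remaining entries are added here as a common extension.
SUSPECT_KEYWORDS = ("support", "employee", "vpn", "login", "help", "ticket", "portal")
# Visually confusable substitutions folded before comparing against the brand.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"))

def registrable_label(hostname: str) -> str:
    """'acme-support' for 'vpn.acme-support.example'. Simplification: assumes a
    one-label public suffix; a real monitor would consult the Public Suffix List."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label: str) -> str:
    """Drop separators and fold confusables: 'acrne-support' -> 'acmesupport'."""
    label = re.sub(r"[-_]", "", label)
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label

def classify_domain(hostname: str, brand: str, owned: frozenset) -> list:
    """Reasons a newly observed hostname resembles a brand impersonation;
    an empty list means nothing suspicious (our own labels are skipped)."""
    label = registrable_label(hostname)
    if label in owned:
        return []
    brand_n, norm = brand.lower(), normalize(label)
    # Record suspect words found outside the brand, then strip them so the rest
    # of the label can be compared against the brand on its own.
    keywords = [kw for kw in SUSPECT_KEYWORDS if kw in norm.replace(brand_n, "")]
    core = norm
    for kw in keywords:
        core = core.replace(kw, "")
    if brand_n in core:
        return [f"brand+keyword:{kw}" for kw in keywords] or ["brand-embedded"]
    ratio = SequenceMatcher(None, core, brand_n).ratio()  # 1.0 means identical
    if ratio >= 0.75:  # a one-character edit of a short brand lands about here
        return [f"lookalike:{ratio:.2f}"] + [f"keyword:{kw}" for kw in keywords]
    return []

def scan_feed(feed, brand, owned) -> dict:
    return {h: r for h in feed if (r := classify_domain(h, brand, owned))}

if __name__ == "__main__":
    # Constructed sample feed (not real domains) for the fictitious brand "acme".
    feed = ["vpn.acme.example", "acme-support.example", "employee-acme.example",
            "acrne-employee.example", "acne-login.example", "unrelated-shop.example"]
    for host, reasons in scan_feed(feed, "acme", frozenset({"acme"})).items():
        print(f"{host:26} {', '.join(reasons)}")
```

In practice the feed would come from certificate transparency logs or a newly-registered-domain service, and flagged entries would feed a takedown or blocklist workflow.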
Many workplaces expect remote working arrangements to outlast the COVID-19 crisis — and cybercriminals will continue to find ways to exploit home-based networks. Cybersecurity training can help update employees on proper network use, security issues, and when to call a secure IT number. Remind employees to be suspicious of any request for their logins and credentials or other personal information. Provide detailed instructions for contacting the appropriate personnel if they have any security concerns.
Your company’s professional advisors can also be valuable assets as your organization adjusts to work-from-home arrangements. Contact them to discuss your concerns and help fortify your company’s cybersecurity measures.
© Copyright 2021 Thomson Reuters.
Disclaimer of Liability
Our firm provides the information in this e-newsletter for general guidance only; it does not constitute the provision of legal advice, tax advice, accounting services, investment advice or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisors. Before making any decision or taking any action, you should consult a professional advisor who has been provided with all pertinent facts relevant to your particular situation. Tax articles in this e-newsletter are not intended to be used, and cannot be used by any taxpayer, for the purpose of avoiding accuracy-related penalties that may be imposed on the taxpayer. The information is provided “as is,” with no assurance or guarantee of completeness, accuracy or timeliness of the information, and without warranty of any kind, express or implied, including but not limited to warranties of performance, merchantability and fitness for a particular purpose.