Cybercrime has become increasingly widespread and more sophisticated in recent years. On top of that, it’s worth noting that the current global pandemic hasn’t reduced cybercrime activities at all. If anything, it even spurred on hackers to target employees especially now that most are working from their own homes.
One particular technique cybercriminals employ today is vishing.
Short for voice phishing, this involves criminals defrauding or duping people to collect information. However, instead of doing it through email as in typical phishing attacks, scammers use phone calls and voicemail messages. Furthermore, they usually pretend to be an IT technician or support staff.
To help you protect yourself, your employees, and your organisation from vishing attacks, it pays to know how they work. With that, here’s a brief outline of the phases involved in a sophisticated vishing attack:
1. Scouting
In this phase, hackers choose a target company and start researching on its employees. Then, they compile information on them based on available data on their social media accounts.
2.Setting Up the Trap
The next step hackers usually do is duplicate their target company’s internal VPN login page. These are designed to capture an employee’s password and two-factor authentication token.
This is the crucial part of their ploy as it is what enables them to infiltrate a company’s VPN and gain access to confidential data.
3. Execution
Once the traps are all set up, hackers proceed to contact employees. They often pose as an IT technician and bring up a “serious security concern”.
They can easily make their act believable by leveraging the information they’ve previously gathered about employees. Considering this, they can convince them to log in to the duplicate VPN login page they made.
Once employees input their credentials on this login site, it’s game over. Hackers now have access to the employee’s entire suite of credentials.
4. Mining Corporate Data
Once inside, hackers use the limited-time VPN access to freely extract their target company’s databases, records, and files. They then use all of the corporate data they have mined to enhance their ransomware threats.
What to Do to Protect Your Company from Vishing Attacks
When it comes to protecting your company from vishing attacks, you have to remember that it’s a group effort. It’s not enough for you to educate yourself about it and install additional security measures yourself. You must also ensure that your employees are on the same page.
Particularly, here are some strategies that can help:
- Educate your employees on how to identify and avoid vishing attacks.
- Monitor authorised user accesses and usage regularly.
- Have a two-factor authentication for key communications within the organisation and those with clients.
- Restrict VPN connections to company-managed devices only.
- Install activity timers that reset after every 2-3 hours. This will require regular re-authentication by employees.
Hackers are becoming more creative and resourceful when it comes to stealing confidential information. One form of cyberattack you must be on the lookout for nowadays is vishing, especially with your team dispersed.
The first step to protecting your company from this ransomware attack is educating yourself and your whole team about it. Aside from that, you must install additional layers of security wherever possible. While all of these may sound like extra work, they are crucial in safeguarding your business, your employees, and the trust your clients gave you.
Need help with anti-phishing and vishing prevention? FraudWatch International has you covered! Our teams of security professionals work around the clock to protect your brand and your clients from phishing malware. Don’t let your company fall victim to such attacks—contact us today!