Recent reports indicate that corporate VPNs have become the latest target of vishing attacks. Voice phishing preys on unsuspecting work-from-home employees.
The pandemic forced many companies to rely on the work-from-home scheme. By allowing employees to work from home, these companies managed to continue operating despite the lockdown restrictions.
Working from home, though, posed one significant challenge: cybersecurity. Corporate VPNs served to address this challenge. Still, measures such as this do not make a company safe from imaginative cybercriminals.
The latest slew of cybercriminal activities forced the FBI and CISA to issue an advisory to warn companies against this newest campaign.
The latest vishing campaign was discovered in mid-July 2020. These attacks targeted work-from-home employees to gain access to their tools and monetize that stolen access.
How did the vishing campaign operate?
The attackers typically target telecom, financial, and social media companies. The scheme usually requires two cybercriminals working together. One makes the phone call to the employee and tries to steal the employee's login credentials. The partner then attempts to log in to the target company's VPN using the stolen credentials.
To earn the trust of the target employee, the group needs to make themselves look legitimate. To do this, they set up phishing pages that spoof the target company's website.
Once the spoofed website is up, they start calling the target employee. The caller poses as a member of the target company's IT staff. The aim is to convince the target that the call is a legitimate business call.
The next step is to direct the employee to the fake website. The employee then inputs his credentials, thereby divulging the sensitive information to the attackers.
How do you protect yourself from phishing scams?
Voice phishing
Vishing is a form of phishing scam. The term describes the act of stealing sensitive information over the phone. There are two things you can do to protect yourself from vishing. First, always be suspicious; it is your first line of defense. Drill the caller with probing questions. Legitimate callers will be consistent and firm in their answers.
Second, never give out your personal information, and never trust the caller ID. Call your company directly to confirm that the call is legitimate.
Email phishing
An email phishing scam attempts to steal personal information through emails. An email phishing message usually convinces the victim to click the provided link. That link points to a fake webpage designed to capture personal or financial information.
How do you protect yourself from such an attack? First, never click on any links contained in the email. Instead, investigate the website by copying the link and pasting it into your browser. Pay attention to details: spelling and grammar errors can be telltale signs of a phishing attempt.
Tech support call
In a tech support phishing scam, the caller poses as someone from a security software firm. They will try to convince you that your system has been compromised. Do not panic. Instead, ask for their contact information and tell them you will call them back. Then look up the number and check whether it is the firm's legitimate phone number.