Email is the most common way that cybercriminals reach employees, but there was a major increase in vishing attacks on businesses in 2022, with Agari reporting a 625% increase from Q1 to Q2 2022. Ransomware gangs mostly gain access to business networks through email phishing, but groups that have broken away from the Conti ransomware operation have readopted the hybrid phishing attack techniques used by the group's predecessor, Ryuk: contact is made with targeted individuals via email, and vishing is then used to get those individuals to give the attackers account and network access.
You may already be familiar with vishing, or voice phishing as it is otherwise known. It is the use of social engineering over the telephone to manipulate people into revealing sensitive information such as login credentials, or to trick them into opening a remote-control session on their computer or installing malware that gives the attacker remote access to the device.
Many vishing attacks are speculative: an attacker obtains phone numbers and impersonates a broadband provider or other trusted entity in a tech support scam, where the target is tricked into thinking they have a malware infection or other issue that must be dealt with urgently. The ransomware gangs instead conduct callback phishing attacks, where initial contact is made via email and the user is told to call the provided number to avoid a charge to their account, typically for a subscription that is about to renew or a free trial that is about to end.
As with email phishing, scammers give many reasons why action needs to be taken. Steps are also taken to make these scams more realistic, such as spoofing caller IDs so that the call appears to come from a local area number or even from a trusted number. The latter occurred in a vishing campaign targeting the Michigan healthcare provider Spectrum Health, where the calls appeared to have been made from a Spectrum Health phone number.
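To make the callback-phishing lure concrete from the defender's side, here is an added example (not code from the article or from TitanHQ) that triages an email for the ingredients described above: a phone number to call, a subscription/renewal/free-trial pretext, and urgency language. The scoring weights, the flag threshold, and the three sample messages (using numbers from the reserved 555 range) are constructed for illustration; the "no URL at all" heuristic is an analyst assumption, not something the article states.

```python
import re
from dataclasses import dataclass, field

# North American style numbers, e.g. 1-800-555-0142 or (415) 555-0100.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
CALL_VERB_RE = re.compile(r"\b(?:call|phone|dial)\b")

# Lure vocabulary: the "subscription about to renew / free trial ending /
# charge to your account" pretexts the article describes.
BILLING_TERMS = ("subscription", "renew", "free trial", "charged", "invoice", "payment")
URGENCY_TERMS = ("within 24 hours", "immediately", "today", "avoid")

FLAG_THRESHOLD = 4  # constructed weight; tune against your own mail corpus


@dataclass
class Verdict:
    score: int
    flagged: bool
    reasons: list = field(default_factory=list)


def score_callback_phish(subject: str, body: str) -> Verdict:
    """Heuristic triage score for a callback-phishing (vishing lure) email."""
    text = f"{subject}\n{body}".lower()
    score = 0
    reasons = []

    phones = PHONE_RE.findall(text)
    if phones:
        score += 2
        reasons.append(f"phone number(s) in message: {phones}")

    hits = [t for t in BILLING_TERMS if t in text]
    if hits:
        score += 1
        reasons.append(f"billing/renewal pretext: {hits}")

    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        score += 1
        reasons.append(f"urgency language: {hits}")

    if phones and CALL_VERB_RE.search(text):
        score += 1
        reasons.append("recipient is told to call the number")

    # Assumption (analyst heuristic, not from the article): a message whose
    # only offered action is a phone call, with no link at all, gives
    # URL-based email filters nothing to act on and deserves a closer look.
    if phones and not URL_RE.search(text):
        score += 1
        reasons.append("no URL; the phone call is the only call to action")

    return Verdict(score, score >= FLAG_THRESHOLD, reasons)


# Constructed sample messages (not from the article) as (subject, body).
SAMPLES = {
    "lure": (
        "Your protection plan renews today",
        "Your annual software protection plan will renew today and your card "
        "will be charged $399.99. To cancel and avoid the charge, call "
        "1-800-555-0142 within 24 hours.",
    ),
    "benign_invoice": (
        "Your invoice is ready",
        "Your monthly invoice for March is available to view at "
        "https://billing.example.com/invoices. Payment will be collected on "
        "your usual date; no action is needed.",
    ),
    "internal_note": (
        "Room booking",
        "The meeting room moved to 4B. Reach me on (415) 555-0100 if that "
        "does not work for you.",
    ),
}

if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        v = score_callback_phish(subject, body)
        print(f"{name:15} score={v.score} flagged={v.flagged}")
        for r in v.reasons:
            print("   -", r)
```

Run as a script it prints a score and the reasons for each sample; only the lure crosses the threshold, while the internal note with a phone number but no pretext or urgency stays below it. The output is meant to feed a mail-gateway quarantine-for-review rule or a SOC triage queue, not to block on its own.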
These types of scams can be highly effective against businesses. Most businesses have implemented email security solutions that can detect and block phishing emails, but email security solutions will not block vishing attacks. The voice network is largely unprotected.
Voice traffic filters can be used to filter out calls from numbers that are known to be used for scams. In the United Kingdom, the phone carrier EE says it uses AI-based technology to block scam phone calls and has blocked 11 million such calls since implementing the technology, but scammers can simply change the numbers they use. The main defense against these scams is security awareness training.
Employees may be aware that phishing threats will land in their inboxes, but they may not be aware that phishing can also take place over the phone. Awareness of these scams should be improved through security awareness training, and employees should be taught the signs of a vishing attack so they can identify and avoid these scams.
TitanHQ can help in this regard. TitanHQ offers a comprehensive security awareness training platform, SafeTitan, for educating the workforce on the full range of cyber threats, including email phishing, vishing, and smishing attacks. The training content is gamified and engaging and has been proven to reduce the susceptibility of employees to scams such as phishing and vishing.
For more information on improving your human cybersecurity defenses, give the TitanHQ team a call.