Vishing isn’t new. Fraudulent phone calls made by cybercriminals to ‘phish’ victims into sharing money and personal information have been around for many years. But last year reports predicted 2020 as the year vishing would become a daily occurrence, and Doherty has certainly seen a recent rise in attacks propelled by more people working from home during the Covid-19 crisis. According to 2020 figures from the Federal Trade Commission, there have been over 128,000 fraud attacks on phones this year costing $108 million.
Many organisations will have invested in educating employees on threats and installed robust cybersecurity systems such as firewalls and intrusion detection and prevention systems (IDS/IPS) to protect devices in the office. But under the ‘new normal’ way of working, with ONS figures claiming that 50 per cent of people will work from home by the end of 2020, how do organisations keep their employees and those devices safe from vishing attacks and the like once they’re no longer under the protection of the office’s security systems?
Vishing perpetrators can be opportunistic small-time scammers trying to convince their victims to transfer money. Covid-19 means many of these criminals have a lot more time on their hands, looking for new ways to make a living.
At the other end of the scale, perpetrators launch highly organised, specifically targeted attacks with a bigger payday in mind, typically payroll or supplier invoice fraud as the end game. These attacks often involve research, drawing on social media, corporate websites, and leaked email addresses and signatures to build a detailed picture of an organisation and a strategy to exploit it. Without the company’s firewall filtering web access, or the social pressure of the office environment to keep people alert, remote workers suddenly become vulnerable, easy prey.
Take a common vishing scenario. The victim receives a phone call from someone purporting to be from a tech company – Microsoft, Apple or BT Openreach, say. The caller often convinces the victim to download and install remote assistance or malicious software, giving the attacker remote access to the victim’s computer, and manipulates them by leveraging emotions such as fear or greed.
Another vishing attack is supplier invoice fraud, where the attacker convinces the victim to update the bank and payment details held for a supplier, redirecting funds intended for the supplier into the attacker’s account instead. This isn’t such an easy job. The attacker will likely be well prepared and may combine vishing with other types of attack, such as spoofing and phishing, to build credibility in the eyes of the victim. The company believes it is paying its invoices but in reality it is paying the attacker. These invoice frauds can go unnoticed for weeks.
Covid-19 and the rise in vishing
There are a handful of reasons why vishing, which leverages such simple social-engineering methods, has resurged and why it is so successful.
- Many businesses have made hasty changes to allow remote working, often enabling remote access at the cost of security. In some cases, people are even allowed to use their own personal computers.
- People are off their guard when they are in the safety of their own home.
- Technology such as firewalls that protects people while they are in the office normally offers no protection once they are out of it.
A good fundamental security posture can help to limit the risk of vishing attacks. For example, ensuring that all individuals in the organisation have only the permissions they need to do their particular role can help to limit their exposure. These points can best be summarised as “secure by design” or following a principle of “least privilege”. Other effective measures are ensuring that payments are authorised by more than one individual, along with requiring that any changes to supplier banking details are confirmed in writing and by phone call.
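As an added illustration of the payment controls just described (example code, not Doherty’s process or software), here is a small Python model of a supplier bank-detail change that only takes effect once two distinct approvers have signed off, written confirmation is held, and the confirming call was made to the number already on file rather than one quoted in the request. The supplier record, names and phone numbers are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample supplier record as held in the finance system before any change.
SUPPLIER_ON_FILE = {
    "name": "Example Supplies Ltd",          # constructed, not a real supplier
    "phone": "+44 20 7946 0000",            # contact number already on file
    "account": "11111111",
}

@dataclass
class BankDetailChange:
    """A requested change to a supplier's payment details plus the evidence gathered for it."""
    supplier: dict
    new_account: str
    requested_by: str                        # finance user who logged the request
    phone_in_request: str                    # callback number quoted in the request itself
    written_confirmation: bool = False       # written confirmation received from the supplier
    callback_number: Optional[str] = None    # number finance actually dialled
    approvals: set = field(default_factory=set)

    def approve(self, approver: str) -> None:
        """Segregation of duties: the requester cannot also be an approver."""
        if approver == self.requested_by:
            raise PermissionError(f"{approver} raised this change and cannot approve it")
        self.approvals.add(approver)

    def record_callback(self, number_dialled: str) -> None:
        self.callback_number = number_dialled

    def blocking_reasons(self) -> list:
        """Return the controls still unmet; an empty list means the change may take effect."""
        reasons = []
        if not self.written_confirmation:
            reasons.append("no written confirmation from the supplier")
        # The callback must go to the number already on file. A number supplied in the
        # request could have been planted by the attacker, so it never counts.
        if self.callback_number != self.supplier["phone"]:
            reasons.append("callback not made to the number on file")
        if len(self.approvals) < 2:
            reasons.append("fewer than two distinct approvers")
        return reasons

def demo() -> list:
    """Constructed walkthrough: one approver, and the call made to the number in the request."""
    change = BankDetailChange(SUPPLIER_ON_FILE, "99999999", "alice", "+44 7700 900123")
    change.written_confirmation = True
    change.record_callback(change.phone_in_request)   # the tempting shortcut
    change.approve("bob")
    return change.blocking_reasons()
```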
Technically, there are a few options to help in this scenario too. For instance, cost-effective wireless access points are available which can extend the company’s Wi-Fi into remote workers’ homes. These solutions make remotely connecting to the office simple, secure and private, and connecting company laptops to the company network this way lets the company’s firewall help protect the remote worker.
Although such a solution can’t prevent people taking a vishing call, it can prevent the download of remote-control tools or access to malicious websites.
This solution elegantly avoids any privacy concerns since only corporate traffic uses the connection – personal devices can continue to use the normal home Wi-Fi.
Communication is the key
Since vishing is such a low-tech method of attack, it can be difficult to protect against with technical measures. Often what makes the difference is whether the individual taking the call is wary of the threat. Communicating with employees about cyber-risk, giving them clear security awareness training, and perhaps even simulating phishing attacks can be effective ways of improving the human defences in your organisation. A number of cost-effective tools are available to deliver training and awareness and to simulate phishing events. If people in your organisation are suspicious of a call, encourage them to hang up and call back on a trusted number. By stoking a healthy level of suspicion, teams will know to look out for the techniques vishing criminals use.
If these processes and technical measures fail and your organisation does fall victim, having a clearly defined Security Incident Response plan is essential. There are a handful of required actions during a response (for example, you must consider whether it’s necessary to notify the ICO, notify Action Fraud and potentially notify any GDPR data subjects), and a pre-defined plan will ensure that none are missed. The plan should include a template communication to customers, so that the company is ready to draft a thorough and complete communication at the time of the incident rather than hastily cobbling together a message in the heat of the moment.
Having cyber-insurance is also a great comfort. Although it can’t prevent a breach, it will typically connect you with appropriate PR resources, legal advice, and technical forensic experts to help manage the fallout.
IT security should be a multi-layer approach, with each layer helping to protect your organisation. Some layers might have been stripped away to enable remote working quickly, so it’s vital to be aware of this, understand what it means and know how to plug the gaps. Technical measures are available, and following good practice in advance can help reduce exposure. In many cases the weakest link is the people, and we need to help them develop a healthy level of suspicion.
Caleb Mills, Technical Director, Doherty Associates