Why Are Vishing Attacks on the Rise During the COVID-19 Pandemic?
The United States Federal Bureau of Investigation has issued a formal statement warning the public about the increase in vishing attacks. The warning was issued in mid-January 2021.
You may already be familiar with phishing and smishing: respectively, e-mail and SMS-based attacks that seek to fool the victim into entering their credentials or disclosing personally identifiable information, which is then stolen by the actors behind the attack.
However, it seems like the infosec community cannot go a few months without making up another term for something that has existed for years.
Vishing is just another name for scams and frauds executed using phone calls. In these calls, much like in phishing and smishing attacks, the bad actors seek to gain personal information that will potentially allow them to access the victim's online accounts.
The FBI is warning that vishing attacks have become particularly focused on people working in positions that could allow the hackers to gain elevated access to their company's network.
The Bureau stated that this type of attack is becoming more and more common because of the new working conditions under the global COVID-19 lockdown. With people working from home, the protocols and general oversight of network access may be laxer, allowing bad actors easier access to company networks.
The FBI warning details an attack vector that is common to all phishing and related attacks. Using voice calls, the attackers trick company employees into opening fake login pages, which capture any entered information, such as login details, and funnel it directly to the hackers.
The stolen account information is later used to infiltrate company networks, elevate the privileges of the compromised account, and download and deploy further malware.
According to the FBI, the most common trick used to lure victims is the false pretense that the company is using a new VPN service. Victims are encouraged to log into the fake new VPN, and their information is stolen when they do.
The simplest thing to do in cases of vishing, according to the Bureau, is to first and foremost verify the identity of the person on the other end of the call and always double-check any website you are told to open.
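The "double-check any website" step can be made mechanical. The following Python function is an added example, not part of the FBI warning or the original article: it checks a URL someone was told to open against a list of login hosts published by IT. The `example.com` hostnames, the allowlist itself and the name `check_login_url` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hostnames IT has published as the company's real login portals.
# The example.com names are placeholders, not taken from the article.
ALLOWED_LOGIN_HOSTS = frozenset({"vpn.example.com", "sso.example.com"})


def check_login_url(url, allowed_hosts=ALLOWED_LOGIN_HOSTS):
    """Return (ok, reason) for a URL an employee was told to open."""
    try:
        parts = urlsplit(url.strip())
        host, port = parts.hostname, parts.port  # .port raises on invalid ports
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if not host:
        return False, "no hostname"
    host = host.rstrip(".")  # "vpn.example.com." is the same host
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False, "internationalized hostname, possible lookalike"
    if port not in (None, 443):
        return False, "unexpected port"
    # Exact match only: suffix or substring matching would accept
    # "vpn.example.com.portal.test" or "vpn-example.com".
    if host not in allowed_hosts:
        return False, "host not on the published allowlist"
    return True, "host matches the published allowlist"


# Constructed sample URLs (reserved example.com / .test names).
SAMPLES = [
    "https://vpn.example.com/login",
    "https://vpn.example.com@portal.test/login",
    "https://vpn.example.com.portal.test/login",
    "https://vpn-example.com/login",
    "http://vpn.example.com/login",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        ok, reason = check_login_url(sample)
        print(f"{'ALLOW' if ok else 'BLOCK'}  {sample}  ({reason})")
```

A passing check only says the hostname is one the company has published; it does not replace verifying the caller's identity through a known internal number.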