As expected, cyber criminals are taking advantage of recent events and working as hard as ever to
compromise company systems. Recently the Federal Bureau of Investigation (FBI) and the
Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory (A20-233A)
warning of an uptick in voice phishing (vishing) campaigns targeting remote workers.
Vishing is a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward.
Observed threats
Xantrion has received increased reports of suspicious phone calls received by our clients as well as reports from various U.S. agencies warning of similar trends.
The FBI and CISA report that criminal groups have been observed creating fake web sites using the target company’s name and fake login pages designed to look like web portals that employees use regularly for remote access. The criminals then compiled dossiers on individual employees including information such as name, home address, personal phone numbers and their position at the company.
Attackers then called employees from fake phone numbers, spoofing caller ID and posing as members of IT or as other employees of the company:
“The actors used social engineering techniques and, in some cases, posed as members of the victim company’s IT help desk, using their knowledge of the employee’s personally identifiable information—including name, position, duration at company, and home address—to gain the trust of the targeted employee,” the joint alert reads.
It is critical to remain vigilant against this and other kinds of social engineering scams. Cyber crime is big business, and criminals constantly change the tactics they use to trick employees into giving them access to company systems. Xantrion provides the following guidance to help address these threats.
Guidance
Be aware of this increased threat and of the new tactics, in particular suspicious inbound calls. Users should independently verify any inbound call; this is most easily done by hanging up and calling back using a known good phone number.
The FBI/CISA provide these additional tips for end users:
- Verify web links do not have misspellings or contain the wrong domain.
- Bookmark the correct company remote access URL and do not visit alternative URLs on the sole basis of an inbound phone call.
- Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
- If you receive a vishing call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to your company security contacts.
- Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
- Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
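The two link-related tips above (check for misspellings or the wrong domain, and report the domain a caller tried to send you to) can be turned into a small triage check for a help desk or security team. The following is an added example, not code from Xantrion, the FBI or CISA; the portal hostname and the URLs in the comments are constructed placeholders.

```python
# Added example: compare a URL reported from a suspicious call against the
# company's bookmarked remote-access portal and classify it as the real portal,
# a lookalike (misspelled or brand-abusing) domain, or an unrelated domain.
# KNOWN_GOOD_PORTAL is an assumed, constructed hostname.
from urllib.parse import urlsplit

KNOWN_GOOD_PORTAL = "remote.example-corp.com"


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _registered_domain(host: str) -> str:
    """Last two labels of a hostname (naive; no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def classify_link(url: str, good_host: str = KNOWN_GOOD_PORTAL) -> str:
    """Return 'legitimate', 'lookalike' or 'wrong-domain' for the reported URL."""
    if "://" not in url:  # links read out over the phone usually lack a scheme
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    good_reg = _registered_domain(good_host.lower())
    # Only hosts under the company's own registered domain count as legitimate;
    # "remote.example-corp.com.evil.net" does not end with ".example-corp.com".
    if host == good_reg or host.endswith("." + good_reg):
        return "legitimate"
    reg = _registered_domain(host)
    brand = good_reg.split(".")[0]  # e.g. "example-corp"
    # Misspelled registered domain, or the company name embedded in a foreign host.
    if _levenshtein(reg, good_reg) <= 2 or brand in host:
        return "lookalike"
    return "wrong-domain"
```

Run it on the URL a user wrote down from the call; a "lookalike" or "wrong-domain" verdict is what should be relayed to the security contacts together with the caller's phone number.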