Vishing: Protecting Your Organization from Voice-Driven Attacks

Vishing, a blend of voice and phishing attacks that traditionally targeted consumers to compromise their financial accounts, is now an emerging threat to modern enterprises. Tech support and help desk sectors are increasingly experiencing vishing incidents. The recent MGM Resorts International vishing-led attack highlights the staggering impacts, including multi-million dollar payouts and substantial downtime, that organizations are facing.

While the repercussions from newsworthy attacks continue to unfold, there are vital insights organizations should be aware of and preventative steps to take now for increased protection.

Key Insights Your Organization Needs to Know:

Why Organizations Are at Risk

• Targeting People: The advancement of cybersecurity is making hacking technology more time-consuming, leading some criminals to move away from exploiting software flaws to using more forward, manipulative approaches to get what they desire from humans.
• Information Flow: The easy availability of data from platforms like social media and the darknet enhances the authenticity of scams.
• Trust in Calls: Employees’ inherent trust in telephone communication is a potential weak link that vishers exploit.
• Sophisticated Spoofing Techniques: With VoIP technology, attackers can mask their location and even spoof a legitimate organization’s phone number, making the deception more convincing.
• Unprotected Voice Data: Most organizations have data link protection but lack control over voice over IP cloud-based data and continuous SPAM blocking. “Unknown Caller” ID makes it easier for criminals to access sensitive voice data.

Why Tech Support and Help Desks are Prime Targets

• Elevated Privileges: Tech support personnel often have access to critical systems, making them attractive targets.
• Nature of Job: The innate drive of support staff to assist can inadvertently lead to security breaches.
• High Volume of Interactions: The sheer number of daily calls these teams handle – without a voice authentication solution – makes it harder for the listener to discern a legitimate call from a vishing attempt.

Common Vishing Scenarios Targeting Tech Support:

• Impersonating Employees: By pretending to be new team members, attackers can solicit help, potentially bypassing security measures.
• Urgent Requests: Vishers create a sense of urgency, prompting staff to sidestep standard protocols.
• Vendor Impersonation: Attackers can masquerade as external vendors to gain or verify system-related information

Understanding a Visher’s Modus Operandi

Understanding a visher’s modus operandi is crucial for designing effective countermeasures. Here’s a step-by-step breakdown of a typical vishing attack:

1. Research: Vishers meticulously study company hierarchies and collect data on key personnel.
2. Pretext Creation: Based on their research, a visher develops a convincing narrative to deceive their target.
3. Timing: The optimal timing for an attack includes periods of significant organizational flux or off-hours.
4. Attack Call: Modern technology like VoIP may hide the caller’s true identity.
5. Extraction: Through persuasion and deceit, a visher entices their victim into revealing confidential data.
6. Covering the Tracks: After a successful attack, a visher will often distract their victim with additional tasks or requests to delay discovery.

Critical Elements Related to Vishing

• ‘Smishing’: This is a form of phishing using text messages, often containing harmful links.
• Pretexting: Vishers craft detailed, fake scenarios to elicit personal information from unsuspecting targets.
• Caller ID Spoofing: Modern technology allows criminals to manipulate caller ID information, making it seem like they are calling from a trusted number.

Preventive Steps to Implement Now:

• Education and Training: Continuous and relative training helps support teams to quickly identify and thwart vishing attempts.
• Block unwanted phone calls: Employing tools that block SPAM and keeping database security measures updated is crucial.
• Identity Threat Detection & Response: Implement a mature insider threat program that includes approaches for detecting IAM changes and malicious activities focused on protecting the organization’s identity fabric (IdP, SSO, PAM, Directory, and others.)
• Multi-Factor Authentication (MFA): Implementing MFA wherever possible helps ensure that even if a visher acquires login credentials, they cannot access the system without the second authentication factor.
• Behavioral Biometrics: Behavioral biometrics can profile and identify unusual patterns. Any abnormal behavior may suggest that a visher is attempting to use stolen information to illegally access a digital platform.
• Caller Verification Procedures: Implement strict verification processes for all inbound calls to tech support or help desk.
• Limiting Data Access: Ensure that tech support or help desk staff have access only to the data they need to limit the potential damage from a successful vishing attempt.
• Incident Response Plan: Have a clear response plan for a successful vishing attempt, including immediate steps to mitigate damage and steps for recovery.
• Rapid Escalation Procedure: Initiate a rapid escalation response from the help desk to management, who will deny any emergency access before verifying the caller’s identity. This procedure gives the help desk an “out” when pressured to make a change out of their typical process.
• Automated Password Reset: Implementing automated password reset technology will reduce the number of emergency calls to the help desk, allowing more focus on each request, and reduce the muscle memory response of hitting “reset.”
• Visual Validation: Consider integrating facial biometrics into your identity environment.

Conclusion

Vishing is a significant threat in today’s digital age. Technology has made communication easier, but it has also opened newer avenues for fraud. While vishing has traditionally targeted consumers in the financial sector, the shift towards tech support and help desk targets presents unique challenges for organizations. Organizations must recognize this and invest in continuous training, robust identity security, and a culture that where caution and verification are valued over haste. Staying informed and exercising caution can go a long way in ensuring protection. Remember, when in doubt, hang up and verify through trusted channels.