Cybercriminals have been using the COVID-19 pandemic as a central theme in all kinds of crisis-related email phishing campaigns. Because of the rise of the number of at-home workers, vishing attack has become increasingly common over the past few months.

Vishing attacks: phishing campaigns executed via phone calls. Modern vishing attacks use research-based social engineering to attack targets with convincing scams.

Like with other social engineering attacks, the ultimate goal is to gain access to corporate networks and data or to get other information that can be used to commit fraud. Vishing attacks are designed to build relationships with employees, eventually convincing them to give away confidential information or to click on malicious links that are sent to them by the visher.

It might seem like vishing attacks are a consumer problem only. But, in reality, businesses can be impacted too. Especially now, as a significant portion of employees across the country is working from home. Employees not only have corporate information stored on their personal devices, but they also generally have remote access to internal corporate resources.

The reasons why vishing has become more common

• People are actually at home to receive calls, giving threat actors more hours to connect with live targets.
• Everyone is on high alert for information about the pandemic, stimulus checks, unemployment compensation, ways to donate to charitable organizations, and other COVID-related topics, providing attackers with an endless supply of vishing social engineering options.

Cybercriminals conduct research and use personal information – the last four digits of a social security number. For example to build credibility and fool their victims into thinking they are speaking with legitimate sources.

Typically, cyber criminals obtain personally identifiable information in one of three ways:

• Social Media: Many social media profiles are not protected from public view. They serve as a treasure trove of personal information that can be used for building attacks. For example, listing your place of employment with an employee badge not only lets an attacker know where you work, but what the company badge looks like for replication purposes.“About You” sections of social media accounts often reveal personal information that can be used for password reset fields your favorite color, your dog’s name, or the city you were born. And detailed posts outlining work projects, professional affiliations, and technologies you’re using all help build a valid pretext scenario.
• Search engines: An individual’s name, address, date of birth, or marital status, and photo of the signature can often be found online via local government public records sites. Many people don’t realize how much personal information can be found via a simple online search. As a result, when an attacker uses things like the last four digits of their social security number, the town in which they live, or the names of their children, victims assume the person they are speaking to is a credible source, and they don’t think twice about divulging information that they would otherwise keep private.

• Password dumps: There has been no shortage of public data breaches that have resulted in extensive password dumps containing usernames, email addresses, and passwords of compromised accounts. Individuals often reuse passwords across different accounts, which makes it easy for attackers to hack their way in through “credential stuffing.” For example, a LinkedIn password and user email address exposed in a breach could be used to access bank or e-commerce accounts.Mitigations & Recommendations:
  • It is highly recommended to keep social media accounts private and use different passwords for different accounts. Password policies must be defined and communicated to employees.
  • Standard security controls should be implemented in the system. For example,

  Web filters, antivirus software, and endpoint detection and response solutions.

  • Enable multi-factor authentication. It can be effective in thwarting
  • It’s important to make sure remote workers and all employees know how to identify suspicious callers, just like they should know how to identify suspicious emails.
  • Supplementing employee education with the proper security controls is a good starting point to keep your staff and your business safe regardless of who’s on the other end of the line.