Vishing – a Growing Tradecraft

Recent reporting has shown an increase in social engineering campaigns that use vishing (“voice phishing”). These attacks manipulate computer users into giving out confidential user information over a phone call. In most cases, the attackers use the stolen credentials to mine the victim company’s databases for its customers’ personal information, which they leverage in other attacks with the end goal of monetizing the access.

Although these tactics have been in use since the early 2000s, the campaigns have grown more sophisticated: actors now combine open-source research on social media platforms, recruiter and marketing networks, and publicly available background check services. Information collected often includes name, home address, personal mobile number, position at a company, and duration at a company.

Once a company has been targeted and victim dossiers have been created, actors apply social engineering techniques, using one-on-one phone calls and custom domain phishing sites to steal VPN credentials from employees.

Businesses are encouraged to refresh security awareness and training for all network users, including a review of the protocols for communicating network-related issues or updates. Further steps to consider for multi-factor security may include a USB-based device that implements the authentication standard known as Universal 2nd Factor (U2F), which allows the user to complete the login process only by inserting the USB device. Security managers and key cybersecurity stakeholders within each organization must remain aware of the evolving threat landscape in order to implement new technology defenses.