Last week, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint release warning the public of a rise in ‘vishing’, or voice phishing, attacks on organisations. The release indicates that the tactic has been used increasingly since mid-July, and attributes this to a “mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and elimination of in-person verification”.
In a vishing attack, the criminals obtain employees’ credentials over the phone and use them to mine further sensitive data from the organisation’s databases, which they then put to use in other attacks.
The attackers register domains and build phishing pages that resemble the company’s VPN login page, capturing the two-factor authentication codes or one-time passwords entered there. They also collect “dossiers on the employees at specific companies using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.” They then call the victims and, often, impersonate the company’s IT help desk, using the collected information to sound more believable.
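The first step above, registering a domain that imitates the company’s VPN login host, is the one a defender can watch for before any employee is called. The following is an added example, not code from the FBI/CISA release or from this article: it scores candidate hostnames (as they might arrive from a certificate-transparency or newly-registered-domain feed) against an organisation’s own VPN and SSO hostnames. The organisation name, hostnames, allowlist and candidate list are constructed for illustration; the confusable-character table and the decoy-word list are assumptions a team would tune to its own brand.

```python
"""Flag newly seen domains that imitate an organisation's VPN/SSO hostnames.

Added example for this article, not from the FBI/CISA release. Hostnames,
brand and candidate list are constructed; in practice the candidates would
come from a certificate-transparency or newly-registered-domain feed.
"""
import re
from dataclasses import dataclass

# Character swaps attackers use so a lookalike passes a quick glance (assumed list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Words bolted onto a brand name to make a phishing host look like an IT portal (assumed list).
DECOY_TOKENS = {"vpn", "sso", "login", "portal", "secure", "remote", "access",
                "auth", "my", "helpdesk", "it", "support", "okta", "citrix"}


def normalize(label: str) -> str:
    """Lower-case a DNS label and collapse common confusable sequences."""
    s = label.lower()
    for lookalike, canonical in CONFUSABLES:
        s = s.replace(lookalike, canonical)
    return s


def core_labels(host: str) -> list[str]:
    """Split a hostname on '.', '-' and '_', then drop the TLD and decoy words.

    Assumption: a single-label public suffix (.com, .net). For .co.uk-style
    suffixes, strip the suffix with a public-suffix library instead.
    """
    parts = [p for p in re.split(r"[.\-_]", host.lower().strip(".")) if p]
    if len(parts) > 1:
        parts = parts[:-1]
    return [p for p in parts if p not in DECOY_TOKENS]


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    host: str
    suspicious: bool
    reason: str


def brand_labels(legit_hosts: list[str]) -> set[str]:
    """Derive the brand label(s) to protect from the organisation's own hostnames."""
    return {normalize(label) for h in legit_hosts for label in core_labels(h)}


def classify(host: str, brands: set[str], allowlist: set[str]) -> Verdict:
    """Exact, homoglyph, embedded and near-miss matches are all flagged; owned domains are not."""
    h = host.lower().strip(".")
    if h in allowlist or any(h.endswith("." + a) for a in allowlist):
        return Verdict(host, False, "allowlisted")
    for label in core_labels(h):
        n = normalize(label)
        for b in brands:
            if n == b:
                kind = "exact" if label == b else "homoglyph"
                return Verdict(host, True, f"{kind} match on brand '{b}' in label '{label}'")
            if b in n:
                return Verdict(host, True, f"brand '{b}' embedded in label '{label}'")
            budget = 1 if len(b) < 8 else 2  # edit budget scales with brand length
            if levenshtein(n, b) <= budget:
                return Verdict(host, True, f"label '{label}' within {budget} edits of '{b}'")
    return Verdict(host, False, "no brand resemblance")


def scan(candidates: list[str], legit_hosts: list[str], allowlist: set[str]) -> list[Verdict]:
    brands = brand_labels(legit_hosts)
    return [classify(c, brands, allowlist) for c in candidates]


# Constructed sample data (not real organisations or registrations).
LEGIT_HOSTS = ["vpn.examplecorp.com", "sso.examplecorp.com"]
ALLOWLIST = {"examplecorp.com"}
CANDIDATES = [
    "vpn.examplecorp.com",        # the real host, must not be flagged
    "examplecorp-vpn.com",        # brand plus decoy word on a new TLD
    "examp1ecorp.com",            # digit one in place of the letter l
    "exarnplecorp-login.net",     # "rn" in place of "m"
    "examplecrop.com",            # transposed letters
    "examplecorpsso.com",         # brand embedded in a longer label
    "secure-remote-access.net",   # only decoy words, no brand
    "unrelated-widgets.org",      # unrelated registration
]

if __name__ == "__main__":
    for v in scan(CANDIDATES, LEGIT_HOSTS, ALLOWLIST):
        print(f"{'ALERT' if v.suspicious else 'ok   '} {v.host:28} {v.reason}")
```

The allowlist check runs first so that the organisation’s own subdomains never trip the brand matcher; everything else is scored against the normalised brand label, so that `examp1ecorp` and `exarnplecorp` collapse to the real name before comparison and a transposition such as `examplecrop` is caught by the edit-distance budget. Hits would feed a takedown request or a block on the web proxy rather than be acted on blindly, since a near-miss can also be a legitimate, unrelated company.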