Since the COVID-19 pandemic began, hackers have been trying everything they can to take advantage of stressed and distracted employees, those who are working at home and adjusting to a new reality.
We've seen attacks that aim to prey on those looking for cures, or those looking for monetary relief. The scope of attacks has been remarkable to witness.
A new one that's becoming increasingly popular? Vishing campaigns aimed at remote workers. Vishing—or voice phishing—plays on the same tactics used in traditional phishing scams but changes the vector to the phone. You've likely received one of these calls—they often mimic your local area code.
And just like traditional phishers, vishers are ramping up their intensity and effectiveness. One group, according to a report, is focusing on financial, telecom and social media companies with their vishing attacks.
It works like this:
The malicious actors begin with a series of calls to employees working remotely. They'll explain that they're calling from the company's IT department to help with issues surrounding the company's VPN.
Their goal? Get the employees to give up their credentials—VPN and otherwise—over the phone, or input them in one of the hundreds of phishing sites they've created.
Many of these calls tend to focus on new hires, a perfect target given that they are onboarding remotely. Sometimes, these phishers will even create LinkedIn profiles that say they work for the company. If you've never been in the office, you have no real way of knowing that they aren't real.
The phishing pages look just like an MFA page since they request a one-time code. Once the attackers get in, they try to take over internal tools and obtain account and financial information.
Though it's not clear if this group was involved, vishing was at the heart of the Twitter scandal. Employees gave up internal information over the phone. And it's growing in usage. According to Wired, dozens of companies have been successfully targeted using the same tactics. The FTC has found that, thus far in 2020, there have been over 128,000 fraud attacks over the phone, costing victims $108 million.
Many of the tactics that have surged during the pandemic aren't new, yet the ways that they are being used to target vulnerable employees are, and it means that employees and security providers have to be on constant alert for the next big thing.