Beware! Phishing scam uses voice calls to 'trick' workers

Your employees could fall prey to this social engineering attack on the rise


Calling up your colleagues directly has long been one of the most trusted methods of verifying a transaction request at work. If an email from a co-worker asking for sensitive data seems suspicious, the recipient should first double-check with the sender and seek clearance from senior team members by phone before even considering any request.

However, as investigators recently found, criminals are organising and devising ways to manipulate even this tried-and-tested process. Attackers call employees directly, impersonate a colleague, and use the apparent legitimacy of the call to extract corporate or personal data. This social engineering attack is called voice phishing, or "vishing".


Last month, the US Federal Bureau of Investigation issued an advisory to employers worldwide about the latest tactic that evolved from email phishing attacks. Phishing scams typically lure recipients into clicking a malicious link, downloading a malicious file, or entering login credentials into a fake portal for criminals to capture the data and gain access to the employer’s network.

Vishing, on the other hand, doesn’t just rely on emails or text messages. Criminals have been going the extra mile by impersonating real employees during an actual voice call.

“During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password,” the FBI said.

After using the stolen credentials to break into the network, the attackers reportedly discovered they could also adjust the security privileges of other accounts. This gave them deeper access into the system and a greater chance of causing "significant financial damage" to the company, the FBI said.


In another incident, hackers targeted a specific employee through the company's VoIP/chat service and convinced the employee to enter their login details into a fake virtual private network (VPN) login page set up by the criminals. This led to a string of attacks against employees with "higher privileges," the FBI said.

“The cyber criminals were looking for employees who could perform username and email changes and found an employee through a cloud-based payroll service. The cyber criminals used a chatroom messaging service to contact and phish this employee’s login credentials,” investigators reported.

How can employers prevent vishing attacks? The FBI recommends the following methods:

  • Use multi-factor authentication (MFA), which requires an additional access code or a biometric check before granting access to the company's systems; a phished password alone is then not enough to log in
  • Give new employees restricted access and establish a tiered privilege system based on each employee's role, i.e. the scope and sensitivity of the data their tasks require
  • Regularly review which employees have access to which data, and remove access that is no longer needed
  • Actively scan and monitor the network for unauthorised access or modifications, such as unexpected changes to other accounts' privileges
  • Segment the network: divide one large network into multiple smaller networks so that data flows between them can be monitored and a compromised account cannot reach everything
  • Provide administrators with two accounts: one with admin privileges, used only for making system changes, and a separate standard account for email, deploying updates and generating reports
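The FBI's "scan and monitor" advice is easiest to act on when it is tied to the attack chain described above: a login with phished credentials, followed shortly by the attacker changing the privileges of other accounts. The script below is an added example, not code from the article or from the FBI advisory. It runs a simple detector over a constructed audit log; the log format, the field names, the 30-minute window and the assumption that the corporate network is 10.0.0.0/8 are all illustrative choices, not anything the advisory specifies.

```python
"""
Added example (not from the article or the FBI advisory): flag logins that
look risky (no MFA, or from outside the corporate address space) which are
followed within a short window by privilege changes to OTHER accounts.
The log format and sample records below are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed sample audit log: one record per line, space-separated key=value
# fields after an ISO-8601 timestamp. Not a real product's log format.
SAMPLE_LOG = """\
2021-01-14T09:02:11Z event=login user=alice src=10.20.1.15 mfa=yes
2021-01-14T09:05:40Z event=login user=bob src=10.20.1.22 mfa=yes
2021-01-14T13:41:03Z event=login user=alice src=198.51.100.7 mfa=no
2021-01-14T13:43:19Z event=privilege_change actor=alice target=bob role=admin
2021-01-14T13:44:02Z event=privilege_change actor=alice target=carol role=admin
2021-01-14T15:10:55Z event=privilege_change actor=bob target=bob role=user
"""

# Assumption for this example: the corporate network is 10.0.0.0/8.
KNOWN_NETS = ("10.",)
# Assumption: privilege changes within 30 minutes of a risky login are suspect.
WINDOW = timedelta(minutes=30)


def parse_line(line):
    """Turn 'TS k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    """Parse all non-empty lines and return them in chronological order."""
    records = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(records, key=lambda r: r["ts"])


def is_risky_login(rec, known_nets=KNOWN_NETS):
    """A login is risky if MFA was not used or the source is off-network."""
    return rec["event"] == "login" and (
        rec.get("mfa") != "yes" or not rec["src"].startswith(known_nets)
    )


def find_suspicious(records, window=WINDOW, known_nets=KNOWN_NETS):
    """
    For each risky login, collect privilege changes made by that user to
    other accounts within `window`. Self-changes (actor == target) are
    ignored; the pattern of interest is escalation of someone else.
    """
    alerts = []
    for i, login in enumerate(records):
        if not is_risky_login(login, known_nets):
            continue
        targets = [
            r["target"]
            for r in records[i + 1:]
            if r["event"] == "privilege_change"
            and r["actor"] == login["user"]
            and r["target"] != login["user"]
            and r["ts"] - login["ts"] <= window
        ]
        if targets:
            alerts.append({
                "actor": login["user"],
                "src": login["src"],
                "login_ts": login["ts"],
                "targets": targets,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{alert['login_ts']:%Y-%m-%d %H:%M} risky login by "
              f"{alert['actor']} from {alert['src']} followed by privilege "
              f"changes to: {', '.join(alert['targets'])}")
```

On the sample data the 13:41 login by alice (no MFA, from an outside address) is followed by her granting admin to bob and carol, so it is reported; her 09:02 login from the office with MFA is not, and bob's change to his own account is ignored. In practice the "known networks" list and the window would come from the organisation's own environment, and the same logic maps directly onto a SIEM correlation rule.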
