The voice on the other end of the line was beginning to sound desperate.
“Please, sir, we need to download a secure form to your computer so we can cancel your subscription. It is the only way.”
He was trying to convince me to give him remote access to my computer, so he could cancel a Geek Squad subscription I had never signed up for.
Whispering in Urdu, he confided to a colleague that I was not cooperating.
“Please,” he pleaded again, “we just need five to 10 minutes of your precious time to refund your money.”
After I finally hung up, he called me back—eight times in a row.
It was a classic hybrid voice-phishing (“vishing”) attack. It started with an email claiming I was about to be charged $302.42 unless I called a number listed at the bottom of the message. Had I been a naive user, it could have ended with my computer compromised and my credit card information stolen. And if I worked for a large enterprise, the ramifications might have been far worse.
Vishing attacks like this one were up 625% from 2021 to 2022, according to the most recent quarterly threat report from PhishLabs. They are now the second most common “response-based” attack, trailing only the classic Nigerian Prince 419 scam. In both cases, scammers use social engineering tactics, which employ psychological manipulation to persuade victims to divulge confidential information.
“Voice phishing can be more effective because people tend to let their guard down when they’re talking to someone,” says Roger Grimes, data-driven defense evangelist for KnowBe4, which offers anti-phishing training for corporations. “Social engineering accounts for 80% to 90% of all successful data breaches.”
Adapt and conquer
As organizations have gotten wise to the telltale signs of phishing attacks, attackers have adapted. In the spring of 2021, the Conti ransomware gang splintered into multiple groups and began adopting new strategies. One new vector of attack, known as “BazarCall” or “callback phishing,” followed the playbook outlined above: a bogus email designed to spur a phone call, followed by a request for remote access. While a fake customer service employee chats up the caller, a remote attacker penetrates the caller’s network to steal information or deposit malware.
According to security research firm Advanced Intelligence Solutions, “callback phishing has entirely revolutionized the current threat landscape,” targeting a wide range of organizations, including a multinational weapons manufacturer, a major IT solutions provider, a multibillion-dollar technology company, and an NBA team. Nearly 40% of victims have annual revenue greater than $1 billion.
In August, Cisco offered a remarkably detailed description of a vishing attack on one of its employees’ personal Google accounts. Because the employee had enabled password syncing within a browser, the attackers were also able to gain access to the user’s Cisco credentials.
According to the report, the attacker then “conducted a series of sophisticated voice phishing attacks under the guise of various trusted organizations attempting to convince the victim to accept multi-factor authentication (MFA) push notifications initiated by the attacker.”
Eventually, the attempt to overcome MFA protections worked, allowing the attacker to log in through the corporate VPN. The hacker then began depositing remote access tools, escalating administrative privileges, moving laterally through the network, and stealing information.
All the while, Cisco’s security team was watching the attacker and observing the techniques used. In the end, Cisco says, no sensitive information was accessed and no business or supply chain operations were interrupted. The attacker attempted and failed to extort money from the company, then posted some nonsensitive files to the dark web.
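The pattern in the Cisco account, a burst of refused or ignored MFA push prompts followed by one approval and then a VPN login, is something a security team can look for in its own authentication logs. The script below is an added illustration of that check; it is not Cisco’s code and does not use any MFA vendor’s API. The log format (ISO timestamp, user name, push result), the ten-minute window and the threshold of three refused prompts are assumptions chosen for the example, and the log lines themselves are constructed.

```python
"""Flag MFA push-fatigue patterns in constructed authentication log lines.

Added example, not code from the article or from Cisco. The log format,
window and threshold below are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format: ISO timestamp, user, event).
SAMPLE_LOG = """\
2022-05-24T08:01:10Z alice push_denied
2022-05-24T08:01:42Z alice push_denied
2022-05-24T08:02:15Z alice push_timeout
2022-05-24T08:02:50Z alice push_denied
2022-05-24T08:03:30Z alice push_approved
2022-05-24T08:03:31Z alice vpn_login
2022-05-24T09:15:00Z bob push_approved
2022-05-24T09:15:02Z bob vpn_login
"""

WINDOW = timedelta(minutes=10)   # assumed look-back/look-ahead window
MAX_UNANSWERED = 3               # assumed threshold of refused/timed-out pushes
REFUSED = ("push_denied", "push_timeout")


def parse_events(text):
    """Turn the assumed three-column log format into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event))
    return events


def find_push_fatigue(events, window=WINDOW, max_unanswered=MAX_UNANSWERED):
    """Return {user: details} for users who approved a push after a burst of refused ones.

    A finding records when the approval happened, how many pushes were refused
    or timed out in the preceding window, and whether a VPN login followed
    within the same window (the sequence described in the Cisco incident).
    """
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))

    findings = {}
    for user, items in by_user.items():
        items.sort()
        for i, (ts, event) in enumerate(items):
            if event != "push_approved":
                continue
            # Refused or unanswered pushes in the window before this approval.
            refused_before = sum(
                1 for t, e in items[:i] if ts - t <= window and e in REFUSED
            )
            if refused_before < max_unanswered:
                continue
            login_after = any(
                e == "vpn_login" and timedelta(0) <= t - ts <= window
                for t, e in items[i + 1:]
            )
            findings[user] = {
                "approved_at": ts,
                "refused_before": refused_before,
                "vpn_login_after": login_after,
            }
            break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for user, detail in find_push_fatigue(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {detail['refused_before']} refused pushes before approval "
              f"at {detail['approved_at']:%H:%M:%S}, VPN login after: {detail['vpn_login_after']}")
```

Run against the constructed log, the check flags alice (four refused prompts, then an approval, then a VPN login a second later) and ignores bob, whose single approval has no refused prompts before it. In a real deployment the same logic would sit on the identity provider’s or MFA service’s push logs, and the threshold would be tuned to the organization’s normal rate of accidental denials.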
Train in vain?
The average phishing data breach cost companies $4.7 million in 2021, IBM reports. Yet 86% of employees receive 30 minutes or less of security awareness training a month, according to Osterman Research. A recent report from SANS notes that three-quarters of security awareness professionals spend less than half their time actually teaching security awareness.
KnowBe4’s anti-phishing training consists of sending workers simulated phishing emails, identifying the workers (as many as 33%) who always click the emailed links, and teaching them how not to be duped the next time.
Unfortunately, notes Grimes, the big telecoms won’t allow companies like KnowBe4 to make unauthorized voice calls to employees without their permission. So anti-vishing training can’t be conducted in the same way. (Knowing that a vishing call is coming kind of defeats the purpose.)
Despite the occasional barrier, education remains the most effective way to combat phishing, vishing, or smishing (SMS attacks), he says.
“You have to teach everybody to have a healthy level of skepticism for any message that contains two traits: It’s unexpected, and it’s asking you to do something new for that particular sender,” Grimes says. “Make sure you confirm that the message is legitimate before you do anything [a sender] asks you to do.”
It takes an army
Focusing attention on areas where your company might be most vulnerable is also a good idea, says Christopher Prewitt, chief technology officer for Inversion6, a cybersecurity risk management provider.
“A lot of companies try to protect everything equally without looking at the processes that are most important to the business,” he says. “How does money move within the organization? Who has access to it? How do you manage wire transfers? If you’ve got $300 million in the company treasury, maybe you need to set up a staging account to pay your bills, so you only lose a limited amount of money if someone gets scammed.”
A lot of this is Security 101, he adds. Limiting access privileges, identifying anomalous behavior, segmenting the most sensitive parts of the network, and implementing a zero-trust framework will all help limit damage from a successful attack. But nothing can replace eternal vigilance.
“I can’t stand behind 8,000 employees and tell them what not to click on,” says Prewitt. “I need an army of people who understand that they always need to be on alert and then try to partner with them.”