As if 2020 hasn’t caused enough hardship and headaches for employers already, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) recently issued a joint Cybersecurity Advisory warning employers about the rise in voice phishing, or “vishing,” scams targeting remote workers.
With the mass shift to large-scale work-from-home environments, cybercriminals and hacker groups are employing increasingly creative tactics to take advantage of weakened security protocols and overly trusting employees. Before the pandemic and the sudden increase in remote workforces, vishing scams were not uncommon. However, they were largely aimed at vulnerable individuals through personal attacks, such as a phone call seeking bank or credit card account information for a “compromised” account, calls from the “IRS” to verify an individual’s Social Security number, or targeted Medicare and Social Security scams.
Since July 2020, vishing scams have evolved into coordinated and sophisticated campaigns aimed at obtaining a company’s confidential, proprietary and trade secret information through the company’s virtual private network (“VPN”) with the help of the company’s own employees. VPNs are widely used in the current telework environment and are intended to be a secure platform for remote employees to log into their company’s network from home. Many companies use VPNs because they not only provide a secure remote connection but also allow the company to monitor employees’ activity on the network and supposedly detect security breaches.
But, it is difficult to detect a security breach when it comes through your employees’ own keystrokes. According to the FBI and CISA, these vishing scams follow a common course of action. To start, the cybercrime group identifies a company target and exhaustively researches its workforce. The attackers compile “dossiers” on employee victims based on a “scrape” of their virtual social media presence. From an individual’s various social media profiles, the attackers are able to learn the employee’s name, location, place of work, position, duration at the company, and sometimes even the employee’s home address.
Next, the cybercrime group or hackers register a domain and create phishing webpages duplicating a company’s internal VPN login page. These phishing webpages also have the capability to capture two-factor authentication or one-time passwords, mirroring the company’s own security protocols.
Then, an attacker contacts an employee on his or her personal cell phone and poses as an internal IT professional or help desk employee with a security concern. The “visher” gains the trust of the employee by leveraging the information compiled on that employee in the research phase and convinces the employee that he or she needs to log in through a new VPN link to address a security issue or other IT need.
The attacker sends the unsuspecting employee a link to the fake VPN page, which looks just like the company’s own VPN login site. The employee enters his or her username and password on the attacker’s page and clicks the login link. If applicable, the employee also completes the two-factor authentication or one-time password request. Thus, with a single click on the VPN link, the attacker has the employee’s entire suite of credentials. Attackers use this access to mine the company’s databases, records and files to obtain information to leverage against the company for ransom or even in other cyberattacks. As a result, the company’s confidential, proprietary and trade secret information is up for grabs, leading to substantial ransom costs, forensic fees and costs, employee and customer notice obligations, and potentially significant liability for security breaches.
With teleworking continuing into the foreseeable future, employers must think critically about their security protocols and take steps to prevent employees from unwittingly walking into a vishing (or other phishing) trap. The agencies’ Advisory provides organizations with “tips” to protect against these intricate attacks, including:
- Restricting VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN
- Restricting VPN access hours, where applicable, to mitigate access outside of allowed times
- Employing domain monitoring to track the creation of, or changes to, corporate, brand-name domains
- Actively scanning and monitoring web applications for unauthorized access, modification, and anomalous activities
- Employing the principle of least privilege and implementing software restriction policies or other controls; monitoring authorized user accesses and usage
- Potentially deploying a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed
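As an added illustration of the domain-monitoring tip above (this is not code from the Advisory or from this post), the script below screens a feed of newly observed domains for lookalikes of a company’s brand. It assumes a hypothetical company label “acmecorp” with its legitimate portal at vpn.acmecorp.com, and the feed entries are constructed samples, not real registrations.

```python
"""Flag newly observed domains that imitate a corporate brand or VPN portal."""
import unicodedata

BRAND_LABELS = ("acmecorp",)            # hypothetical company label
ALLOWLIST = {"acmecorp.com"}             # registrable domains the company actually owns
PORTAL_WORDS = ("vpn", "sso", "login", "helpdesk", "remote", "secure")
# Character swaps commonly used to mimic a brand (constructed table, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label: str) -> str:
    """Strip accents and undo digit-for-letter swaps so lookalikes compare equal."""
    if label.startswith("xn--"):            # punycode label from a registration feed
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c)).lower()
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label

def assess(domain: str) -> list:
    """Return reasons the domain resembles the brand; an empty list means no match."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) in ALLOWLIST:
        return []
    sld, subs = normalize(labels[-2]), [normalize(s) for s in labels[:-2]]
    reasons = []
    for brand in BRAND_LABELS:
        if sld == brand:
            reasons.append(f"'{labels[-2]}' normalizes to brand '{brand}' outside the allowlist")
        elif brand in sld:
            reasons.append(f"brand '{brand}' embedded in '{labels[-2]}'")
        elif levenshtein(sld, brand) <= 2:
            reasons.append(f"'{labels[-2]}' is within edit distance 2 of '{brand}'")
        if any(brand in s for s in subs):
            reasons.append(f"brand used as a subdomain of unrelated '{labels[-2]}'")
    if reasons and any(w in domain for w in PORTAL_WORDS):
        reasons.append("portal keyword present (VPN/login lure)")
    return reasons

SAMPLE_FEED = [  # constructed sample feed; none of these are real registrations
    "vpn.acmecorp.com", "acmecorp-vpn.com", "acrnecorp.com", "acmec0rp-sso.net",
    "acmecörp.com", "acmecorp.secure-login.info", "weather-report.org",
]

def scan(feed) -> dict:
    """Map each suspicious domain in the feed to its list of reasons."""
    return {d: assess(d) for d in feed if assess(d)}
```

Feeding a real certificate-transparency or new-registration stream into scan() turns the Advisory’s “domain monitoring” tip into a daily report of candidate lookalikes for the security team to review.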
Depending on the organization, not all of the Advisory’s tips are feasible. But all companies should heed the agencies’ warning and continue to critically assess security protocols, VPNs, and network access to protect their confidential, proprietary and trade secret information.
Separately, companies should continue to engage and train employees on proper network usage, security concerns, and when to call a secure IT number. Cybercriminals will continue to take advantage of remote employees. Companies should regularly remind employees to be suspicious of any request for their logins and credentials (or other personal information) and remind employees where to go and whom to contact if they have any security concerns.