Be Careful. There Might Be a “Visher” on the Line
“Vishing” may sound familiar, but unless you’re a fraud investigator, you probably haven’t encountered it. Unfortunately, that could change … soon. To foil a scam that increasingly takes advantage of remote workers, learn what vishing is and how your business can prevent it from infiltrating your network.
Vishing isn’t the same as “phishing.” The latter is a type of social engineering fraud that involves email or text messages designed to trick someone into revealing sensitive personal information. Or it may target employees to gain access to worker and customer data, as well as intellectual property.
Voice vhishing (or vishing) scams, on the other hand, involve phones — rather than email or text messages. Vishing schemes often are more aggressive, elaborate and personalized than traditional phishing scams. Therefore, they can be harder to detect.
A Look Behind the Scam
Vishing scams attacking businesses have grown as more employees have started working from home. Typically, fraudsters begin by researching employees online. Armed with such information as an employee’s name, position and duration of employment, the perpetrator poses as a member of the employer’s IT department, claiming he or she needs to install security updates on the employee’s laptop.
Believing they’re giving remote access to a coworker; victims enter their login information into a virtual private network (VPN) set up by the perpetrator. This includes any two-factor authentication or one-time passwords. It’s an honest mistake by the employee that gives the visher real-time access to the company’s actual VPN — and its proprietary information.
Turn a Weakness Into a Strength
Most vishing schemes exploit VPN weaknesses. So, if your remote workers access your network through a VPN, be sure to:
- Restrict VPN connections to managed devices only,
- Limit VPN access hours, if possible, to mitigate after-hours access,
- Use domain monitoring to track changes to the company’s domains,
- Actively scan and monitor Web applications for unauthorized access and modification, and
- Employ the principle of least privilege (which restricts access to only those privileges needed to perform essential job functions).
Consider implementing a formalized authentication process for employee-to-employee phone communications. For example, you might require a second factor to authenticate the phone call before discussing sensitive information.
Training Your Employees
Knowledgeable employees can also help you identify suspicious activity. So be sure to add vishing to your fraud training handbook.