“Vishing” may sound familiar, but unless you are a fraud investigator, you probably have not encountered it. Unfortunately, that could change soon. To foil a scam that increasingly takes advantage of remote workers, learn what vishing is and how your business can prevent it from infiltrating your network.
Clarifying Terms
Vishing is not the same as ‘phishing.’ The latter is a type of social engineering fraud that uses email or text messages designed to trick someone into revealing sensitive personal information; it may also target employees to gain access to worker and customer data, as well as intellectual property.
Voice phishing (or vishing) scams, on the other hand, involve phone calls rather than email or text messages. Vishing schemes are often more aggressive, elaborate, and personalized than traditional phishing scams, so they can be harder to detect.
A Look Behind the Scam
Vishing scams attacking businesses have grown as more employees have started working from home. Typically, fraudsters begin by researching employees online. Armed with such information as an employee’s name, position, and duration of employment, the perpetrator poses as a member of the employer’s IT department, claiming they need to install security updates on the employee’s laptop.
Believing they are giving remote access to a coworker, victims enter their login information, including any two-factor authentication codes or one-time passwords, into a virtual private network (VPN) login page set up by the perpetrator. This honest mistake by the employee gives the visher real-time access to the company’s actual VPN and its proprietary information.
Turn a Weakness into a Strength
Most vishing schemes exploit VPN weaknesses. So, if your remote workers access your network through a VPN, be sure to:
- Restrict VPN connections to managed devices only
- Limit VPN access hours, if possible, to mitigate after-hours access
- Use domain monitoring to track changes to the company’s domains
- Actively scan and monitor Web applications for unauthorized access and modification
- Employ the principle of least privilege (which restricts access to only those privileges needed to perform essential job functions)
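The first two controls above (managed devices only, limited access hours) are only as good as the checks that enforce them. The following script is an added example, not code from the original article or from any vendor: it reviews VPN authentication logs and flags successful logins from devices not in the managed-device inventory or outside the permitted window, which is exactly the kind of access the scenario described earlier produces. The log line format, field names, device inventory and the 07:00 to 19:00 window are assumptions, and the sample log lines are constructed for illustration.

```python
"""Added example (not from the original article): flag VPN logins that violate the
controls listed above (unmanaged device, outside permitted hours). Log format and
field names are assumptions; the sample lines are constructed for illustration."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, time

# Assumed log line format (constructed for this example), one event per line:
#   2024-03-04T19:42:10Z user=jdoe src=203.0.113.7 device=LAPTOP-0042 result=success
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)\s+"
    r"device=(?P<device>\S+)\s+result=(?P<result>\S+)$"
)

# Inventory of corporate-managed devices (assumption: exported from the MDM/asset system).
MANAGED_DEVICES = {"LAPTOP-0042", "LAPTOP-0117"}

# Permitted VPN window, in the VPN server's local time (assumption: 07:00 to 19:00).
WINDOW_START = time(7, 0)
WINDOW_END = time(19, 0)


@dataclass(frozen=True)
class VpnEvent:
    ts: datetime
    user: str
    src: str
    device: str
    result: str


def parse_line(line: str) -> VpnEvent | None:
    """Parse one log line; return None for lines that do not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return VpnEvent(ts, m["user"], m["src"], m["device"], m["result"])


def findings_for(event: VpnEvent) -> list[str]:
    """Return the policy violations for a single VPN login (only granted access is checked)."""
    if event.result != "success":
        return []
    problems = []
    if event.device not in MANAGED_DEVICES:
        problems.append("unmanaged-device")
    if not (WINDOW_START <= event.ts.time() <= WINDOW_END):
        problems.append("outside-hours")
    return problems


def review_log(lines: list[str]) -> dict[str, list[str]]:
    """Map each offending login (keyed by 'user@timestamp') to the controls it violates."""
    report: dict[str, list[str]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped; in production, count them too
        problems = findings_for(ev)
        if problems:
            report[f"{ev.user}@{ev.ts.isoformat()}"] = problems
    return report


# Constructed sample log: the third line is the kind of access a successful vishing
# call produces (unknown machine, after hours); the fourth is a failed attempt.
SAMPLE_LOG = [
    "2024-03-04T09:12:33Z user=jdoe src=198.51.100.14 device=LAPTOP-0042 result=success",
    "2024-03-04T13:05:01Z user=asmith src=198.51.100.22 device=LAPTOP-0117 result=success",
    "2024-03-04T22:47:10Z user=jdoe src=203.0.113.7 device=DESKTOP-XK3 result=success",
    "2024-03-04T22:49:52Z user=jdoe src=203.0.113.7 device=DESKTOP-XK3 result=failure",
]

if __name__ == "__main__":
    for key, problems in review_log(SAMPLE_LOG).items():
        print(key, ", ".join(problems))
```

Run against a real export, a report entry with both "unmanaged-device" and "outside-hours" for the same user within minutes of a help-desk-style call is a strong signal to reset that user's credentials and revoke the session; the check is cheap enough to run on every log rotation.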
Consider implementing a formalized authentication process for employee-to-employee phone communications. For example, you might require a second factor to authenticate the phone call before discussing sensitive information.
Train Your Employees
Knowledgeable employees can also help identify suspicious activity. So, be sure to add vishing to your fraud training handbook. Contact us for help if you suspect your business has been targeted by fraud.