How can I protect my organisation from a Vishing attack?
As many organisations continue to operate remotely, there has been an increase in cyber-related attacks on employees working from home. Cyber criminals have taken advantage of this situation and employed various tactics to try to access private information.
There has been a particular increase in vishing-based attacks on homeworking employees that aim to gain access to their employer’s systems. Vishing can be described as the use of voice telephone calls to fraudulently induce individuals to reveal access credentials and personal information using social engineering techniques, much like phishing emails.
The FBI and CISA (Cybersecurity and Infrastructure Security Agency) have issued joint prevention guidance to help employees reduce the risk of falling victim to a vishing attack.
Key recommendations are provided for both organisations and users and these include:
- Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates.
- Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
- Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
- Actively scan and monitor web applications for unauthorised access, modification, and unusual activities.
- Consider using a formalised authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.
- Improve two-factor authentication and one-time password messaging to reduce confusion about employee authentication attempts.
- Employ the principle of least privilege and implement software restriction policies or other controls; and monitor authorised user accesses and usage.
- Verify web links do not have misspellings or contain the wrong domain.
- Bookmark the correct corporate VPN internet address and do not visit alternative addresses on the sole basis of an inbound phone call.
- Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organisation. Do not provide personal information or information about your organisation unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the organisation they purport to be from.
- If you receive a vishing call, document the phone number of the caller as well as the domain that the individual tried to send you to and relay this information to law enforcement.
- Limit the amount of personal information you post on social networking sites. The internet is a public resource. Only post information you are comfortable with anyone seeing.
- Evaluate your settings. Sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
The full guidance document is available here.
If you are a Griffiths & Armour client that requires further detailed guidance on cyber risks and a cyber risk training system, please get in touch with your usual contact to get access to our online risk management platform, RMworks. Alternatively, you can contact Greg Street by submitting your enquiry below. Further information on RMworks is available here.