A voice phishing (vishing) scam that targets employees working from home is making the rounds. Learn how this scam works and what your company can do to avoid becoming the next victim.
The US Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are warning businesses about a voice phishing (vishing) scam that targets employees working from home. Cybercriminals are using this scam to steal virtual private network (VPN) login credentials, which they use to access company networks and steal data or money. By understanding how this VPN vishing scam works, you can better protect your business.
How the Scam Works
With the help of companies that have been victimized, the FBI and CISA have pieced together how the VPN vishing scam typically works. The cybercriminals begin by making preparations. After choosing a business to target, they register a domain using the company’s name. They follow naming schemes like
- support-[company]
- [company]-support
- ticket-[company]
- employee-[company]
where [company] is the name of the targeted business. The scammers then duplicate the target company's VPN login page, paying attention to details. For example, if two-factor authentication is used, that prompt is included on the spoofed VPN login page. The scammers even obtain a TLS certificate (still commonly called an SSL certificate) so that the spoofed page is served over HTTPS. This is a common trick of the trade: more than three quarters of all phishing sites are HTTPS sites. Cybercriminals know that some people assume a site is safe when they see the "https" designation and the accompanying padlock icon in their web browser's address bar. However, "https" only indicates that data sent between the browser and the website is encrypted. It does not signify that the site is legitimate or safe, and public certificate authorities will issue a certificate for a lookalike domain automatically and at no cost.
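The naming schemes above are mechanical enough to check for. The following Python script is added here as an illustration; it is not code from the FBI/CISA advisory or from the original post. It expands a company name into the candidate domains those schemes produce (plus a few extra patterns marked as this example's own assumptions) and matches them against a feed of newly observed hostnames, which is the kind of check a domain monitoring service runs against certificate transparency logs. The feed is constructed sample data and "ACME" is a placeholder company name.

```python
"""Expand a company name into the lookalike domains the advisory's naming
schemes produce and flag matching hostnames in a feed of newly observed
domains. Added example; the feed below is constructed, not real CT data."""
import re

# Naming schemes listed in the FBI/CISA advisory, as format templates.
PATTERNS = ["support-{c}", "{c}-support", "ticket-{c}", "employee-{c}"]

# Extra variants worth watching; these are this example's assumptions,
# not schemes reported in the advisory.
EXTRA_PATTERNS = ["{c}-vpn", "vpn-{c}", "{c}-helpdesk", "{c}-portal"]

TLDS = ["com", "net", "org", "co", "online", "support"]


def normalize(name: str) -> str:
    """Lowercase the name and drop anything that cannot appear in a DNS label."""
    return re.sub(r"[^a-z0-9-]", "", name.lower())


def candidate_domains(company: str, extra: bool = False) -> set[str]:
    """All registrable domains the patterns yield for this company."""
    c = normalize(company)
    pats = PATTERNS + (EXTRA_PATTERNS if extra else [])
    return {f"{p.format(c=c)}.{tld}" for p in pats for tld in TLDS}


def registrable_domain(hostname: str) -> str:
    """Reduce a hostname (or wildcard SAN) to its last two labels. Good enough
    for the generic TLDs above; a real monitor should use the Public Suffix List."""
    labels = hostname.lower().rstrip(".").lstrip("*.").split(".")
    return ".".join(labels[-2:])


def find_lookalikes(company: str, observed: list[str], extra: bool = False) -> list[str]:
    """Hostnames in `observed` whose registrable domain is a lookalike candidate."""
    cands = candidate_domains(company, extra)
    return sorted({h for h in observed if registrable_domain(h) in cands})


# Constructed sample feed (not real certificate transparency log entries).
SAMPLE_FEED = [
    "www.acme.com",              # the real company domain
    "support-acme.com",
    "vpn.ticket-acme.net",
    "login.acme-support.online",
    "acmesupport.com",           # different scheme, not matched by these patterns
    "*.employee-acme.co",        # wildcard certificate for a lookalike
    "mail.example.org",
]

if __name__ == "__main__":
    for host in find_lookalikes("ACME", SAMPLE_FEED):
        print("possible spoof:", host)
```

Feed it real hostnames (for example, from a certificate transparency monitor) to get a warning the moment a scammer obtains a certificate for a lookalike name. Because `registrable_domain` keeps only the last two labels, companies that also operate under country-code domains such as .co.uk should swap in a Public Suffix List lookup.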
Next, the scammers compile information on the target company’s employees, including their names, home addresses, personal phone numbers, company positions, and job tenure. This is accomplished by scouring public profiles on social media sites like LinkedIn and Facebook, taking advantage of publicly available background check services, using recruiter and marketing tools, and conducting other types of research. From this information, they are able to glean which employees telecommute to work. The scammers also use this information to personalize the conversations they will have with the remote employees.
After the preparations are done, the vishing begins. At first, the scammers call the telecommuters on their personal phones using unattributed Voice over Internet Protocol (VoIP) numbers. These initial calls confirm that the phone numbers are correct, and the cybercriminals often use them to learn more about the company, such as its hierarchy or the business lingo it uses. The latter is important. When scammers use the terms and acronyms that the employees are accustomed to hearing, the employees are more apt to believe the scammers and do what they ask, according to social engineering experts.
The scammers then carry out the main vishing attack. In this attack, two cybercriminals work in tandem. One of the scammers calls a remote worker, pretending to be another employee such as a member of the company’s IT help desk. The impersonator often uses caller ID spoofing to help convince the telecommuter that the call is legitimate. Similarly, the impersonator sprinkles tidbits of information about the remote employee and the company into the conversation to gain the employee’s trust.
At this point, the scammer starts spinning a story designed to get the remote worker to enter his or her credentials into the spoofed VPN login page. If the remote employee falls for the scam, the second cybercriminal immediately enters the stolen credentials in the real VPN page. That way, if a two-factor authentication or one-time password system is being used, the cybercriminal gets past that layer of protection too. (One-time codes are typically valid for only a short window, which is why the second scammer has to relay them in real time rather than save them for later.) Once the cybercriminal gains access to the company's network through the VPN, he or she carries out other cyberattacks, such as stealing data to sell on the dark web.
If the remote worker does not fall for the scam, the two cybercriminals simply move on to a different telecommuter in that company. Unsuccessful attempts help the scammers refine their social engineering approach, according to cybersecurity researchers.
It is important to note that while this is the typical way cybercriminals carry out the vishing scam, variations exist. For example, in a few cases, the FBI and CISA found that two-factor authentication codes and one-time passwords were obtained through SIM swapping rather than the spoofed VPN site. In a SIM swap, the attacker takes over the victim's mobile phone number by tricking the carrier into moving it to a SIM card the attacker controls, so that codes sent by text message are delivered to the attacker instead of the victim.
How to Avoid Becoming a Vishing Victim
There are many ways companies can protect themselves from the VPN vishing scam and similar attacks. Possible measures include:
- Restrict VPN connections to managed devices only, using hardware checks, installed certificates, or some other means. That way, a username, password and one-time code on their own are not enough to access the company's VPN; the connection also has to come from a device the company controls, according to the FBI and CISA.
- Implement two-factor authentication and use a physical security key as the second factor. USB-based security keys are inexpensive, and because a key's response is cryptographically bound to the domain of the site that requested it, a response obtained on a spoofed page cannot be relayed to the real VPN the way a one-time code can.
- Make sure that potentially sensitive information is not publicly available on the company's website or social media pages. For example, employees' job titles should not be posted there.
- Implement a social media policy. This policy should discuss the types of company-related information employees should avoid posting on their personal social media pages.
- Use a domain monitoring service. These services watch new domain registrations and certificate issuance for lookalike names built from your company's name, alert you when one appears, and start takedown proceedings against spoofed sites.
- Create and distribute a shortcut to the company’s VPN page. Alternatively, ask remote employees to create a bookmark for it in their web browsers. Using a shortcut or bookmark eliminates the chance they will accidentally access a spoofed VPN page if they make a typographical error when manually entering the VPN page’s URL in a web browser. When discussing why employees should use the shortcut or bookmark, tell them not to visit any other VPN page based solely on a phone call.
- Educate employees about vishing. Conduct a training session designed to let employees know what vishing is and give examples of vishing scams. During this session, tell employees to be suspicious of unsolicited phone calls, especially if the caller is asking them personal questions or questions about the company (e.g., its structure or networks).
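The step in the attack that matters most is the second scammer typing the stolen one-time code into the real VPN page before it expires, and the reason the security-key measure above defeats it is that a FIDO2/WebAuthn key signs over the origin and relying-party ID the browser supplies rather than producing a code the user can read out. The Python below is an added example, not code from the advisory or the original post. It simulates both paths: a TOTP code relayed ten seconds later is accepted, while an assertion obtained on the spoofed domain is refused at three points (the browser, the key, and the real portal). The domains vpn.acme.com and support-acme.com are assumptions, and the key's "signature" is an HMAC stand-in for a real public-key signature over the same fields, so the block runs on the standard library alone.

```python
"""Why a one-time code relayed by the second scammer still logs in, while a
security-key (WebAuthn/FIDO2) assertion relayed the same way does not. Added
example; domains are assumptions, and the key's 'signature' is an HMAC over the
fields a real key signs (rpIdHash || sha256(clientDataJSON)) as a stand-in."""
import hashlib, hmac, json, struct
from urllib.parse import urlparse

REAL_ORIGIN = "https://vpn.acme.com"        # assumed legitimate VPN portal
SPOOF_ORIGIN = "https://support-acme.com"   # assumed spoofed portal
RP_ID = "acme.com"                          # relying-party id of the real portal
STEP = 30                                   # TOTP time step in seconds

# ---- Path 1: one-time code (RFC 6238 TOTP) ----
def totp(secret: bytes, now: float, digits: int = 6) -> str:
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_server_accepts(secret: bytes, code: str, now: float) -> bool:
    # Servers usually tolerate one step of clock skew either way.
    return any(hmac.compare_digest(totp(secret, now + d), code) for d in (-STEP, 0, STEP))

def relay_totp(secret: bytes, victim_time: float, delay: float) -> bool:
    """Victim types the code into the spoof page at victim_time; the second scammer
    types it into the real page `delay` seconds later."""
    return totp_server_accepts(secret, totp(secret, victim_time), victim_time + delay)

# ---- Path 2: security key with an origin-bound assertion ----
class Authenticator:
    """A FIDO2 key: each credential is scoped to the rpId it was created for."""
    def __init__(self):
        self._creds = {}

    def register(self, rp_id: str) -> bytes:
        key = hashlib.sha256(b"demo-key:" + rp_id.encode()).digest()
        self._creds[rp_id] = key
        return key  # handed to the RP as its verification key (symmetric stand-in)

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self._creds:
            return None                        # no credential for this rpId
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()   # authenticatorData field
        sig = hmac.new(self._creds[rp_id], rp_id_hash + client_data_hash, hashlib.sha256).digest()
        return rp_id_hash, sig

def browser_get(origin: str, rp_id: str, challenge: str, auth: Authenticator):
    """navigator.credentials.get() as the browser enforces it: rpId must be the page's
    own host or a parent of it (simplified; real browsers also consult the Public
    Suffix List), and the page's true origin goes into clientDataJSON before signing."""
    host = urlparse(origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None                            # SecurityError in a real browser
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    result = auth.get_assertion(rp_id, hashlib.sha256(client_data.encode()).digest())
    return None if result is None else (client_data, *result)

def rp_verify(key: bytes, challenge: str, response) -> bool:
    """Real portal's checks: origin, challenge, rpIdHash, then the signature."""
    if response is None:
        return False
    client_data, rp_id_hash, sig = response
    cd = json.loads(client_data)
    if cd.get("origin") != REAL_ORIGIN or cd.get("challenge") != challenge:
        return False
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(key, rp_id_hash + hashlib.sha256(client_data.encode()).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def legit_login(auth: Authenticator, key: bytes, challenge: str = "c1") -> bool:
    return rp_verify(key, challenge, browser_get(REAL_ORIGIN, RP_ID, challenge, auth))

def relay_webauthn(auth: Authenticator, key: bytes, challenge: str = "c2") -> bool:
    """Scammer fetches a challenge from the real portal, has the victim touch the key
    on the spoof page, and forwards whatever comes back."""
    resp = browser_get(SPOOF_ORIGIN, RP_ID, challenge, auth)   # browser refuses the rpId
    if resp is None:                                             # fall back to the spoof's own rpId:
        resp = browser_get(SPOOF_ORIGIN, "support-acme.com", challenge, auth)  # key has no credential
    return rp_verify(key, challenge, resp)

def enrolled_on_spoof_then_relayed(auth: Authenticator, key: bytes, challenge: str = "c3") -> bool:
    """Even if the victim was talked into 'enrolling' the key on the spoof site, the
    assertion names the spoof origin and rpId, so the real portal still rejects it."""
    auth.register("support-acme.com")
    return rp_verify(key, challenge, browser_get(SPOOF_ORIGIN, "support-acme.com", challenge, auth))

if __name__ == "__main__":
    secret, auth = b"shared-totp-seed", Authenticator()
    key = auth.register(RP_ID)
    print("TOTP relayed 10 s later accepted :", relay_totp(secret, 1_700_000_000, 10))
    print("TOTP relayed 5 min later accepted:", relay_totp(secret, 1_700_000_000, 300))
    print("key used on the real portal      :", legit_login(auth, key))
    print("key assertion relayed from spoof :", relay_webauthn(auth, key))
    print("key enrolled on spoof, relayed   :", enrolled_on_spoof_then_relayed(auth, key))
```

The TOTP path shows why the scam needs two people working at once: the code is only useful inside its validity window, but nothing ties it to the page the victim typed it into. The security-key path fails even when the scammer relays in real time, because the browser, the key and the relying party each check the domain, and none of those checks can be talked around over the phone.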
Develop a Plan of Action
The specific measures that businesses should take to protect against the VPN vishing scam will depend on several factors, such as their current authentication system, which VPN they use, and how many employees telecommute to work. We can make specific recommendations for your company based on your business environment and IT operations.
VPN blue flickr photo by Infosec Images shared under a Creative Commons (BY) license