New Vishing Attacks Pretend to Be Internal IT to Scam Users from Financial Firms Out of Their Credentials

Dozens of banks, cryptocurrency exchanges, and web hosting firms have experienced vishing attacks aimed at eventually stealing cryptocurrency from high-net-worth customers.

This attack sounds very much like the recent Twitter vishing attack that left many high-profile Twitter accounts in the control of cybercriminals – albeit for a short period of time. But this one comes with a twist. In the Twitter attack, the accounts of high-profile individuals such as Elon Musk and Joe Biden were compromised using vishing. In this most recent case, however, vishing is the opening move of a much longer-tailed campaign whose final targets are the customers of the initially compromised organizations.

The attackers build detailed intelligence on their victim organizations via LinkedIn and other online services to assemble org charts. They then target individuals who are new to the company, posing as IT staff to trick them out of their passwords to internal systems. The eventual goal appears to be identifying high-net-worth customers of those compromised organizations in order to launch a second phase of the attack, in which those customers are targeted – likely by attackers posing as the initial victim organization – to gain access to their cryptocurrency accounts.

It’s a material amount of time invested, but the potential payoff could be huge. And it all starts with some simple social engineering over the phone – “Hi! This is Stu from IT!”

Organizations can easily thwart these vishing attacks with Security Awareness Training. Users who are educated to watch for any interaction via email, web, or phone that is out of the ordinary (you call IT; they never call you!) will be suspicious of such interactions and not fall for them. Cutting off an attack at this step renders the rest of the attack useless.
