Most of us are all too familiar with vishing, the scam voice calls that offer to erase your credit card debt, to extend your automobile warranty, to get you to donate to that worthy cause you’ve probably never heard of, to qualify for insurance you never knew you could qualify for, and so on. They’re a tiresome version of the old snake-oil come-on to a con game, and everyone would like to think they’re immune.
But, of course, we’re not immune, and people still fall for them. In an advisory published Friday, the US Health Sector Cybersecurity Coordination Center (HC3) warned that vishing is on the rise, and that the healthcare sector needs to take particular note. “Voice phishing, also known as vishing, is the practice of eliciting information or attempting to influence action via the telephone,” the Center said.
“Over the past year, HC3 has noted a marked increase in these attacks across all sectors. Social engineering techniques continue to remain successful in providing initial access to target organizations, and the HPH sector should remain alert to this evolving threat landscape with an emphasis on user awareness training.”
And it’s not just gullible individuals who are falling for vishing. It’s become convincing enough to swindle large and sophisticated enterprises. “Recently, a large U.S. company fell victim to a cyber attack that leveraged sophisticated phishing techniques involving phone calls to gain access to the victim organization.”
The scams themselves use advanced but familiar techniques like caller ID spoofing. They have also been observed using more advanced and hitherto seldom encountered techniques like voice-changing software. Some of the most sophisticated threat actors, HC3 says, aren’t the grubby con artists one might expect, but rather advanced persistent threats (APTs), that is, the intelligence services of well-resourced nation-states.
“HC3 assesses with high confidence that threat actors will continue to evolve their tactics, techniques, and procedures (TTPs) when conducting phishing attacks due to prior success in gaining initial access,” the alert says, adding that even the humble and familiar smiley face can serve the purposes of espionage. “Security researchers recently found a way to use just a series of emojis to deliver an exploit to a target. While this method requires specific circumstances to occur for the emoji exploit to work, this demonstrates the constantly evolving threat landscape and difficulty in detecting malware.”
There are five marks of vishing that HC3 advises organizations to be aware of:
- “Suspicious emails claiming a free trial has ended for a service for which the recipient never signed.
- “Unexpected emails containing only the name, address, and phone number of an unrecognized organization.
- “Individuals asking callers to navigate to a website to cancel a subscription they did not sign up for.
- “Emails from a Gmail account with the name of a high-level individual in medical research.
- “Phone calls or emails pretending to be from a government entity, such as a Department of Health or major technology company.”
Vishing is obviously now something that not only poorly informed private citizens should fear. It’s become a threat to the enterprise. New school security awareness training can help your employees see the imposture for what it is.
HC3 has the story.