If you own a phone, you have probably received a shady call from an unknown number trying to obtain your private information. What you may not know is that these calls are becoming increasingly harmful for businesses.
What is a Vishing Attack?
Vishing attacks (or voice phishing attacks) typically involve a scammer seeking to gain confidential information by pretending to be someone else.1 For example, a scammer may introduce themselves as someone from a bank, the government, or a company's IT department. The goal of a typical vishing attack is to obtain personal information that will unlock further opportunities, such as the ability to steal an individual's money or identity or deploy a ransomware attack on a company's computer system.2
The
Vishing on the Rise
In recent years, vishing attackers have refined their methods to use increasingly sophisticated tools to convince their victims to divulge information. This includes manipulating their caller ID to display a legitimate number and voice cloning, which uses machine learning algorithms and voice changer technology to mimic a trusted individual's voice.4
In
Prevention and Mitigation Measures
To better protect you and your company from these threats, agencies such as the
-
Use built-in smartphone spam protection features;8
- Attempt to block automated calls or calls from unknown numbers; and
- Exercise caution when faced with suspicious behavior such as:
- callers seeking sensitive information;
- scare tactics or high pressure from callers;
- offers that sound too good to be true; or
- signs that are uncharacteristic of legitimate corporations and government agencies, such as calls with poor audio quality, or callers with a robotic tone or unnatural rhythm to their voice;9
Companies should train staff on vishing attacks, new kinds of phishing campaigns and how to respond if targeted.10 It is also good practice to periodically test employees with simulated vishing attacks, to identify when further training or awareness campaigns may be needed. However, since it is impossible to reduce the risk of a successful vishing attack entirely, it is key for companies to use a layered security approach. In particular, companies should consider implementing the following mitigation measures:
-
Implement multi-factor authentication (MFA) for accessing employees' accounts in order to minimize the chances of an initial compromise.11 One-time passwords are preferred over push notifications (which are sometimes accepted due to MFA fatigue, without knowing the source of the request);12
- Grant new employees access on a least privilege scale;13
- Actively scan and monitor networks for unauthorized access or modifications;14
- Utilize network segmentation to break up one large network into multiple smaller networks to better control the flow of network traffic;15 and
- Issue two accounts to administrators: one account with admin privileges to make system changes and another account for email, deploying updates, and generating reports.16
Footnotes
1.
2.
3.
4. What is Vishing, s.v. "How does a vishing scam work".
5.
6.
7.
8. What is Vishing, s.v. "Tips for spotting and avoiding vishing scams".
9. Don't Take the Bait, s.v. "Something may be phishy if".
10. What is Vishing, s.v. "Tips for spotting and avoiding vishing scams".
11. FBI Private Industry Notification, at page 2.
12. Vishing on the Rise, at page 2.
13. Supra Note 11.
14. ibid
15. ibid
16. ibid
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
©
Mr
Tel: 4168657000
Fax: 4168657048
E-mail: info@mcmillan.ca
URL: www.mcmillan.ca
© Mondaq Ltd, 2022 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source