Vishing: defending against a growing threat


Interpol recently revealed an increase in “vishing” fraud. During these campaigns, hackers pretended to be institutions in order to trick victims into providing their login details. That finding stems in part from 2,000 arrests in a crackdown on social engineering racketeering in two months this year. Whether at the level of the company or of the individual user, it is essential to put in place the right measures to keep personal information safe from compromise.

Vishing is an attack vector that uses a telephone call, most often over VoIP (Voice over Internet Protocol) because of its low cost. In this scenario, cybercriminals present themselves as trusted, and sometimes high-ranking, people, such as a CEO, in order to extract financial or personal information (passwords or account numbers, for example) or to convince a user to download malicious software. The purpose of a vishing attack is the same as that of a phishing attack. However, instead of a fraudulent link, it relies on psychological persuasion to gain the individual's trust, which makes it all the more formidable.

Deploy a prevention policy

The first step in protecting against this type of compromise is to proactively develop an anti-vishing strategy, with awareness at the heart of it. Employees and partners should understand that calls are inherently insecure and should be handled with caution. To provide a preliminary layer of defense, a company can implement several security measures. An application that verifies the authenticity of a call is particularly beneficial, since attackers can easily create spoofed numbers through VoIP services. Deploying a tool that can detect such numbers and check whether they correspond to a standard phone line is a good way for the organization to prevent scams.

Education on good practices must also become a priority. At the employee level, this awareness helps them identify attack attempts, react and report them in time. For individuals, it is important to avoid sharing any personal information by SMS or voice call, especially when the identity of the caller has not been verified. To protect themselves, they can hang up and then call an official number from another phone to confirm that the caller's request is legitimate. Indeed, even if the person contacted ends the call, the fraudster can divert the next one, because the line remains open. In particular, the cybercriminal can impersonate a trusted entity, such as a bank or a government organization, in order to steal sensitive data.

Companies should also set policies governing how caller IDs are verified and what types of information may be revealed, when, by whom, and to whom. In addition, employees must know to whom to escalate each request and what procedure to follow in the event of a suspected attack or unusual event. For the most critical requests, such as a financial transaction, it is essential to implement a process that requires several validations before a transfer and secure authentication to the systems for everyone involved. Moreover, to guarantee an additional level of security, an organization has every interest in deploying a zero trust approach. This requires that the identity of every device and every user be strictly verified, whether or not they are inside the network perimeter, before access to corporate resources is granted. To meet these cyber threats, organizations must consider the large-scale deployment of strong authentication, as it is one of the pillars of a zero trust strategy.
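One way to encode the transfer policy described above, as an added example that is not part of the original article: a check that accepts a transfer only with enough distinct, MFA-authenticated approvers (the requester never counts), that rejects any approval given over an inbound call, and that requires a callback to a number on file above a higher amount. The thresholds and channel names are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Policy thresholds: constructed values, not from the article.
DUAL_CONTROL_THRESHOLD = 10_000.0   # two approvers at or above this amount
CALLBACK_THRESHOLD = 50_000.0       # also needs an outbound callback confirmation
TRUSTED_CHANNELS = {"portal", "callback"}  # approvals accepted only from these


@dataclass(frozen=True)
class Approval:
    approver: str
    mfa_verified: bool   # approver signed in with a second factor
    channel: str         # "portal", "callback" (we dialled out) or "inbound_call"


@dataclass
class TransferRequest:
    requester: str
    amount: float
    approvals: list = field(default_factory=list)


def evaluate_transfer(req: TransferRequest) -> tuple[bool, list[str]]:
    """Return (approved, reasons). An empty reason list means the transfer may proceed."""
    reasons = []
    # Inbound calls are never a trusted channel: the caller's identity is unverified.
    for a in req.approvals:
        if a.channel not in TRUSTED_CHANNELS:
            reasons.append(f"approval from {a.approver} over '{a.channel}' is not accepted")
    # Only MFA-verified approvals on a trusted channel from someone other than the requester count.
    valid = [a for a in req.approvals
             if a.mfa_verified and a.channel in TRUSTED_CHANNELS and a.approver != req.requester]
    distinct = {a.approver for a in valid}
    required = 2 if req.amount >= DUAL_CONTROL_THRESHOLD else 1
    if len(distinct) < required:
        reasons.append(f"need {required} distinct MFA-verified approver(s), have {len(distinct)}")
    # High-value transfers must be confirmed by calling back a number already on file.
    if req.amount >= CALLBACK_THRESHOLD and not any(a.channel == "callback" for a in valid):
        reasons.append("amount requires confirmation via callback to a number on file")
    return (not reasons, reasons)
```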

Strong authentication, the cornerstone of effective cyber defense

It helps to understand what vishing is and to stay vigilant about it, but education alone is not enough. Social engineering attacks such as vishing are increasingly sophisticated, and the employees who may be targeted remain a point of vulnerability.

Therefore, deploying strong multi-factor authentication (MFA) across critical devices and applications is beneficial for increased security. MFA also offers a better user experience, which facilitates its adoption at the enterprise level, unlike complex point solutions that only protect one category of individuals.

To qualify as “strong”, authentication must be based on multiple stages of identity verification and not on shared secrets alone, such as passwords. These stages, which once passed confer the requested access, can for example be based on fingerprint or facial biometrics, or even on hardware security keys, which cannot be hacked remotely. The more layers of defense a network has, the more robust its security will be against vishing, as each layer is an additional barrier for the cybercriminal.

As attack methods multiply, and vishing attempts in particular, data protection must become a priority. To achieve this, deploying security measures and raising user awareness of best practices are the best solutions. Above all, they make it possible to report and block any approach by the cybercriminal. The sooner an organization is informed, the sooner it can respond, ensure business continuity and safeguard its systems.
