Watch Out For ‘Vishing’ Attacks
“Vishing” attacks, phishing attacks carried out by voice call rather than text, are on the rise, and insurance regulators are growing concerned.
Last Friday the New York State Department of Financial Services (NYSDFS) issued an alert to the banking and insurance entities it regulates. The message: Be on the lookout for these kinds of attacks. Although NYSDFS has no jurisdiction over Connecticut insurance businesses, its advice is worth heeding.
In a vishing attack, attackers call employees and pretend to be from the company’s IT help desk. They even spoof phone numbers so the call looks legitimate on caller ID, then convince victims to click on dodgy links. Those links lead to fake login pages that look just like the real systems. Once someone types in a username, password and even a multi-factor code, the attacker essentially has the keys to log into corporate systems.
Vishing isn’t brand new, but criminals are using it more often, especially against financial services firms, and it’s working all too well. If attackers trick employees into sharing credentials or MFA codes, they gain remote access and can do all sorts of damage.
Here are some things you can do to protect your agency from vishing attacks:
- Set up solid identity checks so personnel don’t rely on caller ID alone when someone claims to be IT.
- Train employees on social engineering, especially this voice-based variant. This YouTube video explains it well.
- Regularly review who has access to what, and make sure permissions aren’t too broad.
- Check your multi-factor authentication (MFA) settings: make sure only authorized people can enroll devices or change settings.
- Monitor for strange login activity and have alerts in place so you can spot trouble fast.
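As an added illustration of the last two controls (this is example code, not part of the NYSDFS alert or this post), the script below scans constructed sample authentication events and flags a login from an IP address the user has never used, followed within a short window by enrollment of a new MFA device, which is the pattern a stolen password plus MFA code tends to leave. The event names, log fields, baseline IP list and 30-minute window are assumptions, not a real product’s format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events (not real logs); one JSON record per line.
SAMPLE_LOG = """
{"ts": "2024-05-10T09:02:11", "user": "alice", "event": "login_success", "src_ip": "203.0.113.8"}
{"ts": "2024-05-10T09:04:30", "user": "alice", "event": "login_success", "src_ip": "203.0.113.8"}
{"ts": "2024-05-10T13:15:02", "user": "alice", "event": "login_success", "src_ip": "198.51.100.77"}
{"ts": "2024-05-10T13:16:40", "user": "alice", "event": "mfa_device_enrolled", "src_ip": "198.51.100.77"}
{"ts": "2024-05-10T14:00:00", "user": "bob", "event": "login_success", "src_ip": "203.0.113.9"}
"""

# Assumed alerting window: an MFA enrollment this soon after a login from an
# unfamiliar IP is treated as suspicious and should be checked with the user.
ENROLL_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse newline-delimited JSON records into a list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_suspicious(events, known_ips):
    """Return alerts as (alert_type, user, src_ip, timestamp) tuples.

    known_ips is an assumed baseline: user -> set of IPs seen before this log window.
    """
    alerts = []
    seen = {user: set(ips) for user, ips in known_ips.items()}
    last_new_ip_login = {}  # user -> time of most recent login from an unfamiliar IP
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["src_ip"]
        if ev["event"] == "login_success":
            # First login from an address not in the user's baseline.
            if ip not in seen.setdefault(user, set()):
                alerts.append(("new_ip_login", user, ip, ev["ts"]))
                last_new_ip_login[user] = ts
                seen[user].add(ip)
        elif ev["event"] == "mfa_device_enrolled":
            # Enrollment shortly after a new-IP login: escalate, do not just log.
            last = last_new_ip_login.get(user)
            if last is not None and ts - last <= ENROLL_WINDOW:
                alerts.append(("mfa_enroll_after_new_ip_login", user, ip, ev["ts"]))
    return alerts


if __name__ == "__main__":
    baseline = {"alice": {"203.0.113.8"}, "bob": {"203.0.113.9"}}
    for alert in find_suspicious(parse_events(SAMPLE_LOG), baseline):
        print(alert)
```

In practice the baseline would come from your identity provider’s sign-in history, and the enrollment alert should trigger an out-of-band call back to the employee on a number from the directory, not the one that called them.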
And if you do think you’ve been hit, report it as soon as possible to the Connecticut Attorney General and any other relevant authorities such as the Federal Bureau of Investigation (FBI).
In short, vishing might sound old-school; it’s basically phone-based phishing. However, it’s evolving, it’s real, and regulators are worried about it. We suggest you educate yourselves and your staff on this threat and tighten defenses now.