Imagine this scenario:
While working from home, you receive a call. The person on the other end says they’re calling from IT. It’s come to their attention that the recent firewall upgrade is blocking employees from accessing the network through the VPN. To resolve the issue, they’re going to have to reset everyone’s user profiles.
The situation strikes you as odd, but they mention speaking to your colleague, who they refer to by their nickname. When you ask why you’ve never met them in the office, they explain the IT Manager brought them on recently to help with the work-from-home transition when COVID-19 hit. Makes sense. You remember hearing that they were posting a couple of contract positions online.
As you reflect on how you never saw a new hire announcement, they bring up the news that your team had recently signed a new client — an achievement you’re particularly proud of since you helped wrap up the deal. The news hadn’t been made public yet, so surely they had been a part of last week’s quarterly update call on Zoom.
How it happens
The caller tells you they need to walk through the login process. They bring your account up to ensure the information has been carried over properly. You trust the process. It sounds legitimate.
They confirm your VPN username and ask you to read back your password. “Oh, that’s not what we have in the system,” they tell you. “I can either assign you a new password or just set it back to the one you’re using. That might be easier for you to remember, plus that password is stronger.” Knowing this call is already making you late for your next Zoom meeting, you agree and quickly read it back to them one last time. They tell you everything looks good, you sign back onto the VPN with no issues and continue with your day.
Two months later, your company sends out a panicked email notifying all staff that the organization’s server has been compromised. Soon, you’ll find out that you are the reason why it happened.
What is voice phishing?
By now, most people have had a voice phishing (or ‘vishing’) attack attempted on them: a phone call from someone claiming to be your bank, Microsoft or Revenue Canada, perhaps telling you that you’re part of a criminal inquiry. (Hint: here’s a list of what the Canadian government will and will never do.) All three are examples of voice phishing: a caller trying to get you to disclose information, whether personal or professional details, to aid in their attack.
Just as with email phishing, the scammer likely already knows something about you. They could mention the weather in your city, your colleague by name or even congratulate you on a recent promotion you received — all details which can be easily found through your Facebook or LinkedIn page. This social engineering is used to make you feel at ease and let your guard down.
Work-related voice phishing calls are on the rise
According to the Canadian Anti-Fraud Centre, voice phishing has been on the rise since the beginning of the COVID-19 pandemic. In the first seven months of 2020, the centre received 23,655 reports tied to telephone solicitations. That’s on track to nearly double compared to 2019, when it received 24,835 reports for the whole year.
Because of the pandemic, there has been a major dispersal of employees to working from home, many for the first time. While IT teams rushed to get every employee a laptop and VPN access so they could keep working, many organizations skipped one critical step: additional cyber security training tailored to the new remote work setup. This gap has led scammers to target both new hires who are unfamiliar with the organization’s IT processes and employees at large corporations who have likely never met the security team.
How to recognize the red flags of vishing attacks
Anytime an unknown caller asks for information from you, be on high alert. Here are a few of the most common warning signs:
If they ask you to share your password
A legitimate IT team will never ask you to disclose your password over the phone. If an issue regarding login credentials should arise, they will send you a link to reset your password yourself.
If they ask you to read a two-factor authentication code
Many accounts now require two pieces of evidence (factors) to log in or to make changes to your credentials. If anyone asks you for the code from your authenticator app or hardware token, or for one sent to your phone by SMS or to an alternate email address, do not read it to them.
If they ask to take control of your screen
While screen sharing is a common method of troubleshooting issues, be concerned if they ask to take control of your computer. Always verify who you’re speaking to (more on this below) before granting access, and carefully watch what they’re doing the entire time. That means no checking your email or playing on your cellphone until the “update” is done.
How to protect yourself from voice phishing
Lastly, here are six ways to help keep you and your organization safe from voice phishing:
1. Don't answer calls from unknown numbers.
Let it go to voicemail. Sophisticated attackers can spoof a company name in the caller ID, which makes the call tempting to answer, but your safest bet is to answer only calls from known contacts. If you do answer, ask whether you can call them back, and use that time to verify that the caller is who they claim to be.
2. Verify their identity.
Look up the person’s name in your company’s employee database. If your organization uses an instant messaging tool like Teams, Slack or Skype for Business, shoot them a quick message. If they are the person who tried reaching out, they’ll be able to verify this. If they’re confused about your message, that’s a major red flag that may indicate you’re dealing with an imposter.
3. Ask them to send you an email.
If you’re unable to reach out via instant messenger, ask them to send you an email from their work account so you can verify their role. While this request may seem silly, if they are a legitimate IT employee, they’ll appreciate your skepticism.
4. Engage with your IT team.
If you’re unable to verify the person’s identity with any of the above steps, reach out to your IT team directly to confirm this call was warranted and approved before proceeding.
5. Don't overshare.
As nice as it might be to have a caller take interest in how your day is going or ask questions about your job, keep your guard up. Only answer questions you would feel comfortable disclosing to someone outside of your organization until you’re able to confirm the caller’s identity.
6. Never stop learning.
Voice phishing attacks are becoming more sophisticated, which makes these schemes harder to spot. Keep up to date on cyber security news to stay in the know and encourage your team to do the same. Corporate online safety training is also a must.
If a call gives you pause, trust your gut. To learn more about how you can keep you and your organization safe, check out the related articles below.