by Brian McDonald, Security Officer, Mutare, Inc.
Who would have guessed that, in 2022, the humble phone would become a favorite weapon for cybercriminals intent on infiltrating high-profile organizations in order to disrupt operations, embed ransomware news advance extortion schemes, and steal customer data?
Just ask Twitter, Twilio, Cisco, Robinhood and Uber. Despite the technological sophistication of their own offerings, all fell victim to damaging data breaches perpetrated by criminal agents whose point of entry was through a simple phone call. This emerging threat vector has come to be known as “voice phishing” or simply, vishing.
Obviously, there is nothing new about scam calls. However, voice phishing has steadily evolved into a criminal artform.
Most commonly, the attack is perpetrated by an adversary, either working alone or as part of an organized cybercriminal gang, who first seeks out vulnerable human targets through data mining and reconnaissance calling.
Once a connection is made, the impostor gains trust through psychological manipulation (social engineering) in order to extract protected information or account login credentials.
Sometimes the call comes on the heels of a related email notification or text message. Other times an email or text may include a call-back number that connects the victim to a call center manned by co-conspirator agents trained in social engineering techniques.
In all cases, the goal is the same: to lower the resistance of the victim through the power of the human voice connection.
Employees, unlike consumers, cannot simply ignore calls from unknown sources, which makes them particularly vulnerable to socially engineered manipulation.
In fact, this recent study showed that more than 37% of vishing attempts actually will succeed at extracting the desired action from unsuspecting human targets. When combined with a phishing email (hybrid phishing/vishing), the success rate rose to 75%.
2022 saw a startling 550% rise in reported enterprise vishing attacks that affected a reported 70% of all organizations, with several factors fueling this sharp acceleration.
First, impostors have broadened their access to the tools of deception thanks to digitalized public sources, unprotected social media accounts, and the vast repository of stolen information found on the Dark Web. Some may add deep fake voice manipulation technology to further their deceit.
And, while the transition from analog calling to Voice over Internet Protocol (VoIP) over the past decade has enabled high quality, low cost, global voice communications and collaboration, it has also super-charged the ability of nefarious criminal agents, using auto-dialers, pre-recorded messages, caller ID spoofing, generous VoIP bandwidth and cheap, untraceable overseas call centers, to reach thousands of intended victims with little effort, expenditure, or risk.
As with other forms of cybercrime, financial reward is the driver behind most vishing attacks. But not always. The Lapsus$ vishing gang, for instance, openly brags about their hacks which have included Uber, Cisco, Microsoft, and others, posting screen grabs on social media as proof and then leaking parts of their stolen data to the press.
While dealing with the financial damages of these attacks, their victims must also deal with the brand damage that results from a public outing of a security breach (because, let’s face it, enterprises are loath to admit they’ve been hacked unless forced to).
In other words, organizations that think they might be able to quietly cover up a data breach are facing the reality, and potential punitive damages, of a new kind of adversary who prefers to publicize, rather than hide, their participation in criminal activity.
So why, with the nearly $172 billion in expenditures put forth by companies to secure their IT infrastructures and digital networks, is the threat of voice phishing so rampant?
The answer is two-fold:
- Cybercriminals have discovered that humans are far easier to crack than firewalls.
- Protection of human endpoints from criminal contact via the phone has fallen under the radar of CSOs, whose efforts are primarily directed at data network protection.
There is no one solution. Rather, a multi-pronged approach is required to blunt the threat of voice phishing. There is always a place for additional employee training that raises awareness of this growing attack vector, but as study after study has shown, attempts to modify human behavior provide little defense against these skillful adversaries.
The most meaningful action to take should be one that prevents these callers from reaching their human targets in the first place.
Voice traffic filtering solutions have evolved beyond simple robocall blocking and now include sophisticated call data analytics capabilities designed to detect signs of nefarious activity and deflect those suspect callers away from their intended victims.
These applications do not just reduce disruptions from unwanted calls; they significantly reduce the possibility of cyber-intrusion through a successful vishing scheme. Implementing advanced voice traffic filtering technology should be part of every organization’s cyber-protection strategy in 2023 and beyond.