The FBI warned that companies and organizations are increasingly being targeted by voice phishing, or “vishing,” attacks.
In the January 14 Private Industry Notification (PIN), the FBI warned of an increase in the use of social engineering to target remote workers for access to company networks and data.
“[C]yber criminals collaborated to target both US-based and international-based employees’ [sic] at large companies using social engineering techniques. The cyber criminals vished these employees through the use of VoIP platforms…. During the phone calls, employees were tricked into logging into a phishing webpage in order to capture the employee’s username and password… thus allowing them to gain further access into the network often causing significant financial damage,” the notification stated.
While the notification stated that the issue has been under investigation by the Bureau since at least 2019, it mentions that the potential for vishing attacks has increased due to greater difficulty managing and maintaining secure access to networks in the wake of the Covid-19 pandemic.
The notification ends with a series of suggestions to mitigate the risks of vishing and social engineering on company networks, including:
- Enabling multi-factor authentication (MFA) for employee accounts.
- Granting new hires network access on a least-privilege scale, and reviewing employee network access rights.
- Scanning for signs of unauthorized access and unusual network activity.
- Breaking up larger networks into smaller segmented ones to increase oversight and control of network activity.
- Giving network administrators separate accounts with varying access for system administrative activities and day-to-day tasks such as email.
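As an added illustration of the “scanning for signs of unauthorized access” and MFA items above (example code written for this page, not tooling from the FBI or the PIN), the script below scans constructed authentication log lines for the pattern a vishing compromise leaves behind: a successful login without MFA, a login from a source address the account has never used, and one new address logging into several accounts. The log format, the field names and the baseline date are assumptions for the example.

```python
"""Scan constructed auth log lines for indicators of credential misuse
after a vishing compromise. Added example; log format is assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<iso timestamp> <user> <src_ip> <result> mfa=<yes|no>"
SAMPLE_LOG = """\
2021-01-11T08:02:10 alice 10.1.4.22 success mfa=yes
2021-01-12T08:05:41 alice 10.1.4.22 success mfa=yes
2021-01-13T09:10:03 bob 10.1.7.9 success mfa=yes
2021-01-14T13:47:55 alice 198.51.100.77 success mfa=no
2021-01-14T13:52:12 bob 198.51.100.77 failure mfa=no
2021-01-14T13:53:30 bob 198.51.100.77 success mfa=no
"""


def parse_line(line):
    """Split one log line into a dict with typed fields."""
    ts, user, ip, result, mfa = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "ip": ip,
        "success": result == "success",
        "mfa": mfa == "mfa=yes",
    }


def scan(log_text, baseline_before_iso):
    """Return a list of (user, src_ip, reason) findings.

    Successful logins before baseline_before_iso define each user's known
    source addresses. Later successful logins are flagged when they lack
    MFA or come from an address not in that user's baseline; a single new
    address that logs into more than one account is flagged as well.
    """
    baseline_before = datetime.fromisoformat(baseline_before_iso)
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    known_ips = defaultdict(set)  # user -> addresses seen in the baseline
    for e in events:
        if e["success"] and e["ts"] < baseline_before:
            known_ips[e["user"]].add(e["ip"])

    findings = []
    users_per_new_ip = defaultdict(set)  # new address -> accounts it reached
    for e in events:
        if e["ts"] < baseline_before or not e["success"]:
            continue  # baseline period or failed attempt: nothing to flag here
        if not e["mfa"]:
            findings.append((e["user"], e["ip"], "success without MFA"))
        if e["ip"] not in known_ips[e["user"]]:
            findings.append((e["user"], e["ip"], "new source address"))
            users_per_new_ip[e["ip"]].add(e["user"])

    # One unfamiliar address reaching several accounts suggests harvested credentials.
    for ip, users in users_per_new_ip.items():
        if len(users) > 1:
            findings.append(("*", ip, f"same new source address used for {len(users)} accounts"))
    return findings


if __name__ == "__main__":
    for user, ip, reason in scan(SAMPLE_LOG, "2021-01-14T00:00:00"):
        print(f"{user:6} {ip:15} {reason}")
```

The baseline window is deliberately simple; in practice the known-address set would come from weeks of history and be keyed on more than the bare source IP (device, geolocation, ASN), but the three checks map directly onto the PIN's advice: MFA gaps, unfamiliar access, and one source touching many accounts.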
See the PIN here.