Researchers at Google’s Mandiant have published a report on voice phishing (vishing) attacks, noting that these attacks have served as initial access points for recent waves of ransomware incidents.
Threat actors often perform reconnaissance before launching social engineering attacks, collecting publicly available information in order to craft tailored, realistic scenarios.
“With sufficient reconnaissance data, an attacker can formulate targeted campaigns reflecting plausible employee scenarios,” the researchers explain. “A common pretext for contacting a service desk is a forgotten password. Many organizations verify employees using multiple factors.
"While initial reconnaissance might provide an attacker with answers for knowledge-based authentication methods, challenges arise if device-based verification is required. An attacker might impersonate an employee who claims their phone is unavailable (e.g., damaged or lost during travel) and who needs urgent account access. Another common practice is for actors to impersonate employees identified as being on personal time off (PTO) via out-of-office replies, leveraging a sense of urgency to persuade service desk personnel.”
Mandiant concludes that employee training offers an important layer of defense against these attacks:
- “Conduct regular phishing simulation exercises that include vishing scenarios to educate employees about the specific risks of voice-based social engineering
- Train employees to always verify unexpected calls or requests for sensitive information, especially those claiming to be from IT support or other internal departments, by using an official internal directory to initiate a call-back or by contacting their manager
- Train employees to recognize common vishing pretexts (e.g., urgent requests to avoid negative consequences, claims of system issues requiring immediate action, unexpected MFA prompts)
- Equip service desk employees with access to logs of previous calls and tickets to help identify abnormal patterns, such as repeated calls from unrecognized numbers or sequential MFA reset and password reset requests for the same user”
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Mandiant has the story
Here's how it works:
