A standard phishing campaign uses email to try to trick people into divulging confidential information. But attackers are increasingly employing a variant of that ploy known as vishing, short for voice phishing. In a vishing attack, the scammer still impersonates someone from a trusted company but uses a phone call as the weapon of choice.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
In some cases, the attacker calls or leaves a voicemail message for the intended victim. In other cases, the criminal sends an email with a contact phone number urging the recipient to call that number. Whatever method is used, the attacker relies on savvy social engineering tactics to convince the person to provide financial or account information during the phone call.
In a report published Thursday, cybersecurity firm Armorblox looked at two recent vishing campaigns that spoofed Amazon as a way to capture credit card details.
In the first campaign, an email sent from a Gmail account used the subject line of “Invoice:ID” followed by a long and seemingly legitimate invoice number. The message spoofed the look and layout of an actual Amazon email and referenced an LG OLED TV and XBOX console allegedly bought by the recipient.
The real threat in the email was a “Contact Us” phone number in the body of the message. When researchers from Armorblox called this number, a real person answered the call, pretending to be from Amazon. That person asked for an order number, name and credit card details before becoming wise and hanging up.
In the second campaign, an email was sent using an address of firstname.lastname@example.org, which at first glance looks like an actual Amazon address. Titled “A shipment with goods is being delivered,” the message carried a random order number to seem more legitimate.
As with the first email, this one included a phone number, asking people to call if they wanted to return the items in question. In this case, Armorblox researchers who called the number initially ran into an endless ringtone and eventually no answer, indicating that the number had been taken down. However, the attackers could easily set up another number to restart the campaign.
Both emails received a Spam Confidence Level (SCL) of ‘1’ from Microsoft’s Exchange Online Protection (EOP), which meant the messages were not considered spam and were sent to the inboxes of the intended recipients.
How to protect yourself
To help your organization fend off vishing attacks and other threats, Armorblox serves up four pieces of advice.
- Supplement your native email security with additional protection. Both emails cited in the report got through after Microsoft’s EOP determined that they were not spam. To avoid that type of situation, add more layers to augment your native security, especially ones that use a different approach to detect threats. Armorblox recommends Gartner’s Market Guide for Email Security as a helpful starting point to evaluate different products.
- Look out for social engineering cues. Rather than accept an email at face value, scrutinize it in a more methodical way. Inspect the email’s sender name, sender email address and language. Look for any clear inconsistencies within the message that trigger such questions as “Why is Amazon sending an email to my work account” or “Why are the call-to-action buttons in the email not working?
- Avoid sharing sensitive information over the phone. Beware of anyone who asks for personal or sensitive details via a phone call. If you think the call may be a vishing attempt, simply hang up. If you feel you need to call back, don’t contact the person through any phone number listed in the message. Instead, run a search for a publicly available number for the company.
- Follow best practices for multifactor authentication (MFA) and password management. Vishing attacks often try to snag your account credentials as well as your financial information. Protect the user accounts in your organization through the following methods: 1) Implement MFA on all accounts and for all sites. 2) Don’t use the same password across multiple accounts. 3) Use a password manager to store your passwords. 4) Avoid using passwords that reference publicly available details such as your date of birth or anniversary date. 5) Don’t use generic passwords such as “password,” “123456” or “qwerty.”