Security Management, Security Program Controls/Technologies, Training, Email security

Vishing Attacks Crest $1B: How MSSPs Can Help

Today’s columnist, Roger Northrop of Mutare, writes that security teams need to focus more on the vishing and malware attacks targeting voice networks. (Credit: Stock Photo, Getty Images)

Telephone scams, often referred to as vishing--a contraction of voice and phishing--are gaining steam among cyber spoofers, as witnessed by the $1.2 billion lost to the swindles last year, according to Federal Trade Commission (FTC) figures.

Overall, consumers lost $8.8 billion to fraud in 2022, the agency said. Number one on the list of fraud schemes was imposter trickery. Reported losses to business imposters was $660 million in 2022.

Losses to phone scams yielded the highest reported loss per person with a median of $1,400.

Vishers are high volume hackers that use social engineering tactics to lure victims to interact with them mostly using an email, text message, phone call, or direct-chat messages. Indeed, a recent study by endpoint security cyber defender Trellix found vishing spiked 142% from Q3 2022 to Q4 2022. Some 85% of vishing attacks were tied to free email services.

How MSSPs Can Help Defend Against Vishing

As the figures show, vishing is not confined to consumers but, in actuality, is more of a business heist, hitting unaware and under trained employees. Managed security service providers (MSSPs) versed in anti-social engineering training and education, should take note of the opportunity to provide additional value to their business customers.

The core of a vishing attack lies in preying on people’s good intentions by tricking them--often with threats--into providing confidential information such as credit card numbers and internal business data, that they wouldn’t otherwise disclose. The tricksters typically impersonate powerful government agencies such as the FTC to strong-arm their victims into talking with them or returning voicemails.

How Vishing Thwarts Phishing Defenses

Vishing emails can readily skirt traditional security defenses, like secure email gateways (SEGs), because they do not contain malicious, detectable links. These missing lures can make it easy for threat actors to impersonate trusted people within an organization, convincing untrained employees to call a unique phone number. Once called, the employee engages verbally in a convincing conversation or message and is fooled into handing over sensitive information.

While vishing may be difficult to slow down, training and education of employees can help. This is where companies such as Cofense, Imperva and others come in. Cofense, for one, has developed a managed and customizable solution that trains employees to identify and report vishing threats that bypass a company’s SEGs.

Cofense’s solution combines its simulation technology with a new voice response technology to help enterprise organizations defend against vishing threats.

“To illustrate the devastating power of this type of attack, vishing was used successfully in the recent crippling cyberattacks on the MGM casinos,” said Jason Reinard, senior vice president of product engineering at Cofense.

Last August, ransomware hijackers addled MGM’s networks and demanded an undisclosed ransom to bring their systems back online. The company subsequently said the attack would cost it some $100 million.

Imperva, a cybersecurity protector, recommends the following to slow down vishing campaigns:

  • Never reveal personal data. Vishing attacks are designed to trick the target into revealing personal information, which attackers can use for other attacks or fraud. Never give a multi-factor authentication (MFA) number, password, financial data, or similar details over the phone.
  • Always check phone numbers. Vishers may call you posing as representatives of a legitimate organization. Before you provide any personal information or follow a caller’s instructions, get their name and make sure you can contact them through an official company number. If the caller attempts to dissuade you from doing this, it’s likely a scam.
  • Organizations do not accept payment via prepaid or gift cards. Vishers often ask for payment for amounts the victim supposedly owes in the form of prepaid cards or gift cards. No legitimate organization will request a prepaid credit or gift card as payment.
  • Never give remote computer access.Vishers could request remote access to your computer under the guise of removing malware or fixing some issue. You should never grant anyone access to your computer, unless they are a verified member of an IT department.
  • Report suspicious incidents. Vishers typically repeat the same scam on several targets. Report suspected vishing attacks to authorities or security staff at your organization, ensuring they can protect other targets.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.