When the Federal Bureau of Investigations (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) get together to issue an alert to warn us about a security threat, you can bet that the threat is real, and that they have seen it used successfully at an alarming rate.

The joint advisory issued on August 20, 2020, “Cyber Criminals Take Advantage of Increased Telework Through Vishing Campaign,” warns companies of the increased use of vishing attacks by cyber criminals. The advisory defines “vishing” as “a form of criminal phone fraud, using social engineering over the telephone system to gain access to private personal and financial information for the purpose of financial reward” [see related Privacy Tip].

People are always amazed at how much time and effort cyber criminals take to get the big pay-off. I always say this is how they make their living. We go to work every day and get a lot of work done in a legal way, while they go to work every day to figure out how to steal from us. They are spending the same amount of time on strategy, development and implementation to work out the details of the crime as we are in making an honest living. What they are doing in cyber crime is no different than planning for a bank robbery. They have to plan carefully and then execute the crime. That’s what the cyber criminals have done with their vishing campaign.

The vishing campaign referred to in the advisory started with the criminals registering domains and creating phishing pages that duplicate a company’s internal VPN (virtual private network) login page, including the requirement for two-factor authentication or a security passcode. They then obtained SSL (Secure Socket Layer) certificates for the registered domains, including support(victim company name), ticket(victim company name), employee(victim company name), or (victim company name)support. The point is that they are using the actual company name in combination with IT support to lure the victims and convince them into thinking the domain is real. It certainly looks very real.

The criminals then do online research on potential company victims, and according to the alert, “compile dossiers” on employees of the companies “using mass scraping of public profiles on social media platforms, recruiter and marketing tools, publicly available background check services, and open-source research.” This is publicly-available information about companies and their employees that the criminals use to implement the crime. They aggregate the publicly available information and then start calling the employees on their cell phones. When an employee answers, they engage them in conversation as if they know them (from social engineering—including name, address, position in the company) to get them to believe they are from IT support. They advise the employee that the company has changed the VPN and that a link to the new login will be sent, which includes multi-factor authentication, and that they will need to log in to reset the VPN. During the call, they assist the employee in logging in to the VPN and in the process, they gain access to the employee’s log in credentials and now have access to the employee’s account.

Once in the employee’s account, the criminals have access to other potential victims in the company using the same tactics, and are able to “fraudulently obtain funds using varying methods dependent on the platform being accessed.”

The alert acknowledges that this old scam, previously used on telecommunications and internet service provider employees, has now expanded to all industries because of the transition from work at the office to work from home during the pandemic. Companies need to be aware of the campaign, alert their employees, and provide them with resources and tips to avoid falling victim to it.

Photo of Linn Foster Freedman Linn Foster Freedman

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her…

Linn Freedman practices in data privacy and security law, cybersecurity, and complex litigation. She is a member of the Business Litigation Group and the Financial Services Cyber-Compliance Team, and chairs the firm’s Data Privacy and Security and Artificial Intelligence Teams. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations. She counsels a range of public and private clients from industries such as construction, education, health care, insurance, manufacturing, real estate, utilities and critical infrastructure, marine and charitable organizations, on state and federal data privacy and security investigations, as well as emergency data breach response and mitigation. Linn is an Adjunct Professor of the Practice of Cybersecurity at Brown University and an Adjunct Professor of Law at Roger Williams University School of Law.  Prior to joining the firm, Linn served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.