The first line of defense against phishing attacks is your employees
Information Courtesy of Tech Republic
Voice phishing attacks are the latest trend among cybercriminals. In an advisory released in January, the FBI revealed that as of December 2019, cybercriminals have been working together on social engineering campaigns targeting employees at large firms both in the US and abroad. The criminals are taking advantage of VoIP platforms to launch voice phishing, or vishing, attacks.
VoIP (voice over internet protocol) platforms deliver voice communications over the internet rather than over traditional phone lines.
Using VoIP calls, the attackers trick people into logging into phishing sites as a way to steal their usernames and passwords. After capturing these credentials, the attackers manage to gain access to the corporate network where they can easily cause further damage.
Schemes like this are always a threat, but even more so with the increase of remote workers. “With so many employees working from home, threat actors are increasingly turning to vishing campaigns to gain a foothold for privilege escalation,” according to Abnormal Security strategist Roman Tobe.
Impersonating a member of your IT team is one such way for cybercriminals to obtain employee credentials.
A company may not have the proper restrictions on network access and privileges. Keeping track of who has access to which data and resources has become a more challenging task, especially with a distributed workforce. And that’s exactly the kind of scenario that cybercriminals love to exploit.
To protect your organization and employees from these types of phishing and vishing scams, the FBI offers the following tips:
- Require multifactor authentication (MFA) for access to employee accounts to minimize the chances of an initial compromise.
- Grant network access on a least-privilege basis for all new employees. Further, periodically review network access for all employees to reduce the risk of compromise through vulnerable and weak spots on the network.
- Actively scan and monitor for unauthorized access or modifications of key resources. This can help detect a possible compromise as a way to prevent or minimize the loss of data.
- Divide your network into segments. Breaking up a large network into multiple smaller networks helps administrators better control the flow of network traffic.
- Give administrators two separate accounts. One account should have admin privileges so they can make system changes. The other account can be used for email, deploying updates, and generating reports.
- Training employees and securing devices are also two key strategies.
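The FBI’s first and third tips (require MFA; monitor for unauthorized access) can be turned into a routine review of sign-in logs. The following is an added example, not code from the TechRepublic article, the FBI advisory, or any vendor quoted above. It parses constructed sample log lines whose format, field names, user names and addresses are all assumptions, builds a per-user baseline of source addresses seen on MFA-backed sign-ins, and flags the pattern a successful vishing call leaves behind: a successful sign-in without MFA, or a sign-in from a source the account has never used.

```python
"""Added example (not from the article or the FBI advisory): review
constructed authentication log lines for signs of credential misuse.
Two checks are applied to every successful sign-in:
  1. it happened without MFA (first FBI tip), and
  2. it came from a source address the account has never used on an
     MFA-backed sign-in (unauthorized access, third FBI tip).
Log format, field names, users and addresses are all assumptions."""
import re
from collections import defaultdict

# Constructed sample log: timestamp user result mfa source
SAMPLE_LOG = """\
2021-01-14T08:02:11Z user=alice result=success mfa=yes src=10.20.1.15
2021-01-14T08:05:40Z user=bob result=success mfa=yes src=10.20.1.22
2021-01-14T09:17:03Z user=alice result=failure mfa=no src=198.51.100.7
2021-01-14T09:17:45Z user=alice result=success mfa=no src=198.51.100.7
2021-01-14T10:30:12Z user=bob result=success mfa=yes src=10.20.1.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>yes|no) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse each line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Known-good source addresses per user, taken only from MFA-backed successes."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["mfa"] == "yes":
            baseline[e["user"]].add(e["src"])
    return baseline


def find_suspicious(events, baseline):
    """Return (timestamp, user, reason) tuples for sign-ins that need a look."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        if e["mfa"] == "no":
            findings.append((e["ts"], e["user"], "success without MFA"))
        if e["src"] not in baseline.get(e["user"], set()):
            findings.append((e["ts"], e["user"], f"new source {e['src']}"))
    return findings


def review(text):
    """Parse the log, build the baseline from it, and report suspicious sign-ins."""
    events = parse_log(text)
    return find_suspicious(events, build_baseline(events))


if __name__ == "__main__":
    for ts, user, reason in review(SAMPLE_LOG):
        print(ts, user, reason)
```

On the sample above, only alice’s sign-in at 09:17:45Z is reported, for both reasons at once: it succeeded without MFA and came from an address her account had never used on an MFA-backed sign-in. In practice the baseline would be built from a longer history than the window under review, and a hit like this is the trigger to contact the employee and reset the credential.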
“The first line of defense against phishing attacks is your employees,” Hank Schless, senior manager, Security Solutions at Lookout said. “Nowadays, it’s incredibly important to train employees on how to spot these phishing attempts, especially as they do more work on mobile devices. In addition to training employees, securing any device that has access to your network is paramount to preventing issues like this. Without protecting those devices with modern endpoint protection, there will be a significant gap in your overall security posture.”