This posting is most relevant to those of you working from home, but vishing attacks can happen to anyone with a phone. If you are currently teleworking, read on.
Most successful cyber breaches start when a human with access to a network falls prey to a phishing attack by clicking a link or opening an attachment in a fraudulent email. Attackers use various social engineering techniques in composing a message that is convincing enough for us to believe it is trustworthy.
But some of these attacks start with a phone call instead. Vishing (voice phishing) is the term for cyber attacks that begin with a phone call rather than an email.
This week the Federal Bureau of Investigation (FBI) and U.S. Cybersecurity and Infrastructure Security Agency (CISA) posted a warning about vishing scams aimed at teleworkers. Most start with a phone call from someone posing as a member of your organization's information technology (IT) department. The caller convinces you—the worker—to click a link or navigate to a particular web page that is designed to look like your employer's web site.
If you receive a call from your IT department while working remotely, the best thing to do is politely hang up and call the known number for your IT service desk to inquire if they placed a call to you. Remember that you cannot trust the phone number displayed on your caller ID because it is easily spoofed (faked) to look like a trustworthy number.
For more information see Brian Krebs' article at https://krebsonsecurity.com/wp-content/uploads/2020/08/fbi-cisa-vishing.pdf.
For CISA telework security guidance, see https://www.cisa.gov/telework-guidance-home-users.
For tips about recognizing and avoiding phishing scams, see the Federal Trade Commission (FTC) web site at https://www.consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams#recognize.