Nefarious vishing attacks were up by over 500% in 2021, according to a recent report. Yet, most enterprise security professionals still overlook their unprotected voice channels and focus instead on securing data networks for web and email.
Both inbound and outbound voice traffic pose serious risks to organizations from social engineering scams based on robocalls, vishing, smishing, or spear-phishing attacks. Such unwanted calls can lead to dangerous data breaches, and at a minimum they reduce employee productivity through constant distraction.
The bad guys have adopted a range of malicious techniques to steal private information, data, and IP, which can then be sold over the dark web. Their attack strategies continue to evolve over time, but we have identified five main types of voice scams that create vulnerabilities for unprotected businesses.
The top categories include:
- TDoS Attacks: Denial-of-service attacks attempt to make a telephone system unavailable to the intended user by preventing incoming and/or outgoing calls. The objective is to keep the distraction calls active for as long as possible to overwhelm the victim’s telephone system, which may delay or block legitimate calls for service, including to emergency responders and call centers.
- Ransomware Attacks: The increase of ransomware on mobile devices is particularly disturbing for organizations that allow employees to use their personal mobile devices in the workplace and remotely. Security researchers have found examples of ransomware being transferred from a mobile device to a networked system via corporate Wi-Fi. Too often, these attacks succeed when untrained employees innocently click on a malicious text message link.
- Data Theft/Breach: The security industry got an unpleasant wakeup call last November from the infamous Robinhood data breach, which stemmed from a vishing attack. Once criminals can build enough trust to convince employees to share information over the phone, they can gain access to other critical systems for customer, employee and stakeholder data.
- IP Theft: Intellectual property thefts can quickly escalate from simple human errors to become serious problems. When attackers trick employees into unlocking company ideas, projects, inventions, or other assets, the attackers can gain access to valuable trade secrets, patents and proprietary software.
- Identity Theft: Clever criminals can also use social engineering methods through vishing, smishing and automated robocalls to steal credentials or logins for senior leadership. These kinds of spear-phishing attacks provide an easy way to impersonate a company executive and gain access to secure files or data.
All these threats to voice networks are further aggravated by the growing number of collaboration platforms used for both internal and external business communications. For instance, a company may use Cisco WebEx or Microsoft Teams internally for video conferencing and have it completely locked down. But when employees need to make or receive external calls from different applications that are not company-sanctioned, the threat surface widens.
More types of work functions are being done on these collaboration platforms today, including calls, information-sharing and virtual meetings. Businesses may think they are simplifying things by improving workforce collaboration, but as these platforms remain open, they are in fact adding new layers of complexity and risk to the business.
Regular phone calls can either be ignored or blocked with a spam filter, but now when a VoIP call rings all devices at once — phone, tablet, and computer — it cannot be stopped. In one recent example, a global pharma organization with 48,000 employees and $6.2 billion in revenue was testing out Microsoft Teams for its employees when it found that 14% of its inbound calls were unwanted. Based on extrapolations from industry data, that amounted to a $407,000 annual productivity loss and 240 threat attempts daily. Receiving so many unwanted calls made Teams untenable for their use, leading to both security risks and lost productivity.
As soon as new vulnerabilities get discovered and patched, newer threats get unleashed. We already know all this. That’s why more attention must be paid to safeguard voice networks. Companies should include vishing in their security penetration tests, automated security controls and security awareness training to find and plug these vulnerabilities before damaging loss events can happen.
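The TDoS bullet above describes a flood of inbound calls meant to overwhelm a telephone system, and the closing paragraph calls for automated security controls. The following is an added example, not code from the article or from any vendor it mentions, of the kind of control a defender can run over call detail records (CDRs): a sliding-window detector that flags a caller placing an unusual number of inbound calls in a short period, plus a calculation of the unwanted share of inbound calls in the style of the 14% figure quoted above. The CDR format, the field names, the thresholds and the sample records are all constructed assumptions for illustration.

```python
"""Flag TDoS-style call floods and measure the unwanted share of inbound calls.

Added example (not from the original article). The CDR layout, disposition
values, thresholds and sample data below are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample CDRs: "timestamp,direction,caller,callee,disposition".
# Caller +15550100 places five calls in about half a minute (a flood);
# one call was already blocked by an upstream filter; the rest are benign.
SAMPLE_CDRS = """\
2022-03-01T09:00:01,in,+15550100,+15559000,abandoned
2022-03-01T09:00:05,in,+15550100,+15559001,abandoned
2022-03-01T09:00:12,in,+15550100,+15559002,abandoned
2022-03-01T09:00:20,in,+15550100,+15559003,abandoned
2022-03-01T09:00:33,in,+15550100,+15559004,abandoned
2022-03-01T09:02:10,in,+15550200,+15559000,answered
2022-03-01T09:05:44,out,+15559001,+15550300,answered
2022-03-01T09:07:02,in,+15550400,+15559002,blocked
2022-03-01T09:15:30,in,+15550500,+15559003,answered
2022-03-01T09:40:00,in,+15550600,+15559004,answered
2022-03-01T09:50:12,in,+15550700,+15559000,answered
"""


def parse_cdrs(text):
    """Parse the assumed comma-separated CDR lines into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, direction, caller, callee, disposition = line.split(",")
        records.append({
            "ts": datetime.fromisoformat(ts),
            "direction": direction,      # "in" or "out"
            "caller": caller,
            "callee": callee,
            "disposition": disposition,  # assumed: answered/abandoned/blocked
        })
    return records


def detect_tdos(records, window=timedelta(seconds=60), threshold=5):
    """Return {caller: time of first burst} for inbound callers that place
    `threshold` or more calls inside any sliding `window`."""
    recent = defaultdict(deque)  # caller -> timestamps inside the window
    flagged = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["direction"] != "in":
            continue
        q = recent[r["caller"]]
        q.append(r["ts"])
        # Drop timestamps that have fallen out of the window.
        while r["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and r["caller"] not in flagged:
            flagged[r["caller"]] = r["ts"]
    return flagged


def unwanted_share(records, flooders):
    """Fraction of inbound calls that were blocked upstream or came from
    a caller flagged as a flooder."""
    inbound = [r for r in records if r["direction"] == "in"]
    if not inbound:
        return 0.0
    unwanted = [r for r in inbound
                if r["disposition"] == "blocked" or r["caller"] in flooders]
    return len(unwanted) / len(inbound)


def analyse(text, window=timedelta(seconds=60), threshold=5):
    """Run both checks over a CDR text and return a summary dict."""
    records = parse_cdrs(text)
    flooders = detect_tdos(records, window=window, threshold=threshold)
    return {
        "inbound_calls": sum(1 for r in records if r["direction"] == "in"),
        "flooders": flooders,
        "unwanted_share": unwanted_share(records, flooders),
    }


if __name__ == "__main__":
    summary = analyse(SAMPLE_CDRS)
    for caller, first_seen in summary["flooders"].items():
        print(f"TDoS-style burst from {caller} starting {first_seen.isoformat()}")
    print(f"{summary['unwanted_share']:.0%} of {summary['inbound_calls']} "
          "inbound calls were unwanted")
```

The window and threshold are deliberately low so the sample data triggers; in production they would be tuned against a baseline of normal call volume per trunk, and the "unwanted" rule would draw on whatever the voice platform actually records (carrier spam scores, STIR/SHAKEN attestation, or an internal blocklist) rather than the two dispositions assumed here.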