Cyber attacks happen every day, and in recent times a new form of threat has been gaining more and more space: vishing, a voice phishing strategy using the telephone.
To give you an idea, in September the global hospitality chain MGM Resorts was the victim of a cyber attack that affected everything from slot machines to the check-in system, with an estimated loss of US$15 million. The cybercriminals behind the malicious campaign – allegedly from the Scattered Spider group – accessed the company’s systems through a phone call.
“Vishing, which combines the words ‘voice’ and ‘phishing’, is a form of attack in which fraudsters attempt to obtain sensitive personal or financial information through deceptive phone calls. In the case of MGM, the attackers posed as employees to obtain access credentials, break into internal systems and steal data”, explains Jonathan Arend, cybersecurity consultant at keeggo.
How to protect yourself from falling for vishing scams?
The American giant’s experience raises awareness about the cybersecurity of Brazilian companies. According to the BugHunt National Information Security Survey, more than 1/4 of organizations suffered cyber attacks in the last year, an increase of 8% compared to 2021. Vishing was one of the main attacks reported, with 11.1% occurrence.
To help companies improve their digital security posture against vishing attacks, the keeggo expert recommends some strategies.
1. Employee Training
Train employees to recognize and report vishing attempts. They should be aware that they should never share confidential information over the phone unless they have verified the identity of the person calling.
2. Identity Verification
Always verify the identity of the caller before sharing confidential information. This may include confirming identity using a password or previously defined security questions.
3. Data security policy
Implement data security policies that prohibit sharing sensitive information over the phone without proper authentication and authorization.
4. Two-factor authentication (2FA)
Use two-factor authentication whenever possible for access to critical systems and accounts. This makes it more difficult for attackers to gain unauthorized access.
5. Call monitoring and logging
Monitor critical and sensitive phone calls to have a log of activity in case you need to investigate or prove the authenticity of a call.
6. Software and antivirus updates
Keep software updated with the latest security patches and implement antivirus/antimalware on all systems to avoid known vulnerabilities.
7. Data encryption
Use encryption to protect sensitive data while it is in transit and at rest, making it harder for attackers to access it.
8. Data Backup
Make regular backups of critical data and keep it in secure locations . This can help recover data in case of compromise.
9. Regular security assessments
Conduct regular security assessments, such as penetration tests and phishing/vishing simulations, to identify vulnerabilities and train employees.
10. Incident response plan
Have an incident response plan in place to deal with vishing attacks and other cyber threats. This includes specific actions to take if an attack is suspected.
Constant Concern: The Best Defense Against Cybercrime
Remembering all these 10 points is essential so that companies can protect themselves against possible vishing attacks, helping to avoid millionaire losses. However, the work doesn’t end there!
Finally, Jonathan Arend reinforces that cybersecurity should be a constant concern and that anticipating threats is essential to maintaining security.
“Looking for a cybersecurity specialist or consultancy can be a smart strategy to ensure that the company is adequately protected against cyber attacks, including vishing”, concludes the keeggo security specialist.
Did you like the content? So, keep an eye here on the portal to stay up to date on this and many other topics about technology and security. To the next!