News Insights: FBI and CISA warn of major wave of vishing attacks targeting teleworkers | ZDNet

Hackers are calling employees working from home and tricking them into accessing phishing pages for corporate domains.

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert in response to a voice phishing (vishing) campaign that started in mid-July 2020. Using the vished credentials, cybercriminals mined the victim companies' databases for their customers' personal information to leverage in further attacks. The advisory (AA20-233A) is available at: https://coronavirus.health.ny.gov/system/files/documents/2020/08/tlp_amber_aa20-233a_cyber_criminals_take_advantage_of_increased_telework_through_vishing_campaign.pdf

News Insights:

Roger Grimes, data driven defense evangelist at KnowBe4, provided the following comments:

“Vishing attacks, and really any phishing scam related to a phone, reveal one HUGE, glaring issue with our professional and personal security as it relates to phones – very little authentication. We can never be sure if the person calling or SMS messaging us is who they say they are. At best, we get a phone number, and most of the time we really have no idea who that phone number belongs to. So, anyone can claim to be anyone. The only time you can be sure who is calling is if you have previously established a relationship with them and/or know their phone number and voice. But phone numbers can easily be faked and voices are starting to be deepfaked. It’s really a digital tragedy of the commons. More people have cell phones than internet and for those devices, we have the poorest authentication possible. Phone companies are desperately trying to work to prevent fraudulent phone numbers. In North America, phone companies are trying to implement the STIR/SHAKEN protocols to stop fake phone numbers, but roll-out has been slow and even when it gets done, there are ways around it. It’s dead on arrival. Phone companies’ anti-spam service accuracy rates seem to be no better or worse than their digital email counterparts. And attackers, even in the poorest countries, can use Skype or some other voice-over-IP calling service to come from a virtual, but valid, phone number. And the receiver of the call still has no idea if the person on the other end of the line is really who they say they are. We have far better protections on the internet and for email, and that’s saying a lot because it’s pretty bad there. But at least we have some very effective anti-spoofing email protocols (e.g., SPF, DKIM, DMARC) that effectively prevent email domain spoofing if you use them. Today, the email hackers have to at least create new fake look-alike email domains (e.g., llinkedn.com) that they hope potential victims fall for.

“In the phone world, no one knows who anyone else is by phone number alone. It’s terribly insecure. And when you throw on top of it a whole new way of working during a pandemic, it’s a recipe for disaster.

“Our customers are seeing an increase in phishing attacks above and beyond traditional email channels, like SMS, vishing, and social media. And since the technical defenses aren’t there yet, the best way to fight them, just like in the email world, is good user training. For example, if your end users don’t know that Microsoft would never call them and say that their computer is infected by malware and offer to remove it for a fee, they are far more likely to fall for that type of scam. User awareness is the key. Users need to be made aware of the types of phishing attacks that are occurring in the real world. Simply making them aware, and testing them from time to time, is the best defense you can have, at least until the phone infrastructure steps up to the plate and gives us better default protection and better security tools. Until then, it’s user beware. At KnowBe4, our service has had the capability to send simulated phishing tests to users via email, SMS, and voice phone calls for many years. We recommend that all employees get tested across all mediums where they could be phished. Testing email alone in today’s world is not enough. It’s never been better advice than it is today.”
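The quote above notes that SPF, DKIM and DMARC block exact-domain email spoofing when a domain actually publishes and enforces them, which pushes attackers toward look-alike domains such as llinkedn.com. As an added example that is not part of the ZDNet article or of KnowBe4's material, the following Python script checks a domain's SPF and DMARC TXT records for an enforcing policy and flags sender domains that imitate a trusted domain. The DNS records, the trusted-domain list and the confusable-character map are assumptions constructed for this example so that it runs offline; a real deployment would fetch the TXT records with a DNS resolver.

```python
"""Added example (not from the ZDNet article or KnowBe4).

Two defender-side checks that mirror the email protections the quote
contrasts with phone calls:
  1. spoofing_posture(): does a domain publish SPF plus an enforcing DMARC
     policy, so receivers are told to reject mail that spoofs it exactly?
  2. lookalike_for(): does a sender domain imitate a trusted domain, the
     fallback attackers use once exact spoofing is blocked?
"""
import re

# Constructed sample DNS TXT records (assumption: a real tool would query
# these with a resolver such as dnspython instead of a dictionary).
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "nodmarc.example": ["v=spf1 -all"],
}

# Constructed list of domains this organisation trusts mail from.
TRUSTED_DOMAINS = {"linkedin.com", "example.com"}

# Constructed map of characters commonly swapped for look-alikes.
CONFUSABLES = {"1": "l", "0": "o", "5": "s", "3": "e"}


def parse_spf(records):
    """Return the qualifier of the SPF 'all' mechanism ('-', '~', '?', '+'),
    '?' if the record has no 'all' (RFC 7208 default is neutral), or None
    when no SPF record exists."""
    for rec in records:
        if rec.lower().startswith("v=spf1"):
            m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", rec)
            if m:
                return m.group(1) or "+"
            return "?"
    return None


def parse_dmarc(records):
    """Return the DMARC policy (none/quarantine/reject) or None if absent."""
    for rec in records:
        if rec.upper().startswith("V=DMARC1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags.get("p", "none").lower()
    return None


def spoofing_posture(domain, txt=SAMPLE_TXT):
    """Summarise whether exact-domain spoofing of `domain` is blocked.

    Only an enforcing DMARC policy (quarantine/reject) protects the visible
    From: header; SPF alone, even with -all, does not."""
    spf_all = parse_spf(txt.get(domain, []))
    dmarc_p = parse_dmarc(txt.get("_dmarc." + domain, []))
    return {
        "spf_all": spf_all,
        "dmarc_p": dmarc_p,
        "exact_spoofing_blocked": dmarc_p in ("quarantine", "reject"),
    }


def edit_distance(a, b):
    """Levenshtein distance with a rolling single-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_for(sender_domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `sender_domain` imitates, or None.

    Digits that resemble letters are normalised first, then the leftmost
    label is compared by edit distance (llinkedn vs linkedin = 2)."""
    sender = sender_domain.lower()
    if sender in trusted:
        return None
    label = "".join(CONFUSABLES.get(ch, ch) for ch in sender.split(".")[0])
    for t in sorted(trusted):
        if edit_distance(label, t.split(".")[0]) <= max_distance:
            return t
    return None


if __name__ == "__main__":
    for d in ("example.com", "weak.example", "nodmarc.example"):
        print(d, spoofing_posture(d))
    for s in ("llinkedn.com", "l1nkedin.com", "linkedin.com", "github.com"):
        print(s, "->", lookalike_for(s))
```

The two checks complement each other: the posture check tells you whether your own domain gives receivers permission to reject exact spoofs, while the look-alike check is what a mail gateway or awareness program needs once attackers move to registered imitations, the situation the quote describes.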