DFS Warns About ‘Vishing’ Cybersecurity Attacks
Last Friday the New York State Department of Financial Services (DFS) sent a heads-up to all cybersecurity leaders at firms it regulates: watch out for vishing (voice phishing), because it’s getting nastier.
Attackers are calling people and pretending to be from the company’s IT help desk. They’ll even spoof phone numbers so they look legit on caller ID before convincing victims to click on dodgy links. Those links take system users to fake login pages that look just like their real systems. Once someone types in their username, password, and even their multi-factor code, the attacker essentially has the keys to log into corporate systems.
Vishing isn’t brand new, but criminals are using it more often — especially against financial services firms — and it’s working too well. If attackers trick employees into sharing credentials or MFA codes, they get remote access and can do all sorts of damage.
To protect your agency against vishing attacks, DFS recommends:
- Set up solid identity checks so personnel don’t rely on caller ID alone when someone claims to be IT.
- Train employees on social engineering, especially this voice trick. This YouTube video explains it well. The DFS regulation on cybersecurity requirements for financial services companies requires annual training for employees on social-engineering threats.
- Regularly review who has access to what, and make sure permissions aren’t too broad.
- Check your multi-factor authentication (MFA) settings — make sure only authorized people can enroll devices or change settings.
- Monitor for strange login activity and have alerts in place so you can spot trouble fast.
And if you do think you’ve been hit, the advisory reminds firms to report the incident. That includes reporting to the FBI’s Internet Crime Complaint Center and to DFS under its reporting rules.
In short, vishing might sound old-school; it’s basically phone-based phishing. However, it’s evolving, it’s real, and regulators are worried about it. We suggest you educate yourselves and your staff on this threat and tighten defenses now.