
FBI warning: Cybercriminals can use this tactic to break into your VPN, steal your files and more

Phishing has grown from an annoying hacker tactic to a widespread scourge plaguing the internet. The reason: It’s the easiest way to gain access to valuable data and accounts — which can then be exploited for personal or financial gain.

And during this year, phishing has grown exponentially due to the pandemic. More people are spending time online than ever before, which means plenty of targets are ripe for the picking. Tap or click here to see where all these scams are coming from.

But if you thought phishing was bad, wait until you see what vishing is capable of. And now, the issue has grown to the point where the U.S. government is issuing warnings. Here’s why.

When you vish upon a star

The FBI and CISA (Cybersecurity and Infrastructure Security Agency) have published a joint alert regarding the dangers of vishing, otherwise known as “voice phishing” attacks. In vishing attacks, cybercriminals impersonate trusted entities and trick people into sharing valuable data.

During the month of July, a sweeping vishing campaign targeted at-home workers employed by American companies and gained login credentials for multiple corporate networks in the process.

Here’s how the attack works: Hackers build realistic-looking phishing websites that mimic the company they’re targeting. Some are even designed to look like the company’s VPN login pages (VPNs being essential for many at-home workers).

Tap or click here to see what you need to get started working from home.

Then, the attackers scrape social media platforms and corporate directories to compile information on employees. These employees are singled out and targeted with phone calls, in which the hackers typically pose as coworkers or IT staff.

From here, they try to trick victims into visiting scam sites for a variety of purposes like “switching VPN systems” or “resetting passwords.” All in all, it’s a sweeping social engineering campaign that shows just how dangerous hackers can be when they put effort into their work.

And to make matters worse, once they’ve ensnared a victim, they can use the stolen employee access to scour internal directories and target other employees.

As of right now, neither the FBI nor CISA is saying who is behind these highly sophisticated attacks. The effort seems a bit out of the comfort zone of ordinary hackers, which may point towards state-sponsored origins, but this theory has yet to be confirmed or denied.

I work from home! What can I do to protect myself from vishing attacks?

As dangerous and horrible as this kind of attack can be, vishing attacks have the same big weakness that phishing attacks do: If you don’t fall for them, they can’t hurt you.

If you’re working from home and receive a call from someone you don’t recognize who claims to be IT, a coworker or someone else within the company, explain that you need to verify the request and contact your supervisor immediately. If it’s a legitimate request, your supervisor should be able to confirm it.

Read the joint cybersecurity advisory in its entirety by tapping or clicking here.

Similar to other online threats, there are ways to identify the telltale signs of vishing attempts so you don’t become the next victim.

  • Check links you receive through email, texts and other messages for misspellings or characters that have been replaced.
  • Be wary of any unsolicited call or message from a person or number you don’t recognize. Watch out for spoofed numbers that share your area code or appear to come from a person you actually know.
  • Bookmark your company’s VPN URL. Compare any VPN URLs sent to you with the one you bookmarked.
  • Avoid sharing personal information on social media as much as possible. Those who overshare are only giving vishers and scammers more ammunition.
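The "compare it with your bookmark" and "look for replaced characters" tips above can be turned into a simple check. The following is an added example, not code from the article or from the FBI/CISA advisory: the bookmarked VPN URL is a constructed placeholder, and the table of lookalike characters is a small illustrative subset, not a complete confusables list.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed example value: the company's real VPN portal as the employee bookmarked it.
BOOKMARKED_VPN_URL = "https://vpn.example-corp.com/login"

# Characters commonly swapped into lookalike domains: digits that resemble letters and a few
# Cyrillic letters that render identically to Latin ones (illustrative subset, not exhaustive).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "9": "g",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y",
})

def hostname_of(url: str) -> str:
    """Lower-case hostname of a URL; a bare 'host/path' string is treated as https."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def skeleton(host: str) -> str:
    """Collapse a hostname so common lookalikes produce the same string as the genuine host."""
    try:  # undo punycode (xn--) so mixed-script labels are compared by appearance, not encoding
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    host = unicodedata.normalize("NFKD", host)  # full-width/accented letters -> base letter
    host = "".join(c for c in host if not unicodedata.combining(c))
    host = host.translate(CONFUSABLES)
    return host.replace("rn", "m").replace("vv", "w").replace("-", "")

def check_vpn_url(candidate: str, bookmarked: str = BOOKMARKED_VPN_URL) -> str:
    """Return 'match', 'lookalike' or 'different' for a URL received in a call, email or text."""
    real, got = hostname_of(bookmarked), hostname_of(candidate)
    if got == real:
        return "match"
    # Same skeleton (examp1e, exarnple, Cyrillic 'а') or the real host used as a subdomain of
    # some other domain (vpn.example-corp.com.attacker.net) are the classic lure shapes.
    if skeleton(got) == skeleton(real) or got.startswith(real + "."):
        return "lookalike"
    return "different"

if __name__ == "__main__":
    for url in ["vpn.example-corp.com", "https://vpn.examp1e-corp.com/reset",
                "https://vpn.ex\u0430mple-corp.com", "https://vpn.example-corp.com.attacker.net",
                "https://mail.example-corp.com"]:
        print(f"{check_vpn_url(url):10} {url}")
```

Anything other than "match" is a reason to stop and verify through a channel you already trust, such as your supervisor or the IT number printed in the company directory.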

Tap or click here to see what you should do about oversharing online.

If you do receive a vishing call, document the phone number of the caller as well as the domain that they tried to steer you towards. Then, report the attempt to your local FBI field office by tapping or clicking here or by calling the FBI’s 24/7 Cyber Watch at (855) 292-3937. You can also email the agency at [email protected].

Just when it feels like we’ve won a major cybersecurity battle, it’s two steps back again the moment hackers change their tactics. Fortunately, those of us who stay proactive and skeptical online will have a much easier time adjusting to any nonsense these scammers throw our way.

If you don’t fall for the trick, it can’t be used to hurt you. Never forget that.
