FBI, CISA Warn of 'Voice Phishing' Attacks On Teleworkers

By Ben Kochman
Law360 is providing free access to its coronavirus coverage to make sure all members of the legal community have accurate information in this time of uncertainty and change. Use the form below to sign up for any of our weekly newsletters. Signing up for any of our section newsletters will opt you in to the weekly Coronavirus briefing.

Sign up for our Aerospace & Defense newsletter

You must correct or enter the following before you can sign up:

Select more newsletters to receive for free [+] Show less [-]

Thank You!

Law360 (August 24, 2020, 10:14 PM EDT) -- Hackers are taking advantage of the rise of telework during COVID-19 by posing as victims' IT departments and persuading workers over the phone to divulge sensitive data, the FBI and U.S. Cybersecurity and Infrastructure Security Agency have warned.

In what authorities called a sophisticated "campaign" that has hit several companies, cybercriminals since July have used a tactic known as voice phishing, or "vishing," contacting workers on their personal cellphones and directing them to turn over their login information, U.S. authorities said.

The attackers convinced employees that they needed to turn over their usernames and passwords in order to log in to a new link for the company's virtual private network, or VPN, according to officials. VPNs, which allow remote employees to log in to the same system, have become an increasingly common tool that companies use to monitor and control access to their systems during the pandemic.

"Using vished credentials, cybercriminals mined the victim company databases for their customers' personal information to leverage in other attacks," the FBI and CISA said in an alert released late Thursday.

"The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cashout scheme," the alert added.

Before contacting their victims, the cybercriminals compiled "dossiers" on them by scraping information from public social media profiles, "recruiter and marketing tools, publicly available background check services and other open source research," the alert said. The attackers were able to gain the victim employees' trust by correctly saying how long they had been at the company, their position at the company and their home address, officials said.

Before the pandemic, cybercriminals had launched similar campaigns on telecommunications and internet service providers, "but the focus has recently broadened to more indiscriminate targeting," according to authorities. 

The FBI and the CISA, an arm of the U.S. Department of Homeland Security, advised companies to take a number of steps to mitigate the attacks, including restricting VPN access hours and training employees to be suspicious of unsolicited phone calls. Officials also advised employees to limit the amount of information they post on publicly accessible social media sites.

"The internet is a public resource; only post information you are comfortable with anyone seeing," the alert reads.

Thursday's announcement comes as cybersecurity experts warn that employees are often companies' biggest security vulnerability, particularly as telework becomes more common.

Last month's cyberattack on Twitter that unfolded after a staffer unwittingly sent login data to a hacker, and a recent campaign targeting the Israeli defense industry with phony job offers, are just the latest examples of cybercriminals aiming to dupe workers into divulging sensitive data during the pandemic. 

--Editing by Peter Rozovsky.

For a reprint of this article, please contact reprints@law360.com.

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!