A few years ago, I myself was vished, or ‘phished,’ over the phone. The caller was someone, likely offshore in a call center, who had done a little bit of research online to find my name, my phone number, my wireless phone carrier and a few other details that they used to build rapport with me on the phone. Spoofing the customer service phone number of my wireless service provider, they called me and claimed that a credit was being added to my bill. All I had to do was confirm the PIN on my account, they told me. Pleasantly surprised by the prospect of a bill credit, I happily gave them the four-digit code for my account to ‘confirm the account,’ and was told I would see the credit on my next bill.
It was early and the coffee in my mug was still piping hot, but quickly it was like the fog lifted, and almost as soon as I hung up, I realized that I had probably made a bad decision. I had allowed my emotions to control my decision making and bypass the logical thinking that would have enabled me to avoid compromising myself and my account security. I immediately dialed my wireless phone provider and changed the code on my account.
The bad actor or scammer who had called me managed to appear legitimate with very little effort. How did they do this?
This person called me spoofing the phone number of the wireless carrier’s customer service center. The caller ID on the phone showed this number when it rang, and I trusted that the call was coming from that number. That was my first mistake.
Simple PII Verification
The caller also verified my name and wireless number, which were easily found online. They likely found the number and did a reverse lookup to establish the wireless provider to determine what number to spoof. Allowing someone to verify themselves using personally identifiable information (PII) about me that was mostly public information was my second mistake.
The caller incentivized their request of me by promising a credit to my bill in exchange for the information. This lit up the emotional side of my brain and allowed me to bypass the logical thought process that would have led me to question this type of request. Compounded by the fact that trust had been established by the two methods above, this was the nail in the coffin.
How can we avoid falling prey to these types of number spoofing and vishing (phishing that uses voice elicitation) attacks? Avoid oversharing on social media, opt out of people search sites, set social profiles to private and avoid sharing sensitive information altogether? These are all great ideas that help minimize the risk, but ultimately, even those with the best ‘OpSec,’ or operational security, practices can fall victim when the circumstances favor the attacker and defenses are weak. Refusing to let callers ‘authenticate’ or verify themselves using information that is publicly known or easily found online is the last line of defense. Being politely paranoid and unafraid to challenge requesters is usually the one aspect of a social engineering attack that attackers can’t overcome. And unfortunately, because there are so many more vulnerable targets, attackers will typically cut bait and seek out a new target when they are challenged.
Phishing Awareness Training
So how do you avoid being the slowest antelope when you are running from the lions? Increased awareness, proper procedures for authentication of requests and a culture that promotes reporting and transparent internal communication are vital to any organization. Advocate for training and phishing awareness that goes beyond business to support families and individuals at home. This is not just a ‘work’ problem; it’s a ‘people’ problem. When people are educated to understand the dangers and how to identify them to protect themselves personally, they will carry these skills with them in every situation, including at work.
Regular testing and assessment of these skills are critical to a strong security program in which the mitigation of social engineering threats is prioritized. In my talk at BSidesSF 2020, on February 24th, I showed penetration testers how phishing pretexts can be made much more robust by customizing them for specific employees and specific organizations using non-technical and quick-to-complete social media and online OSINT (open-source intelligence) reconnaissance prior to doing a security assessment. Combating these custom pretexts with regular testing by ethical hackers within security assessments can be very helpful to employees who may not understand the red flags for identifying phishing attacks.
Equipping Organizations against Phishing Attacks
Phishing and vishing have reached the next level. Both ordinary scammers and malicious hackers are choosing to take the path of least resistance, avoiding complex computer and network hacking while pushing to create pretexts that will go undetected by even moderately security-conscious employees. “Todd from IT” calling to reset your password has become the Nigerian Prince of pretexts. Equipping our clients to recognize more complex and customized pretexts is crucial to a successful security awareness program, and it adds increased value to your training and awareness offering as a security consultant.