FBI, CISA Warn a New Phone Call Scam Targets Remote Workers
Cybercriminals have found a new way to target companies in the COVID-19 era. As businesses continue to work remotely, cybercriminals are pivoting as well, adjusting techniques to infiltrate companies while employees are teleworking. Criminals use a technique called “vishing” to steal employee information and corporate resources.
What is vishing?
Vishing, also called voice phishing, is an attack in which criminals call employees to get access to their corporate virtual private network (VPN).
How does it work?
Cybercriminals find employee cell phone numbers on the internet and call them. They try to manipulate employees, including by posing as IT staff, into entering their login information on a new VPN link sent by the criminals. The criminals store this login information and use it to enter the company’s VPN and take employee information, business resources and even company funds.
How can I keep my business safe from vishing?
Educate employees to be conscious of the following:
- If your company’s IT department or help desk contacts you about a new VPN link, confirm the new link with your company before proceeding.
- Do not give out information about your company through unsolicited calls or emails.
- Limit how much personally identifiable information you put on social media to prevent vishing and phishing. Cybercriminals often use social media to get their targets’ information.
Last week, the FBI and the Cybersecurity and Infrastructure Security Agency issued a warning about this new vishing campaign. Please contact Walt Green or any other member of Phelps’ Cybersecurity team if you have questions about this warning or need compliance advice and guidance. For more information related to COVID-19, see Phelps’ COVID-19: Client Resource Portal.