Don't be a Vishing Victim

We often discuss cybersecurity tactics such as email phishing, where the bad actor delivers a sneaky ask into your employees’ inboxes, doing their best to lure your team into clicking on a compromised URL, downloading an infected file, or sharing confidential information about your customers or your company. But some bad actors are more old school in their approach and call their victims, a practice called “vishing.” We often hear about unfortunate instances where an employee answers a phone call from a hacker pretending to be from tech support and then shares access to a device, only to realize later it was all a scam.

In fact, if you follow cyber attacks in the news, you may remember the high-profile incident with MGM Entertainment last fall. The single access point that allowed the infamous cybercrime group “Scattered Spider” to completely shut down several casinos and hotels under the MGM umbrella used that old-school approach – albeit reversed. The bad actors called the corporation’s tech support company and finagled access to the entire network by pretending to be an employee. Unfortunately, the tactic works both ways.

Tips to Avoid Tech Support Vishing Scams

How do you protect your employees and your organization from such a simple but sneaky attack? If you are not encountering any IT issues, and your tech support company or a vendor partner calls you unexpectedly, here are simple tips to avoid being the victim of fraud:

1. Ask if you can call them back. Your team should have access to your organization’s IT support phone number; if they receive an unexpected call with a request, make it a policy to call back before taking any action. Use the number on your IT support company's website or in your own files; not a new phone number or email supplied by the caller.
2. If a caller says your computer has a problem and requests remote access, simply hang up. These hackers often use phone numbers that are spoofed to look like real businesses in your community or a trusted vendor partner. This is not how real IT support businesses or software vendors operate.
3. Remember that the scam may take the form of an email, phone call, or even a pop-up warning. Callers may say they are from well-known, large tech companies, such as Microsoft. They will ask you to open a file or run a scan, but this is likely a ploy that allows them to then ask for remote access.
4. Reputable technology vendors will tell you: They do not send unsolicited email messages or make unsolicited phone calls to request personal or financial information or to provide technical support to fix your computer. If you don't ask them for help first, they won't call you to offer support.
5. Your organization's privacy policies should clearly outline what data can be shared with your business partners and what cannot. Your employees should never divulge passwords or other company information to a third party business partner without internal confirmation.
6. If you visit a website and are suddenly faced with a full-screen pop-up warning that your computer has been compromised, do not call the number or click any links. These are hackers who have infiltrated popular sites to try to sneak past your security protocols.

If an employee realizes a scam might have taken place, that is when you should call your trusted IT partner. MSPs can run assessments and scans to uncover malicious code or hidden apps that can lurk in your network, siphoning off data over weeks or even months. The sooner you involve your IT professional, the more quickly access or damage to your network can be contained.

Tip: When selecting a managed IT services partner, ask what security steps are in place to prevent this type of fraud. At Exigent, we follow multifactor authentication for phone calls, using a tool that allows confirmation that the person calling in for “support” is a real employee at our client’s organization. Similarly, if you receive a call from Exigent, you can ask for the team member's name, hang up, and either call our support hotline or enter a ticket to confirm that there is a real issue.