
Impersonation attacks are on the rise, and the FBI and CISA have issued a joint warning against so-called “vishing” attacks where a voice is imitated. These attacks rely on the work environment having shifted to remote working, which reduces or removes the ability of individuals to verify the identity of a caller. Additionally, phone calls may be forwarded from office lines, which may not display the caller ID that an employee uses to know who is calling. Lastly, attackers may provide a seemingly valid reason for calling from an incorrect phone number (such as needing to make a call from a house phone or needing to borrow one from another individual). Most people will respond to an urgent request from their boss without taking the time to be properly suspicious.
These vishing attacks are used to gain legitimate credentials from users, by telling the victim that they need to provide them for access to whatever methods are used to work remotely. Once those credentials are received, they are used to launch a further attack. These vishing attacks fall under the category of social engineering, and when performed correctly can be disruptive. If someone sounds and acts like your boss, would you be willing to spend time asking them to prove who they are? Especially if they threaten to fire you for wasting their time? These vishing attacks rely on the attacker knowing just enough about the target to pass themselves off as legitimate. You may be able to determine if you are being vished by asking a question that the caller would know the answer to, but which does not have an answer that can be readily found online.