5 Things Work-From-Home Employees Need to Know About Hybrid Phishing Scams  

Before the COVID-19 pandemic, the general public’s perception of cybercrime was largely based on splashy news headlines. Corporate breaches that pilfered hundreds of millions in digital theft and massive personal identity lawsuits may have inadvertently created a notion that online thieves unilaterally penetrated cybersecurity defenses. But that idea shifted as suddenly increasing remote workforces prompted global threat alarms.

With many employees working from home for the first time, national organizations have issued critical “phishing” alerts. The U.S. Federal Trade Commission, Canadian Anti-Fraud Centre, and the Australian Competition & Consumer Commission, among others, are working diligently to provide actionable information about prevalent phishing schemes. Experienced IT cybersecurity experts on the frontlines are cautioning businesses about emerging hybrid threats.

1: Hackers Deploy Most Sophisticated Scheme To Date

It’s essential for industry leaders to recognize that hackers represent an omnipresent threat. For every antivirus development or enhanced firewall, these unscrupulous individuals work tirelessly to circumvent such defenses. In many ways, hackers and cybersecurity professionals are engaged in a digital chess match with business profits representing checkmate. Recent reports indicate that a hybrid phishing scheme called “Vishing” is being leveraged to ensnare remote workers.

“There’s a scam where hackers gather employee and company information on the company’s website in the staff section or about us. Then they call the newly remote employee with this information and pretend to be IT support. They use some gathered information to establish trust with the employee,” Neil Rosenblum of BoomTech, Inc. reportedly said. “Then they ask them to log into a portal or allow remote access so they can confirm security settings, so their company remains secure. This literally opens up the company’s network.”

2: Methods Used To Gather Seemingly Confidential Information

Vishing schemes rank among the most determined and duplicitous efforts employed by cybercriminals. Whereas phishing typically relies on casting a wide net of email trickery, vishing drills down on personal information.

“Personal Identifiable Information (PII) can be either purchased on the Dark Web or found freely in forums on the Dark Web. This information can include social security numbers, bank account numbers, or information just as simple as addresses,” Jon Fausz of 4BIS.COM, Inc. reportedly said. “The data is gathered from previous hacks (IE Discover Card, Netflix, or private companies) or from end-user phishing. Only a few pieces of PII are needed to gain trust and gather more information from the victim.”

3: How Do Hackers Leverage Dark Web PII?

To everyday people, the so-called Dark Web is the stuff of movies. It conjures images of hoodie-wearing hackers who are part of a digital mafia that involves secret passwords. To some degree, these fictionalized portrayals are not far from reality, according to frontline experts.

“So where is the ‘Dark Web’ where this information resides? Generally, it is a non-published website where the link is passed from criminal to criminal through other means — not Google search. If you do not know the link, you will never find the web address or the information. Other times, it requires you to authenticate to a network that then provides you access to this type of information for a fee, of course,” Jason Simons of Texas-based ICS reportedly said.

The PII and vishing tactics are being used to target work-from-home employees as a conduit into valuable digital assets housed on business networks.

4: PII Culled Outside The Dark Web

Forthright Technology Partners Sr. Cybersecurity Engineer Alan Harrylal indicates that outside of the Dark Web, there are commonplace resources available to digital thieves. These include the following.

  • Dumpster Diving

  • Social Engineering

  • Sites like www.peoplefinder.com, where you can pay to get SSN, Criminal Reports, Phone Numbers.

“And of course, there’s always the disgruntled employee who provides inside information,” Harrylal reportedly said.

This means that even low-level digital scammers can likely gather enough PII to make a run at remote workers.

5: How Cybercriminals Pull Off Hybrid ‘Vishing’ Scheme

It stands to reason that determined cybercriminals would pivot as global phishing alerts were raised during the coronavirus outbreak. Between government agencies and cybersecurity professionals distributing information, digital thieves suffered from public awareness.

Vishing schemes take the logical next step to secure victim confidence. Remote workers have been educated to avoid suspicious emails and make direct contact with supervisors or IT personnel. In a vishing scheme, when someone receives a phishing email, a phone call comes right on its heels. Because the caller possesses enough of the remote worker’s PII, confidence can be restored. Ultimately, a successful scheme prompts an unsuspecting worker to click on a link and doom your digital assets.

Work-from-home employees are advised to proactively call supervisors or IT specialists themselves. An incoming call may itself be part of the elaborate vishing scam.