Published: August 07, 2022 on our newsletter Security Fraud News & Alerts Newsletter.
Surprise! Hackers are up to no good, again. This time they’re relying on their acting skills to convince employees there’s been a cyberattack at their place of work. They leave a phishing voicemail with urgent instructions to return the call. It’s a sneaky way to get the information they need to pull off a system-wide malware infection. Whatever route best monetizes the crime is likely the one they’ll take, including lucrative ransomware attacks.
These hackers are bold criminals who’ll do what it takes to accomplish their goal, and in the process, maybe win an Emmy award for their acting. After all, who would think that returning a phone call could result in a companywide cyber-catastrophe? Hackers, that’s who would think that way.
Once their voicemail phish is returned, the hacker gets to work convincing the target they’re from a cybersecurity company that’s looking into a security incident at their company. They trick the employee into parting with sensitive network information and ultimately get them to download the hacker’s choice of malware. CrowdStrike investigated this attack after learning their own cybersecurity organization was one of many being used to “legitimize” these cybercriminals.
CrowdStrike named this crime “callback phishing” since the phone number left on the voice message is controlled by the hacker. They also say, “This campaign will highly likely include common legitimate remote administration tools (RATs) for initial access, off-the-shelf penetration testing tools for lateral movement, and the deployment of ransomware or data extortion.”
It's always time for employees (and their employers) to realize hackers know they are juicy targets for cybercrime. The deluge of phishing emails a staffer receives daily is proof positive there’s always a bull’s eye on their back. Those who work for a company that doesn’t provide staff cyber-education can’t be expected to recognize phishing when they see (or hear) it. That’s why cyber-smart employees should always be part of a solid cybersecurity plan.
Don’t Call Me, I Won’t Call You
According to CrowdStrike “This is the first identified callback campaign impersonating cybersecurity entities and has higher potential success given the urgent nature of cyber breaches…” With these findings, how does a trusting employee who receives callback phishing make sure they don’t enable an attack?
Before anything else, alert the tech department or management that you have a security-related voicemail message they need to hear. That alone lets them know that something is phishy, and they should instruct you not to return the call. And remember, for this or any other callback phishing hack, never answer questions about your company’s cybersecurity. And last, don’t let anyone convince you to install anything on your device without confirming it with the IT department or management first.