Ep 2: Vishing Increases Phishing Success Rate by 3 Times
Episode 2 reviews an article on InfoSecurity Magazine. Phishing was the number 1 threat vector in 2021, closely followed by vulnerabilities. For clarity, vulnerabilities are defined here as software and hardware flaws for which the manufacturer has already issued patches or updates that the owner of the software or hardware has yet to apply.
What made the phishing statistic more interesting is that when a phishing attack included vishing (voice phishing) the success rate was nearly 3 times higher than phishing attacks without vishing. Of course, I have a real-world example of exactly how such an attack would work.
Transcript of Ep 2: Vishing Increases Phishing Success Rate by 3 Times
People are the weakest link in any cybersecurity plan. We’re distracted, exhausted, and often unmotivated. It’s time to change the approach used to protect our businesses, technology, identity, and data. The human element has to be front and center in the war against data breaches and ransomware attacks. It’s time to educate.
Welcome to the Human Element podcast. Visit our website at thehumanelement.net for more content to help you strengthen your awareness of the people problem in cybersecurity. I am Scott Gombar, owner of Nwaj Tech, a client-focused, security-minded, proactive IT service provider. Welcome to episode two: vishing makes phishing campaigns three times more successful.

Hello, everyone. Scott Gombar, owner of Nwaj Tech. We are back again with the second episode of the Human Element podcast, where we talk about, well, the human element of data breaches and ransomware attacks and cyberattacks and all that fun stuff. And today I’ve got an article on infosecurity-magazine.com, Infosecurity Magazine. The title of the article is “Vishing Makes Phishing Campaigns Three Times More Successful,” by Phil Muncaster. The article talks about the number one and number two threat vectors for 2021, last year. Number one probably shouldn’t come as a surprise, given what podcast you’re listening to: it is phishing. Phishing was 41% globally. Phishing overtook vulnerability exploitation as the top pathway for compromise globally in 2021, accounting for 41% of initial access attempts, which is up from 33% in 2020, so it went from 33% to 41%. And the number two threat vector was vulnerabilities, and that is identified software holes, I guess you could say, in different software and hardware. So in other words, if I have a Microsoft Windows computer, a Windows 10 computer, and Patch Tuesday rolls around, and I don’t apply those patches, and some of those patches are for critical vulnerabilities or a zero-day, and I don’t apply those patches, my computer is now vulnerable. That’s a vulnerability, and the number two threat vector for 2021 was vulnerabilities. So number one, phishing; number two, vulnerabilities. And the number for vulnerabilities was 30, or... I think it was 33%.
It’s interesting because I wrote an article not too long ago on my company’s website, nwajtech.com. And the article was about the Big Four. It talked about phishing; we talked about the Big Four, by the way, which was about the four easiest ways into a business, into a network, into a technical or technology-based infrastructure. And we talked about the four easiest ways in. Two of them were phishing and unpatched software and hardware. And the article talks about some of the more commonly exploited vulnerabilities: one from 2021, which was a Java deserialization vulnerability; another one from 2019, which was a Citrix path traversal flaw. So 2019, three years ago, or between two and three years ago. If you haven’t patched a Citrix vulnerability by now, you’re not doing your company any service right now. You are doing them a disservice, in fact. And then, of course, we all heard of Log4j last year, 2021, which was the one that seems to have put vulnerabilities as a threat vector over the top and soundly into the number two spot. And then also listed on there was, I’m sorry, Internet-facing Microsoft Remote Desktop Protocol. And the fourth one was weak passwords, and a lot of times phishing and weak passwords can be combined into the same attack vector. The article also talks about IBM highlighting business email compromise, which we’ve talked about a lot already on the website, on thehumanelement.net, and also on my company’s website, nwajtech.com. It is the biggest moneymaker. There’s a blog post on thehumanelement.net that talks about BEC scams, business email compromise scams, being the biggest threat based on the amount of money it’s earned, for lack of a better word, I guess.

Because what happens is somebody inserts themselves into the email conversation, usually email, an email conversation, and reroutes a payment to another cybercriminal, in this case. So if I’m doing a real estate transaction, and I use real estate as the example because it happens a lot in real estate, and the closing costs are to be wired to an attorney, somebody inserts themselves in the conversation and says, instead of wiring the payment here, please wire the payment elsewhere, and then gives them a new address. And there is actually a good example of how it happened to a homeowner on thehumanelement.net. And that was a real story. I changed the names and some of the details, but it’s a real story that someone I know was impacted by, and the payment gets sent to the wrong person. The wrong person is usually a criminal who takes that money and runs. It’s theft; it’s theft using technology. And BEC scams are a form of phishing. But the really interesting thing about this article was, you know what the title is, it says vishing makes phishing campaigns three times more successful. And what it says is that, interestingly, click rates for average targeted phishing campaigns increased around threefold, from 18% to 53%, when phone phishing, which is also called vishing, was also used by threat actors. And I’m going to give you another real-world example in a moment, but the success rate of vishing, which is phishing over the phone, by itself is not that high. It’s not even used that often. However, it is increasing, along with smishing, which is text. But when you combine that with email phishing, it has a three times higher success rate, is what it’s saying. This is, of course, according to the X-Force Threat Intelligence Index, which is an FBI... I’m sorry, an IBM, not FBI, IBM report that came out for 2022, but it’s using numbers from 2021. And again, this is on infosecurity-magazine.com.
And so the story... well, before I talk about that: vishing is voice phishing, smishing is text phishing. You could phish somebody from a website. I can put up a website, I can clone a website almost instantly today, and put up a clone of that website and trick people into logging in and giving up their credentials. This happens a lot with Microsoft products. There’s QR phishing, or QRishing, I think it’s called QRishing, in that it uses QR codes to phish people. I’m forgetting one of the forms of phishing, but as you can tell, there are a number of ways to phish people now. Now, the one that gets used the most is email, by far; it’s not even close. But the other ones are growing. And with the development of deepfakes, you know, where you hear a voice call that pretends to be someone, or a video that pretends to be someone else. This has happened a lot in the adult industry, or adult entertainment industry, but it’s starting to hit the mainstream a little more and more, and what could come of that is pretty scary. You know, thinking of political figures, and suddenly you find a video of, you know, a president in the US, and the video is not real, but it looks real. It looks legitimate. You know, where this can go is scary, for sure. It’s limitless. You know, we don’t know where it can go yet, or how we’re going to recognize things like that yet. But it is something that people in the industry are looking into. But let’s get back to phishing for a moment. So a few years ago now, someone I know came to me and said that their account, their... well, they said their Amazon account was compromised, but in reality, their Amazon account wasn’t compromised. So this is what happened, similar to the blog on thehumanelement.net: their email account was compromised by reusing passwords, weak passwords, already on the dark web. Their email account was compromised.
They received an email, purportedly from Amazon. The Amazon email said your account has been compromised, please call us, and it gives them a number.
She proceeds to call this number. They answer the phone as if they’re Amazon; they sound exactly like Amazon employees would sound. And so, yes, your Amazon account has been compromised, we need to reset the password. And then they walked the person through the process of resetting the password on amazon.com. So they took them to the real amazon.com to reset the password. And, you know, the user, the person I know, gets an email saying yes, your password has been reset, except the problem is the attackers are also in the email. So they also get the password reset email. And, you know, they go back in, click the link, and reset the password again. I think Amazon’s email says if this wasn’t you, click here, or something along those lines. Or maybe they say, you know, click here to reset the password, whatever it is, whatever the verbiage is. Because the attackers were in her email, they were able to go back to Amazon and reset the password again. And this went on for a few days. She got frustrated. And the people pretending to be Amazon said, okay... she called the number again. Okay, here’s what we’re going to do, in order to prove you are who you say you are. Because, you know, the password keeps getting reset after she resets it, so in theory somebody else could also own the account and could be resetting the password. And so they’re trying to say, well, you have to prove who you are, and here’s how you’re going to do it: you need to purchase $2,000 worth of Amazon gift cards and send it to us; we, of course, will reimburse you. So she does this. She purchases the Amazon gift cards, sends them to whatever they asked her to send them to, I don’t know the details of that, and then realizes, yes, she was scammed. Fortunately for her, Amazon gave her the money back. But this is a scam that worked because they also used the phone and tricked her into calling a number that was not Amazon. So I’m gonna give you a few pointers here.
Number one: if you’re ever told, via the phone or even an email, to call this number, Google what the real number is and call back. So let’s say, for example, you get an email or a phone call; let’s say you get a phone call from your bank. So Bank of America calls you up, says we have an issue with your account, we need to review the account with you, and you say, okay, hold on, I’m going to call you right back. You hang up the phone, you Google what Bank of America’s customer service number is, you’ll find a number, whatever it is, and you call that Bank of America number. That way... you could do the same with Amazon, with PayPal, with almost anything. I think Facebook’s probably the only thing you can’t call, but if you have a problem with Facebook, good luck. But you could call any of those companies; you could Google their 800 number. There are directories of 800 numbers out there. Call that number, or if you have a bank card, the bank card has the 800 number on it. Call that number. Do not divulge any other information while you’re on the phone with the people pretending to be Bank of America, or whatever bank you use. Okay, you call the customer service number you have on the back of your bank card, or the one you Google, whatever it is. And then you say, I just received a phone call saying, you know, there was a problem with my bank account. Can you help me out with this? And then they’re gonna tell you, there’s no problem with your bank account. You’re fine. And then the call’s over, and you realize that somebody was trying to scam you, but you one-upped them because you knew that it was a scam. You verify that information. Always verify information: hang up the phone, call them back. If it really is Bank of America, and there really is an issue, they will understand and they will have no problem with what you did, because you saved them the hassle of having to recover money now.
Number two: never, ever, ever give out the last four of your social on a phone call. If the person calling you says, are the last four of your social XYZ? 123? It’s four digits, I know, I get it. Don’t even verify that information. If they have a good idea of where you were born and when you were born, they already have the rest of your Social Security number, unless you were born after 2011. If you were born after 2011 and you’re already receiving these calls, then give us a call, because you have other problems to worry about. Never give out the last four of your social. And it’s used by a lot of companies, less and less now, but still being used, I’m looking at you, T-Mobile, to verify the account holder when they’re calling. You call up, they say, can you verify the PIN on your account, or the last four of your social? The PIN is usually some ridiculous number that you set up 17 years ago, and you don’t remember what it is. You know the last four of your social. So what, do you give out the last four of your social on the phone? Don’t, don’t do that. Number three: now you’ve heard this podcast. Now you know how email combined with a phone call could be used to phish information. Don’t fall for it. Again, there’s going to be a phone number in the email, they’re going to call you from a phone number, you have caller ID. Say, I’m going to hang up and I’m going to call back the number, the customer service number I have here in front of me. Google it. If it’s Amazon, you Google Amazon, and you call that number instead of the number that called you or the number in your email. I’ve detailed some of these types of scams in the videos that I record on the Nwaj Tech website. At the bottom of the homepage, there are some videos, and every week I do a phishing review. And some of those phishing reviews have, like, PayPal; PayPal was one of them. I don’t remember the other one. No, it wasn’t Apple. I don’t remember who the other one was, but there was another one.
And I showed how those are not the real numbers. Those are fake customer service numbers; you’re going to call them, they’re going to pretend to be PayPal, whoever it is, but it’s not really them. Maybe the other one was Amazon, I’m not sure. I think there’s even a Best Buy one on there somewhere. And Geek Squad, I think there was a Geek Squad one. Again, if you’re getting phone calls and an email, that’s pretty suspicious to begin with. Apparently not suspicious enough, because it works three times as often, three times as much, if they do have an email and a phone call. And I can understand that; it seems a little more like it’s a legitimate problem if you’re getting an email and then 30 minutes later you’re also getting a phone call, and they sound like they have a little sense of urgency in their voice, saying, hey, we have a problem here, we need to address it, here’s what we need to do. They tricked my friend into doing this because they actually took her to the real Amazon website to reset her password. So now you’re thinking, all right, this isn’t a fake website. This is the real website; I spelled out amazon.com. This is exactly where I go when I want to buy something. This is the real website, and they’re showing me how to reset the password on the website, so I must be safe. But what she didn’t realize is this: they’re already in her email inbox. So now they’re monitoring for that password reset, and when they get the email saying your password was reset, they’re going back and resetting it again. This is also a good case, any case really is a good case for it, but a good case for two-factor or multi-factor authentication. Your Amazon account should have two-factor or multi-factor authentication, and so should your email. And if you have that on both of those, the phone call never happens; chances are the email never happens.
And then they cannot get back into your email to reset the password after you’ve already reset the password, so the jig is up. So, again, to recap: verify the customer support number. You can either Google it or look on your bank card or some other piece of information you already have in your hand. But you can also go to Google; Google’s going to give you the real 800 numbers, or the real customer support numbers, whatever they are. You should use multi-factor authentication. And never give out the last four of your social. I’m going to add one more: a complex password policy. We’ve talked about this, and again, I’ll go back to that Big Four blog post on my Nwaj Tech website. The Big Four: passwords is one of them, phishing is another one. So they touched on three of the four here, phishing, passwords... I’m sorry, only two of the four, phishing and passwords.
But vulnerabilities were also the number two threat vector for 2021. So three of the four have been touched, the fourth one being Remote Desktop Protocol. But guess what, if you don’t patch that, you’re also vulnerable there. So in a way, we touched on all four of them. Also, if you have not patched for Log4Shell or the Citrix vulnerabilities from 2019, please take care of that. But again, phishing, and vishing combined with phishing, continue to be the dominant force in cyberattacks, and phishing, as you will know if you’ve visited our website yet, is a form of social engineering. There are literally toolkits available for free to help you do these types of attacks, and they will help you gain access to people’s stuff: passwords, financial records, whatever data, whatever you’re trying to get. Phishing is the number one way in. And typically they combine phishing with vulnerabilities and other things. But phishing is almost always involved at some level, or some form of human interaction is involved at some level, in an attack. So that’s going to do it for episode two. So until next time, remain vigilant.
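The first pointer in the transcript, call the number you already have rather than the one in the message, can be partly automated on the defender's side: a mail filter that pulls any phone number out of an email, works out which brand the email claims to come from, and compares the number against that brand's published support numbers. The Python below is an added example written for this page; it is not code from the podcast, its author, or IBM. The OFFICIAL_NUMBERS allowlist, the three sample emails and every phone number in them are constructed placeholders (the 555-01xx range is reserved for fiction), and the brand list and urgency terms are assumptions a real deployment would replace with its own data.

```python
import re

# Constructed placeholder allowlist of published support numbers per brand, digits only.
# These are NOT real numbers; a deployment would load each brand's own published contacts.
OFFICIAL_NUMBERS = {
    "amazon": {"8005550100"},
    "paypal": {"8005550101"},
    "bank of america": {"8005550102"},
}

# Pressure language that call-back lures typically pair with a phone number (assumed list).
URGENCY_TERMS = (
    "compromised", "suspended", "unauthorized", "locked", "immediately", "within 24 hours",
)

# North American numbers written as 800-555-0100, (800) 555 0100, +1 800.555.0100, etc.
# The look-around guards stop a 10-digit run inside a longer order number from matching.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)


def extract_numbers(text):
    """Return the set of phone numbers found in text, normalised to 10 digits."""
    return {"".join(groups) for groups in PHONE_RE.findall(text)}


def claimed_brands(text):
    """Brands the message claims to be from, judged by a name mention in subject or body."""
    lowered = text.lower()
    return {brand for brand in OFFICIAL_NUMBERS if brand in lowered}


def assess_email(subject, body):
    """Classify a message as 'suspicious', 'review' or 'ok' for call-back lures.

    suspicious: the mail names a brand but asks you to call a number that brand
                does not publish (the pattern in the Amazon story above).
    review:     a call-back number plus pressure language, brand not recognised.
    ok:         no number, or only numbers the named brand actually publishes.
    """
    text = f"{subject}\n{body}"
    numbers = extract_numbers(text)
    brands = claimed_brands(text)
    lowered = text.lower()
    urgency = [term for term in URGENCY_TERMS if term in lowered]

    # Union of the allowlisted numbers for every brand the mail claims to be.
    known = set().union(*(OFFICIAL_NUMBERS[b] for b in brands))
    unknown = numbers - known

    if brands and unknown:
        verdict = "suspicious"
    elif numbers and urgency:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "numbers": sorted(numbers),
        "brands": sorted(brands),
        "unknown_numbers": sorted(unknown),
        "urgency": urgency,
        "verdict": verdict,
    }


# Constructed sample messages; none of these numbers belong to a real company.
LURE = (
    "Your Amazon account has been compromised",
    "Dear customer, your Amazon account has been compromised. "
    "Call us immediately at (800) 555-0199 to reset your password.",
)
LEGIT = (
    "Your Amazon order has shipped",
    "Questions? Call Amazon customer service at 800-555-0100.",
)
UNBRANDED = (
    "Account locked",
    "Your account is locked. Call 888-555-0123 immediately.",
)

if __name__ == "__main__":
    for subject, body in (LURE, LEGIT, UNBRANDED):
        result = assess_email(subject, body)
        print(f"{result['verdict']:10} {subject!r} numbers={result['numbers']} "
              f"unknown={result['unknown_numbers']} urgency={result['urgency']}")
```

The allowlist comparison is the part that carries the weight: a lure that reuses the real brand name, real logos and even the real amazon.com reset flow still has to put its own phone number somewhere, and that number is the one thing the defender can check against data obtained out of band. Messages that fall into "review" rather than "suspicious" are the ones where the brand was not recognised, which is where the human rule from the transcript, hang up and call the number on your card, still has to apply.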