Tue, Aug 2, 2022
Kroll has observed an increase in two social engineering tactics known as “vishing” and “smishing.” These tactics use phone calls, voice-altering software, text messages and other tools to defraud unsuspecting people of valuable personal information, such as passwords and bank account details, for financial gain. Both rely on the same techniques as the common infection vector, phishing.
In Q1 2022, Kroll reported a 54% increase in phishing attacks, demonstrating the perennial value of social engineering as a technique for threat actors. As organizations and end users become more adept at identifying and filtering out suspicious emails, and as voice emulation APIs become easier to access, threat actors are pivoting to text messages and voice calls as an easier way to reach a potential victim.
Voice phishing, or vishing, is a tactic in which a threat actor uses phone calls, rather than the scam emails of a phishing campaign, to trick victims into providing sensitive personal information by posing as their bank or another trusted organization. Smishing works the same way, except that the lures arrive as scam SMS texts or via messaging apps such as WeChat, WhatsApp, Facebook Messenger and many others. In both cases, threat actors try to build a rapport with the victim in order to encourage or coerce them into sharing sensitive details.
Threat actors may use legitimate services such as Voice over IP (VoIP) to conduct such schemes. VoIP makes it easier for actors to create fake numbers that are nearly impossible to track, and some services allow actors to obtain numbers local to the victim’s area so that the call looks more realistic. Actors may also use caller ID spoofing to display the number or identity of an individual or organization that the victim already knows and trusts.
Smishing attacks have grown in recent years: they were reported by 74% of companies in 2021, up from 61% in 2020.
Early smishing attacks were seen impersonating banks and financial services, but more recently threat actors have shifted to impersonating package delivery services. In every case, the goal is to convince the target that the message comes from a recognized business. Kroll has recently observed a trend in which smishing is used to impersonate CEOs at various organizations; once a victim is engaged, they are asked to send gift cards to the threat actor or to carry out fraudulent transactions.
Figure 1: Examples of Smishing
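The lure patterns described above (delivery notices, bank alerts, executive impersonation, gift card and transfer requests, a push to move the conversation to another app) can be turned into a simple content-based triage check. The following is an added example written for this article, not Kroll tooling or a Kroll scoring model; the indicator patterns, their weights, the verdict thresholds and the sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Weighted text indicators for the smishing lures described above. The patterns
# and weights are assumptions made for this example, not a Kroll scoring model.
INDICATORS = [
    ("impersonates_delivery",
     r"\b(package|parcel|delivery|shipment)\b.*\b(held|pending|failed|reschedule|redeliver)\b", 2),
    ("impersonates_bank",
     r"\b(bank|account|card)\b.*\b(suspended|locked|verify|confirm|unusual activity)\b", 2),
    ("impersonates_executive", r"\b(ceo|cfo|director|boss)\b", 2),
    ("gift_card_request", r"\bgift ?cards?\b|\b(itunes|google play|steam) cards?\b", 3),
    ("wire_transfer_request",
     r"\b(wire|transfer|send)\b.*\b(funds|money|payment|\$?\d[\d,]*)\b", 2),
    ("move_to_other_app", r"\b(whatsapp|wechat|telegram|signal|messenger)\b", 2),
    ("urgency",
     r"\b(urgent(?:ly)?|immediately|asap|right now|right away|within \d+ (?:minutes|hours))\b", 1),
    ("credential_request", r"\b(password|pin|one[- ]time code|otp|verification code)\b", 3),
    ("suspicious_link",
     r"https?://(?:bit\.ly|tinyurl\.com|t\.co|[a-z0-9-]+\.(?:xyz|top|click|link))/\S+", 2),
]


@dataclass
class Assessment:
    score: int
    hits: list
    verdict: str


def assess_sms(text: str, sender_known: bool) -> Assessment:
    """Score one message; sender_known means the number is in the recipient's contacts."""
    lowered = text.lower()
    hits = [name for name, pattern, _ in INDICATORS if re.search(pattern, lowered)]
    score = sum(weight for name, _, weight in INDICATORS if name in hits)
    # An action request from a number that is not a known contact adds to the
    # score. Sender-ID spoofing (as in the CEO case in this article) can make a
    # lure appear to come from a known number, so this is one input, never the decider.
    if hits and not sender_known:
        hits.append("unknown_sender")
        score += 1
    if score >= 5:
        verdict = "likely smishing"
    elif score >= 2:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return Assessment(score, hits, verdict)


# Constructed sample messages (not real lures). "spoofed_ceo_wire" mirrors the
# spoofed-number case: the content still scores even though the sender is "known".
SAMPLES = [
    ("ceo_gift_cards", False, "Hi it's your CEO, I'm in a meeting and can't talk. "
     "Move this to WhatsApp and pick up 5 gift cards urgently for clients."),
    ("spoofed_ceo_wire", True, "It's the CEO. Transfer $12,000 to the account below now and move to WeChat."),
    ("parcel_link", False, "Courier notice: your parcel could not be delivered. Reschedule at http://bit.ly/abc123"),
    ("benign", True, "Running 10 minutes late, see you at the cafe."),
]


def triage(samples=SAMPLES) -> dict:
    """Return {label: Assessment} for a batch of (label, sender_known, text) tuples."""
    return {label: assess_sms(text, known) for label, known, text in samples}


if __name__ == "__main__":
    for label, result in triage().items():
        print(f"{label:18} {result.verdict:16} score={result.score:<2} hits={result.hits}")
```

The design point is that the number a message appears to come from is deliberately given little weight: as the case below shows, the sender ID can be spoofed, so the request itself (move platforms, buy gift cards, send money) has to carry the detection.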
Vishing attacks have also been on the rise in recent years and increased again in 2022. They were seen in 69% of companies in 2021, up from 54% in 2020. Vishing recurs in the form of job scams and tech support scams. The caller impersonates a well-known company, usually as a pre-recorded message. In live calls, a threat actor may appear helpful while repeating themselves and pushing for personal information such as an account number or credit card details; for example, the caller may claim there is a potentially fraudulent charge on the person’s bank account and use that pretext to ask for passwords or account numbers. In 2022, vishing cases have become more frequent, accounting for more than one in four of all response-based threats.
Kroll was engaged for an incident in which an individual with supervisory duties was targeted by an actor via smishing. The threat actor posed as the CEO, sending messages that spoofed his phone number to an employee of the organization. The messages instructed the employee to move the chat away from text messages to an encrypted chat platform, such as WeChat or WhatsApp. Once the conversation had moved to a different application, the threat actor, still posing as the CEO, instructed the employee to make two large money transfers into an account controlled by the threat actor. Kroll examined the phone used by the victim of the smishing attack. During the examination, Kroll identified the applications used to communicate with the victim, which led to the identification of additional communication via email relating to the actual money transfers to the actor. As a result, Kroll was able to determine the initial point of communication between the actor and the victim and establish a timeline of events for the victim organization. Kroll then provided the timeline to the client so they could explore avenues of fund retrieval.
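The forensic task in the case above is correlation: evidence from three channels (SMS, the chat app the actor moved the victim to, and the email that carried the transfer details) has to be normalized onto one clock so the first contact and the hop between channels can be established. The following is an added example, not Kroll's examination tooling; the SMS and chat export layouts, the email headers, the actor identifiers and the handset's UTC offset are all constructed assumptions for the sake of a runnable illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed local UTC offset of the victim's handset during the incident; in a
# real examination take it from the device settings and the export metadata.
DEVICE_TZ = timezone(timedelta(hours=-4))

# Identifiers the actor used on each channel (constructed for this example).
ACTOR_IDS = {"+1-555-0100", "CEO", "counsel@example.net"}


@dataclass(order=True)
class Event:
    when: datetime   # normalized to UTC
    source: str      # "sms", "whatsapp" or "email"
    actor: str       # sender as recorded by that channel
    summary: str


# Constructed stand-ins for three evidence sources pulled from the handset.
SMS_EXPORT = """\
2022-05-02 08:14:05 -0400 | +1-555-0100 | Hi, this is the CEO. Are you at your desk?
2022-05-02 08:16:40 -0400 | +1-555-0100 | Can't talk, add me on WhatsApp so we can chat there.
"""

WHATSAPP_EXPORT = """\
5/2/22, 08:21 - CEO: I need you to process a confidential transfer today.
5/2/22, 08:25 - Employee: Sure, send me the details.
5/2/22, 08:27 - CEO: Our counsel will email the wire instructions shortly.
"""

EMAIL_HEADERS = [
    {"Date": "Mon, 2 May 2022 12:40:12 +0000", "From": "counsel@example.net",
     "Subject": "Wire instructions - transfer 1"},
    {"Date": "Tue, 3 May 2022 14:05:30 +0000", "From": "counsel@example.net",
     "Subject": "Wire instructions - transfer 2"},
]


def parse_sms(export: str) -> list:
    events = []
    for line in export.splitlines():
        ts, sender, body = (part.strip() for part in line.split("|", 2))
        # This export carries an explicit offset, so no timezone assumption is needed.
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
        events.append(Event(when, "sms", sender, body))
    return events


WA_LINE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{2}), (\d{2}:\d{2}) - ([^:]+): (.*)$")


def parse_whatsapp(export: str) -> list:
    events = []
    for line in export.splitlines():
        m = WA_LINE.match(line)
        if not m:
            continue
        # Chat exports carry no offset: interpret them in the handset's timezone.
        local = datetime.strptime(f"{m[1]} {m[2]}", "%m/%d/%y %H:%M").replace(tzinfo=DEVICE_TZ)
        events.append(Event(local.astimezone(timezone.utc), "whatsapp", m[3], m[4]))
    return events


def parse_email(headers: list) -> list:
    # RFC 2822 Date headers include their offset; parsedate_to_datetime keeps it.
    return [Event(parsedate_to_datetime(h["Date"]).astimezone(timezone.utc), "email",
                  h["From"], h["Subject"]) for h in headers]


def build_timeline() -> list:
    """Merge all sources into one UTC-ordered timeline."""
    return sorted(parse_sms(SMS_EXPORT) + parse_whatsapp(WHATSAPP_EXPORT) + parse_email(EMAIL_HEADERS))


REQUEST = re.compile(r"\b(transfer|wire)\b", re.IGNORECASE)


def summarize(timeline: list) -> dict:
    """Pull out what the report needs: first contact, first money request, channel hops."""
    actor_events = [e for e in timeline if e.actor in ACTOR_IDS]
    first_contact = actor_events[0]
    first_request = next(e for e in actor_events if REQUEST.search(e.summary))
    channels = []
    for e in timeline:
        if e.source not in channels:
            channels.append(e.source)
    return {
        "first_contact": first_contact,
        "first_transfer_request": first_request,
        "seconds_to_first_request": int((first_request.when - first_contact.when).total_seconds()),
        "channel_sequence": channels,
    }


if __name__ == "__main__":
    tl = build_timeline()
    for e in tl:
        print(f"{e.when:%Y-%m-%d %H:%M:%S}Z  {e.source:8} {e.actor:20} {e.summary}")
    print(summarize(tl))
```

The chat export is the fragile input: it has no timezone, so the handset's offset has to be recorded as an explicit assumption in the report, otherwise the apparent order of the SMS and chat messages (minutes apart here) cannot be defended.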
There are common patterns that threat actors use during a vishing or smishing attempt. Our experts have compiled a few important indicators to look out for in order to avoid falling victim to one of these schemes:
Our resident expert, Josh Hickman, recommends that organizations provide training to their employees to educate them on how to spot and avoid a vishing or smishing attempt. This training should teach employees to:
Ensuring the safety of your sensitive personal information is crucial, and knowing what information to share, and with whom, can prevent you from falling victim to a social engineering attack. Threat actors continue to evolve their tactics in order to trick unsuspecting victims, so it’s important to stay vigilant and safeguard your information. For further guidance, contact one of our Kroll experts at one of our 24x7 cyber incident response hotlines or connect with us through our Contact Us page.
The article above was extracted from The Monitor newsletter, a monthly digest of Kroll’s global cyber risk case intake. The Monitor also includes an analysis of the month’s most popular threat types investigated by our cyber experts. Subscription is available below.