How Phishing has Evolved into “Vishing”

Many of today’s data breaches show that cyberattacks are front-ended by phishing scams. This is not a surprising fact since the easiest way for scammers to gain access to sensitive data is by compromising an end user’s identity and information. Things take a turn for the worse if a stolen identity belongs to a privileged user or someone who has more access to sensitive data.

While staying aware of different threats and tactics from scammers is important, businesses should also be aware of how these threats evolve into even greater risks. One such risk is the evolution of phishing into vishing.

A new take on the old scam, vishing attacks are a form of criminal phone fraud that combines one-on-one phone calls with custom phishing sites. Here’s a better look at the new threat and how businesses can protect against it.

Phishing for Safety

By now, cybersecurity professionals are aware of phishing scams, which use social engineering tactics to solicit personal information from users. Threat actors craft phishing emails to appear as if they have been sent from legitimate sources. These emails often attempt to entice users to click on a link that will take them to a fraudulent site that looks real. The user then provides information, such as an account username and passwords that expose them to future compromises.

Businesses have been dealing with this issue for some time now. They now know the importance of proper digital hygiene practices and the importance of cybersecurity insurance that protects them from major financial and legal fallout. But as the scam has evolved, businesses are now on guard for even more risk with vishing.

The cybercriminal's main objective is to persuade the user to reveal their information over the phone or enter the information directly into a website set up by the cyber actor that impersonates the company's corporate email.

How to Protect Against Vishing

There are several measures that cybersecurity professionals can implement to be more proactive against vishing and phishing alike.

• Security Awareness: It all begins with education. Companies can incorporate vishing detection education in security awareness training programs to limit ignorance to the situation's reality. This can also act as a reminder to frequently update training content to account for changes in the different cybersecurity measures.
• Restrict VPN Connections: Businesses can use mechanisms like hardware checks, so user input alone is not enough to gain access to the corporate VPN. Access can also be restricted to mitigate entry outside of allowed times.
• Least Privilege: Configure access controls, including file, directory, and network share permissions with the least privilege in mind. If a user only needs to read specific files, they should not have access to additional files.

In the end, phishing campaigns are only the precursor of credential-based attacks, which are the major cause of today’s cyberattacks. Companies can increase their cyber protection by educating themselves on the scams, cybersecurity insurance, and training to limit liabilities and legal problems.

About Axis Insurance

At Axis Insurance Services, we aim to help our customers identify their exposures and protect themselves. Founded in 1999, we offer insurance programs to a wide variety of professionals and industries including attorneys, real estate, healthcare, architects, and more, and also have a wholesale division. We pride ourselves on offering flexible insurance coverage tailored specifically to each customer’s needs. To learn more about our solutions, contact us at (877) 787-5258 to speak with one of our professionals.