Vishing and the Monarch Casino Heist: Social Engineering News 
Social-Engineer.Com
by Social-Engineer
1y ago
Vishing attacks were prominent in Q4 2022, increasing 142% from Q3 2022 according to the February 2023 Trellix Threat report. Vishing or “voice phishing” is the act of making fraudulent phone calls to manipulate a person. Attackers will target sensitive information that can lead to a data, network, or financial breach. When malicious actors call, they often employ social engineering tactics to trick their targets. They may pose as an authority figure, technician, or fellow employee. Such was the case for Twitter in the summer of 2020. Impersonating internal Twitter employees, attackers made ..read more
Effective Vishing Training
Social-Engineer.Com
by Social-Engineer
1y ago
What would you say is the most effective form of cyberattack? Most of us are familiar with threats such as ransomware, which usually involves phishing emails. However, there is one cyberattack vector which is a rising threat, that is vishing or voice phishing. Vishing uses the telephone to elicit information from targets that could lead to network, personal, or financial compromise. Vishing has become the second largest vector (next to email phishing) that we see today. With just one phone call, an enterprise can suffer devastating consequences. This is why security awareness and training are ..read more
The 2023 Security Landscape: A Social Engineer’s Take
Social-Engineer.Com
by Social-Engineer
1y ago
High-profile data breaches, attacks on essential infrastructures, and targeted cyber warfare made 2022 a pivotal year in the cybersecurity field. It challenged an already sophisticated threat landscape. All of this has had drastic effects on organizations. It is reported that about half of CISOs felt at risk of a cyber-attack last year. The many broad and varied attack vectors left those in leadership with a lack of clarity. Additionally, two-thirds of cybersecurity decision makers felt unprepared to defend against common threats in 2022 because of increasing staff turnover and hybrid working ..read more
Vishing on the Rise
Social-Engineer.Com
by Social-Engineer
1y ago
Over the last few years, we have seen a concerning rise in vishing. Vishing is the practice of eliciting information or attempting to influence action via the telephone. Statista reports that according to surveys of IT professionals conducted in 2020 and 2021, nearly 7 of 10 IT professionals reported having received a vishing call in 2021. This is a 54% increase since 2020. Not only is vishing becoming more prolific, but entire call centers are now being dedicated to it! One such call center was recently discovered in Ukraine, where 40 people were arrested in connection with malicious vishing ..read more
SMiShing Testing and Policy: Update it Today!
Social-Engineer.Com
by Social-Engineer
1y ago
For years, we have known about phishing as an effective vector into corporate networks. Malicious actors use phishing to obtain credentials and other sensitive data, install malware and a lot more. Recently, the SMiShing vector has taken center stage mainly due to the Twilio breach. This breach has undoubtedly caused CSOs and other information security staff sleepless nights. While phishing testing and training may have become mainstream, SMiShing testing is lacking. In part, it is lacking for legal reasons. Image: Incident Report: Employee and Customer Account Compromise – August 4, 2022 (twi ..read more
Debunking Common Cyber-Security Myths
Social-Engineer.Com
by Social-Engineer
1y ago
Cybersecurity is a critical issue that affects everyone who uses the internet, both individuals and corporations. Unfortunately, there are many myths and misconceptions about what does and does not work when it comes to protecting yourself online. In this article, I will debunk some of the most common cybersecurity myths. I’ll also provide some tips on what you can do to keep your staff and your information safe. Myth #1: Macs Are Immune to Viruses. Many people believe that Macs are immune to viruses, and therefore don’t need to worry about installing antivirus software. This is simply n ..read more
Vishing Financial Institutions
Social-Engineer.Com
by Social-Engineer
1y ago
Social-Engineer, LLC (SECOM) actively works with financial institutions to test and give guidance on their employees’ resilience against phone phishing, or vishing attacks. These are extremely successful engagements in every way. We will discuss two main institutions. One has opted to use SECOM’s levelized vishing program. The structure of this program tests employees against various levels of sophistication based on their performance. When a person defends against a test in one level, we promote them to the next, more difficult, level in the coming weeks. The other institution requested the c ..read more
Your Security Awareness May Be Failing to Be Effective – Here’s Why
Social-Engineer.Com
by Social-Engineer
1y ago
Every year, billions are being spent globally on security awareness training. Yet, close to 60% of all the breaches we see are directly related to an employee taking an insecure action that leads to that breach (i.e., clicking a link, giving out credentials, allowing 2FA bypass). One report said that in the next two years companies will be spending $10 billion (yes, with a B) on security awareness training per year globally. I am not sure about you, but if I am spending $10 on something I want it to be effective, let alone $10 billion! This is yet another area where spending more does not mea ..read more
The Social Engineering Code of Ethics
Social-Engineer.Com
by Social-Engineer
1y ago
Imagine you receive an email from your boss saying that there’s a new promotion at work. All you must do is log into the secure portal provided, do a 5-question survey, and you’ll get a $200 bonus that month. “Wow”, you think. “This is just what I needed to cover my unexpected medical expenses! What a relief!” You sign in and immediately get notified that you’ve fallen for a phishing test. How do you feel? You’re likely defeated, upset, and maybe even angry. “That wasn’t fair!” you think. What do you, the reader, think? Was it a fair test? Some might say yes. Attackers don’t care about your me ..read more
Business Email Compromise Fraud: Social Engineering News
Social-Engineer.Com
by Social-Engineer
1y ago
Business Email Compromise (BEC), a type of phishing fraud, consistently tops the FBI’s list of most financially damaging online crimes. Businesses were pummeled by BEC fraud in 2021 with over 70% reporting a BEC attack. The 2021 FBI’s Internet Crime Complaint Center (IC3) report documented 19,954 Business Email Compromise/Email Account Compromise (EAC) complaints with adjusted losses of nearly $2.4 billion. In other words, BEC fraud accounted for nearly a third of the total $6.9 billion cyber losses in 2021. Common BEC Examples and a New Virtual BEC Sche ..read more
