Phishing has been a significant threat since the early days of the internet and continues to plague organizations today. With the mass migration to remote working during the pandemic, hackers have ramped up their efforts to steal login credentials as they take advantage of the chaos and lack of in-person user verification. This has led to the revival of the old-school technique of vishing, which, like phishing online, involves using social engineering over the phone to steal sensitive information.
Vishing attacks have been on the rise as a result, with 69% of companies experiencing them in 2021, up from 54% in 2020. These attacks often take the form of job or tech support scams and can be incredibly convincing. In August 2020, the FBI and CISA issued a warning that attackers were targeting remote users by spoofing organizations' business numbers and impersonating the IT service desk.
One of the most concerning aspects of vishing is the attackers' ability to bypass two-factor authentication (2FA) security measures. 2FA is a popular form of multi-factor authentication that requires users to provide two types of information, typically a password and a one-time code sent via SMS. Although 2FA is a strong security measure, vishing attacks can bypass it by tricking users into giving their one-time code to the attacker. This highlights the importance of user awareness and training in preventing vishing attacks.