The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning regarding a new “voice phishing” scam arising from the massive shift to teleworking during the pandemic. Under the new scheme, threat actors posing as the company IT department call workers and request usernames and passwords for the company’s systems in order to log into a new VPN link. The “bad guys” then have access to the company’s existing VPN and log in as if they are legitimate employees.
This unauthorized access creates a threat to corporate assets and to any confidential or sensitive third-party information such as customer details. It may result in privacy issues as well – including fines or litigation based on access to personal information such as HR or marketing profiles.
Because there is so much information publicly available about employees (via company website biographies, LinkedIn and social media profiles, and otherwise), it is easy for the bad guys to appear legitimate, and to cultivate the trust of employees. (“I see here that you’ve been with BigCo for ten years; I’ll bet you’ve seen a lot of changes….”)
Clear Employee Communications Can Help
How can employers combat this new threat? The best way is through clear communications with employees. Alert employees to the existence of this scam, remind them that threat actors and bad guys are actively exploiting stay-at-home workers, and enlist their cooperation and awareness in protecting all the confidential, trade secret, personal, and sensitive information that may be accessible via the company’s IT systems.
If appropriate, send a company-wide email about (1) the circumstances, if any, under which IT will initiate a call to employees and (2) the processes by which new IT initiatives will be rolled out to users. If there are no circumstances in which IT initiates contact, remind employees of that and instruct them not to divulge credentials to anyone who calls them. If it is company practice to send advance instructions and notice regarding IT upgrades and initiatives, remind employees of that.
If possible, include a telephone number that employees can call with any questions they may have about suspicious IT-related requests or processes.
Remember that employees have been out of the office for many months and may be more relaxed and less vigilant in a home environment where they are managing multiple roles (online school, childcare for younger children, household maintenance, a working spouse or roommates); that they may be using multiple devices, some of which don’t feel as “official” as a laptop or desktop; and that your IT personnel may have changed through turnover or staff growth during the pandemic. All these factors are relevant not only to the current phishing scam, but to preparedness and communication generally. Help your employees by giving them timely and regular reminders of the company’s responsibilities and policies regarding confidential information and access to company systems.