Your employees are faced with an onslaught of sophisticated scam email messages every day. And they are only becoming increasingly more convincing and frequent. One of the more popular tactics we have seen this year is what is known as callback phishing. This approach adds a human element to make the scam more believable and considerably more successful against uneducated end users. We touched on this topic briefly in a past post about Malvertising, but today we will take a more in depth look to understand what callback phishing is and how to defend against this cyberthreat.
A call-back phishing scam is a type of phishing in which the attacker sends an email that appears to be from a legitimate source, such as a bank or software vendor. The email will typically ask the victim to click on a link to verify their account details or to contest an unexpected charge on their account. This link will often take the victim to a landing page that displays urgent messaging and a phone number to call in order to resolve the issue. Occasionally, there may not even be a link, just a phone number in the body of the email. This approach is used to evade sophisticated email security tools that scan email messages for malicious links. A fantastic example of how cybercriminals evolve to combat modern security measures.
Once the victim calls the phone number, they will be connected to a real person who pretends to be a representative of the legitimate company. This person will often feign sympathy and act as if they are there only to help the victim resolve the issue. Once they feel like they have gained the target’s trust, the attacker will then try to obtain sensitive information from the victim, such as their username and password or credit card information or gain access to the target’s computer, under the guise of verifying their account information.
The attacker will often use social engineering tactics to try to convince the victim to reveal this information or allow a connection, such as claiming that there has been suspicious activity on their account, a significant charge or purchase has been made, or that they need to update their security settings.
Once the attacker has obtained the victim’s sensitive information, they can use it for a variety of nefarious purposes, such as gaining access to other business or personal email accounts, moving money from their bank account, or using their credit card to make fraudulent purchases. If the attacker has gained access to the victim’s device, they will often install malware or establish persistent access to launch other attacks.
Be wary of emails and phone calls from unfamiliar sources: If you receive an email or phone call from an unfamiliar source, be suspicious. Do not provide any sensitive information unless you are certain that the source is legitimate. If you are concerned, reach out to the company or organization directly from publicly available sources such as a trusted search engine.
Check the URL: If the email contains a link or you are directed to a website to provide account information, check the URL to make sure it is legitimate. Look for the “https” in the URL, which indicates that the website is secure. Also, look for any spelling or grammar mistakes in the URL or website, as these can be signs of a fake website.
Never give out sensitive information over the phone: Legitimate companies will never ask for sensitive information over the phone, such as multi-factor authentication codes, your username and password, or credit card information. If someone claiming to be from a legitimate company asks for this information over the phone, it is likely a scam.
Use multi-factor authentication: Multi-factor authentication (MFA) can help protect your accounts from being compromised by a call-back phishing scam. With MFA, the cybercriminal will need more than your passwords to access email or financial accounts. Enabling MFA everywhere possible is one of the best ways to secure sensitive accounts.
We encourage you to discuss this approach to phishing with your staff. Cybercrime is constantly evolving, and it is the business owner and administrator’s responsibility to keep their employees educated and up to date on the latest security trends. We know that cybersecurity awareness can be incredibly time consuming, and difficult to manage, but we can help! If you are interested in learning more about automated cybersecurity awareness training and testing for your organization, reach out to us today.