Nefarious voice traffic attacks like “vishing” are up by over 500% since last year, but most security and IT pros don’t protect it as a critical attack surface. Security tools are primarily focused on the data network (like web and email), but the voice network is easily infiltrated through vishing, smishing, or spearphishing using social engineering tactics against employees as the weakest link.
We spoke with Roger Northrup, CTO of Mutare, to discuss top cyber-attacks exploiting voice networks and how organizations can defend themselves.
What makes cyberattacks exploiting voice networks so dangerous?
Cyberattacks on voice networks pose serious threats to organizations from social engineering scams that are executed through robocalls, voice phishing (vishing) attacks, SMS or text phishing (smishing) attacks, or even spear-phishing attacks that target senior leadership.
When criminals can earn an employee’s trust to share information over the phone, they may gain access to critical systems for customer, employee, and stakeholder data. Such attacks can lead to dangerous data breaches or intellectual property thefts, or they can at least reduce employee productivity through the distraction of unwanted calls.
The newly released Mutare Voice Network Threat Survey found that nearly half of organizations (47%) experienced a vishing or social engineering attack in the past year. In one technique, a social engineering hacker may pose as an internal IT technician who innocently requests a password to help secure the company network, and then goes on to steal proprietary data.
Why do hackers target voice networks?
Bad actors use a range of malicious techniques to steal private data and IP which can then be sold over the dark web. Nefarious vishing attacks are up by over 500% since last year, but most security and IT pros don’t protect the voice network as a critical attack surface. Security tools mainly focus on the data network for web and email, but the voice network is easily infiltrated through vishing, smishing, or spear-phishing attacks that deploy social engineering tactics against employees as the weakest link.
In fact, the biggest source of security risk stems from employee errors, according to 43% of survey respondents. That ranking was followed by the risk from email (36%), endpoints (35%), and data networks (17%). Only 10% of respondents cited their voice networks and phone systems as the biggest source of security risk in their organizations, reinforcing a widespread lack of awareness about this problem.
What are the different types of attacks?
There are multiple types of voice network attacks. A Telephony Denial of Service attack (TDoS) makes a telephone system unavailable to the intended users by preventing incoming and/or outgoing calls. The objective is to keep the distraction calls active for as long as possible to overwhelm the victim's telephone system, which may delay or block legitimate calls for service.
The increase of ransomware on mobile devices poses another serious risk for organizations that allow employees to use their personal mobile devices in the workplace (BYOD). Security experts have found examples of ransomware being transferred from a mobile device to a networked system via corporate Wi-Fi, which can happen by employees clicking on a malicious text message link.
Still another approach involves vishing attacks such as the devastating Robinhood data breach when an unauthorized party socially engineered a customer support employee by phone to obtain access to customer support systems. What best practices should organizations follow in order to stay protected?
All calls are either wanted or unwanted. The goal is to block the unwanted calls and receive the wanted calls. To do so, companies should implement comprehensive security awareness trainings to protect against bad calls that get through to employees. Red flags should immediately go up to warn users not to give out any info, and to just end the call.
More than one-third (36%) of survey respondents cited security awareness training as the top solution to protect voice networks from vishing and smishing attacks. That approach was followed by traffic firewalls (34%), spam blockers (26%), training for vishing attacks (20%), training for social engineering (23%), and threat detection (13%).
Also, new CAPTCHA technologies can identify bad callers and block those calls until more data is gathered. Security teams can send questionable calls to a CAPTCHA that will quarantine the call to analyze whether it is human or a bot.