Call Us Today! (716) 372-1325 [email protected]

There has been an alert from the FBI and CISA detailing a new internet scam of people once again trying to obtain financial and other confidential information. You may ask yourself, “Is my company being scammed?” Now’s the time to reassess your company’s cybersecurity system and your Computer Security Incident Response Program (CSIRP). As always, Acme Business can help with any cybersecurity need your business may have.

“The COVID-19 pandemic has resulted in a mass shift to working from home, resulting in increased use of corporate virtual private networks (VPNs) and the elimination of in-person verification” according to Fox Point Solutions. “In mid-July 2020, cybercriminals started a vishing* campaign—gaining access to employee tools at multiple companies with indiscriminate targeting—with the end goal of monetizing the access. Using vished* credentials, cybercriminals mined the victim company databases for their customers’ personal information to leverage in other attacks. The monetizing method varied depending on the company but was highly aggressive with a tight timeline between the initial breach and the disruptive cash-out scheme.”

How to reduce your risk of being scammed

Organizational Tips

  • Restrict VPN connections to managed devices only, using mechanisms like hardware checks or installed certificates, so user input alone is not enough to access the corporate VPN.
  • Restrict VPN access hours, where applicable, to mitigate access outside of allowed times.
  • Employ domain monitoring to track the creation of, or changes to, corporate, brand-name domains.
  • Actively scan and monitor web applications for unauthorized access, modification, and anomalous activities.
  • Consider using a formalized authentication process for employee-to-employee communications made over the public telephone network where a second factor is used to authenticate the phone call before sensitive information can be discussed.

End-User Tips

  • Verify web links do not have misspellings or contain the wrong domain.
  • Bookmark the correct corporate VPN URL and do not visit alternative URLs on the sole basis of an inbound phone call.
  • Be suspicious of unsolicited phone calls, visits, or email messages from unknown individuals claiming to be from a legitimate organization. Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information. If possible, try to verify the caller’s identity directly with the company.
  • If you receive a vishing* call, document the phone number of the caller as well as the domain that the actor tried to send you to and relay this information to law enforcement.
  • Limit the amount of personal information you post on social networking sites. The internet is a public resource; only post information you are comfortable with anyone seeing.
  • Evaluate your settings: sites may change their options periodically, so review your security and privacy settings regularly to make sure that your choices are still appropriate.
  • For more information on how to stay safe on social networking sites and avoid social engineering and phishing attacks, visit the CISA Security Tips below.
  • Avoiding Social Engineering and Phishing Attacks-CISA recommendations
  • Staying Safe on Social Networking Sites-CISA recommendations

With the world transforming everyday, it’s becoming more and more important to protect your business from online invaders. Contact Acme Business, their team of experts can help with all your cybersecurity needs. 

* Vish – to try to obtain financial or other confidential information from people by placing phone calls, typically automated, that seem to be from a legitimate organization, usually a financial institution.