There's been a big rise in cyber criminals combining fraudulent emails and telephone calls to trick victims into disclosing sensitive information like passwords and bank details.
In vishing (voice phishing) attacks, criminals telephone victims and use social engineering to trick them into giving up personal data.
Common scams involve attackers claiming to be from the victim's bank, the police, or even cybersecurity or software companies. Often, they use scare tactics to pressure victims into handing over bank details or passwords as a matter of urgency.
The attackers can even spoof the telephone number and caller ID so that the call appears to come from a legitimate organisation, making their claims more convincing.
Now, in an effort to make vishing attacks look even more legitimate, cyber criminals are using what cybersecurity researchers at Agari, by HelpSystems, describe as 'hybrid' vishing attacks. These differ from regular vishing attacks because they unfold in multiple stages: the victim is first contacted with a phishing email lure containing a phone number that they are asked to call.
The emails will often manufacture a sense of urgency in order to panic the target into calling the number. For example, the email could claim that you're about to be locked out of your bank account, or that a transaction has been made without your permission and you should call the number to talk to the bank.
When the victim calls, they're connected to a scammer who attempts to extract sensitive information from them under the pretence of helping to rectify the fictitious problem the victim has been told they have. Unlike many phishing emails, the messages don't contain attachments or malicious links, so they're more easily able to bypass spam filters and anti-virus protections.
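Because the lure carries no URL or attachment, the signals a mail filter has left to work from are the phone number itself, the instruction to call it, and the urgency language around it. The following Python script is an added example, not code from Agari, HelsSystems or ZDNET: it parses a raw email message with the standard library, scores it on those signals, and flags a constructed callback lure while letting a newsletter whose footer also contains a phone number through. The sample messages, the regular expressions, the keyword list and the threshold are all assumptions chosen for the demonstration.

```python
"""Heuristic detector for 'call this number' phishing lures (added example).

Scores an RFC 5322 message on the signals that remain when a lure carries
no link or attachment: a phone number, an instruction to call it, and
urgency language. Thresholds and patterns are demo assumptions.
"""
from __future__ import annotations

import re
from email import message_from_string, policy

# --- Constructed sample messages (not real phishing emails) -------------
CALLBACK_LURE = """\
From: "PayBank Security" <alerts@paybank-secure.example>
To: victim@example.com
Subject: Unauthorised transaction on your account
Content-Type: text/plain; charset="utf-8"

A payment of $489.00 was made from your account without your permission.
Your account will be locked within 24 hours unless you confirm this activity.
Call our fraud team immediately on 1-800-555-0199 to cancel the transaction.
"""

NEWSLETTER = """\
From: "Example Shop" <news@example.com>
To: victim@example.com
Subject: Our spring catalogue is here
Content-Type: text/plain; charset="utf-8"

Browse the new range at https://www.example.com/spring
Questions? Call us on (555) 010-0123, Monday to Friday.
"""

RECEIPT = """\
From: "Example Shop" <orders@example.com>
To: victim@example.com
Subject: Your order has shipped
Content-Type: text/plain; charset="utf-8"

Order #10428 is on its way. Track it at https://www.example.com/track/10428
"""

# --- Detection patterns (assumptions for the demo) ----------------------
# North-American style numbers with optional country code; the lookarounds
# stop the pattern matching inside longer digit runs such as order numbers.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)"
)
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.I)
CALL_CUE_RE = re.compile(r"\b(?:call|phone|ring|dial|contact)\b", re.I)
URGENCY_TERMS = (
    "immediately", "within 24 hours", "locked", "suspended",
    "without your permission", "unauthorised", "unauthorized", "urgent",
)


def score_callback_lure(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for a raw message; higher means more lure-like."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    haystack = f"{msg['Subject'] or ''}\n{text}"

    phones = list(PHONE_RE.finditer(haystack))
    if not phones:
        return 0, ["no phone number: not a callback lure"]

    score, reasons = 0, []
    has_url = URL_RE.search(text) is not None
    has_attachment = any(True for _ in msg.iter_attachments())
    # The signature of a hybrid vishing lure: the phone number is the only
    # call to action, so nothing link- or attachment-based will fire.
    if not has_url and not has_attachment:
        score += 2
        reasons.append("phone number is the only call to action (no links or attachments)")

    # An instruction to call within 60 characters before a phone number.
    if any(CALL_CUE_RE.search(haystack[max(0, m.start() - 60):m.start()]) for m in phones):
        score += 1
        reasons.append("instruction to call near the phone number")

    lowered = haystack.lower()
    hits = [term for term in URGENCY_TERMS if term in lowered]
    if hits:
        score += min(2, len(hits))  # cap so wording alone cannot trip the threshold
        reasons.append("urgency language: " + ", ".join(hits))
    return score, reasons


def is_callback_lure(raw: str, threshold: int = 3) -> bool:
    """True when the message scores at or above the (assumed) threshold."""
    return score_callback_lure(raw)[0] >= threshold


if __name__ == "__main__":
    for name, sample in (("lure", CALLBACK_LURE), ("newsletter", NEWSLETTER), ("receipt", RECEIPT)):
        score, reasons = score_callback_lure(sample)
        print(f"{name}: score={score} flagged={is_callback_lure(sample)} {reasons}")
```

On these samples the lure scores 5 (no link or attachment, a "call" cue beside the number, and two capped urgency hits) while the newsletter, which has a real link and no urgency wording, scores 1 and the receipt 0. The scoring is deliberately coarse; a gateway would combine it with sender-authentication results and a list of phone numbers already seen in reported lures, since the number is the one artefact the attacker cannot leave out.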
According to research by Agari, there's been a 625% increase in hybrid vishing attacks over the last year.
"These emails are particularly adept at getting past attack controls because they lack the typical links or attachments that are flagged by security teams, and instead initiate attacks on customers via phone numbers. This not only evades security teams but also catches busy users off guard," John Wilson, senior fellow responsible for threat research at Agari told ZDNET.
"With the increase of work-from-home employees, threat actors know that many of their targets no longer work near an internal expert within an office setting that they can turn to, to help validate the email, and while most scams promote a sense of urgency, employees will oftentimes act before thinking twice, so they can productively work through their daily tasks," Wilson explained.
Researchers warn that vishing and other email-based phishing attacks will continue to be a problem, but there are steps which organisations can take to help prevent attacks.
"Capabilities to automatically detect and remove threats from all infected employee inboxes before users can interact with them also play a critical role, as well as a proper security training regimen, to prepare users to be on the lookout for such threats," said Wilson.