Ride the Lightning

Voice Phishing Attacks Skyrocket!

May 26, 2022

TechRepublic reported on May 24 that a study conducted by Agari and PhishLabs found that attempted voice phishing (also known as vishing) attacks have increased 550% from the beginning of 2021 to Q1 of 2022.

“Hybrid vishing campaigns continue to generate stunning numbers, representing 26.1% of total share in volume so far in 2022,” said John LaCour, principal strategist at HelpSystems. “We are seeing an increase in threat actors moving away from standard voice phishing campaigns to initiating multi-stage malicious email attacks. In these campaigns, actors use a callback number within the body of the email as a lure, then rely on social engineering and impersonation to trick the victim into calling and interacting with a fake representative.”

The explosion in the rate of vishing attacks has overtaken business email compromise (BEC) as the second most reported response-based email threat since the third quarter of 2021.

The number of malicious emails targeting individuals’ inboxes continues to increase quarter-over-quarter as well, following a brief reduction in the final quarter of 2021. This escalation in the rate at which employees receive harmful emails attempting cyberattacks signals a growing need for increased training for employees, as emails can still find ways to bypass spam folders and into a user’s inbox.

According to the study, emails that were deemed potentially harmful received by employees rose to a rate of 18.3% from 2021 to 2022.

These harmful emails were broken down into the following threat vectors by percentage:

• Attempted credential theft (58.7%)
• Response-based attacks (37.5%)
• Malware delivery attempts (3.7%)

Eighty percent of the credential theft attempts were delivered via a phishing link, while 20% came to inboxes via an email attachment. Credential theft is consistently the top threat to employees quarter-over-quarter, according to the study.

“As the variety of digital channels organizations use to conduct operations and communicate with consumers expands, bad actors are provided with multiple vectors to exploit their victims,” said LaCour. “Most attack campaigns are not built from scratch; they are based on reshaping traditional tactics and incorporating multiple platforms. Therefore, to remain secure, it’s no longer effective for organizations to only look within the network perimeter. They must also have visibility into a variety of external channels to proactively gather intelligence and monitor for threats.”

This is the first time we have seen vishing overtake business email compromise attacks. Once again, it is time to update our PowerPoints. The only constant in cybersecurity is change.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225, Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson