Written by: Daniel Haurey on 06/13/24

We often discuss cybersecurity tactics such as email phishing, where the bad actor delivers a sneaky ask via email in an attempt to lure an employee into clicking on a compromised URL, downloading an infected file, or sharing confidential information about your customers or your company.  But some hackers are more old school in their approach and call their victims, a practice called “vishing.” We often hear about unfortunate instances where an employee answers a phone call from a hacker pretending to be from tech support and then shares access to a device, only to realize later it was all a scam.

In fact, if you follow cyber attacks in the news, you may remember the high-profile incident with MGM Entertainment last fall. The single access point that allowed the infamous cybercrime group “Scattered Spider” to completely shut down several casinos and hotels under the MGM umbrella used that old-school approach – albeit reversed. The bad actors called the corporation’s tech support company and finagled access to the entire network by pretending to be an employee. Unfortunately, the tactic works both ways.

Tips to Avoid Tech Support Vishing Scams

How do you protect your employees and your organization from such a simple but sneaky approach? If you are not encountering any IT issues, and someone calling to be from a tech support company or a vendor partner calls you unexpectedly, here are simple tips to avoid being the victim of fraud:

  1. Ask if you can call them back. Your team should have access to your organization’s IT support phone number; if they receive an unexpected call with a request, make it a policy to call back before taking any action. Use the number on your IT support company’s website or one from your files. Do not call a new phone number or use an email address supplied by the caller.
  2. If a caller says your computer has a problem and requests remote access, simply hang up. These hackers often use phone numbers that are spoofed to look like real businesses in your community or a trusted vendor partner. This is not how real IT support businesses or software vendors operate. If you are unsure, follow the procedure in #1.
  3. Remember that the scam may take the form of an email, phone call, or even a pop-up warning. Callers may say they are from a well-known, large tech company such as Microsoft to make the request seem more legitimate (see #4). They will likely ask your employee to open a file or run a scan using a link they send you, but this is a ploy to get remote access.
  4. Reputable technology vendors will tell you: They do not send unsolicited email messages or make unsolicited phone calls to request personal or financial information, or to provide technical support to fix your computer. If you don’t ask them for help first, they won’t call you to offer support.
  5. Privacy policies for your organization should clearly outline what can be shared with your organization’s business partners and what cannot. Your employees should never divulge passwords or other company information to a third party without internal confirmation.
  6. If you visit a website and a full-screen pop-up warns that your computer has been compromised, do not call the number, or click any links. These are hackers who have infiltrated popular sites to try to sneak past your security protocols.

If an employee realizes a scam might have taken place, that is when you should call your trusted IT partner. MSPs can run assessments and scans to uncover malicious code or hidden apps that can lurk in your network, siphoning off data for weeks or even months. The sooner you involve your IT professional, the more quickly access or damage to your network can be contained.

[Download our tip sheet on preventing wire transfer fraud]

Tip: When selecting a managed IT services partner, ask what security steps are in place to prevent this type of fraud. At Exigent, we follow multifactor authentication for phone calls, using a tool that allows confirmation the person calling in for “support” is a real employee at our client’s organization. Similarly, if you receive a call from Exigent, you can ask for the team member’s name, hang up, and either call our support hotline or enter a ticket to confirm that there is a real issue.

Is your organization concerned about phishing, vishing and all the ways hackers can attack? Consider adding Vigilant Security Awareness Training to your arsenal.