FBI: Cyber criminals target employee credentials via voice phishing attacks

The FBI issued a private industry notification warning that cyber criminals are targeting employee credentials through voice phishing, or “vishing,” attacks.

The Federal Bureau of Investigation (FBI), in close coordination with the Department of Homeland Security (DHS), issued the notification on January 14, 2021. The advisory warns that bad actors are targeting employees with network access in order to escalate privileges on enterprise systems.

Starting in December 2019, the FBI observed cyber criminals targeting employees at large international companies using vishing, a form of social engineering that exploits phone calls to users of voice-over-IP (VoIP) systems.

The threats have increased this past year as more enterprises have had to adapt to COVID-19 lockdowns and work from home. As a consequence, many organizations have had more difficulty monitoring their networks for these threats.

“In one instance, the cyber criminals found an employee via the company’s chatroom, and convinced the individual to log into the fake VPN page operated by the cyber criminals. The actors used these credentials to log into the company’s VPN and performed reconnaissance to locate someone with higher privileges,” the FBI wrote in the notification.

“The cyber criminals were looking for employees who could perform username and e-mail changes and found an employee through a cloud-based payroll service. The cyber criminals used a chatroom messaging service to contact and phish this employee’s login credentials.”


The FBI provided multiple mitigations against vishing threats, including but not limited to:

  • Use of multi-factor authentication (MFA)
  • Limit VPN users to “least privilege” and review all network access periodically
  • Scan and monitor for unusual activity
  • Network segmentation (break up larger networks into smaller ones to limit access to more sensitive networks and data)
  • Split out normal user accounts (e.g., email, reports, remote access) from admin accounts (that have higher-level privileges)
