What is going on?
Vishing, or voice phishing, is a fraud technique in which attackers use phone calls to lure sensitive information out of their victims. Fraudsters usually pretend to represent legitimate organizations (banks, government offices, etc.) and try to appear credible to their victims. The attack relies on manipulative techniques (pressure, threats, urgency) intended to make the victim hand over the data the attacker wants, usually sensitive data such as login names, passwords, or credit card numbers. In other cases, the attacker wants the victim to perform a particular action, for example, installing malicious software or transferring money to an unknown account.
Computer security incident – "Houston, we have a problem!"
Imagine a situation from everyday life: you get a call from an unknown number with a Czech or even a foreign area code. Nothing new under the sun, you say to yourself. When you pick up the call, the caller tells you in broken English that he is a Microsoft employee and informs you that a severe cyber incident has been identified on your device. Additionally, he tells you that one of the things he needs you to do is install software that will fix the security issue immediately. We have encountered precisely this type of attack in recent days at MUNI.
If you follow the caller's instructions, your sensitive information or work data could be stolen. Alternatively, you could install malicious software (e.g., ransomware) that could encrypt your device, rendering it unusable. It is also not unusual for an attacker to gain control over your device.
Are you asking yourself, "How did the attackers get my number?"
Attackers use different methods to obtain personal or work contacts. One option is that the attacker dials random phone numbers or targets an organization's website where phone numbers are publicly listed. Another possibility is that the attacker uses an employee account to spread phishing e-mails and extract the necessary data from internal databases.
What to do?
The golden rule is: "Critically approach the demands placed on you through virtual communication." To do this, we recommend that you stick to three principles:
- Do not share any information over the phone.
- Verify the information in relevant and official places.
- Immediately report the incident to the Masaryk University Cybersecurity Team.