After receiving a seemingly innocent call from your “IT department” asking you to help test a new company portal, you worked with the developer on the phone and diligently followed his prompts as quickly as possible so you could get back to the memo your boss wanted. A few hours later, it dawns on you: that call was a little weird, and something about it seemed off. Your software developers have never called you directly before, and employee beta testing isn’t something that normally happens. Then that “Oh $@!%” moment hits you and you start to get a feeling of buyer’s remorse. This might have been a social engineering attack, more specifically a vishing (voice phishing) attack. Here is what you should do next if you ever get this feeling.
Report the Event Immediately
No matter what you are doing, the second you realize you are being actively targeted by a social engineering campaign, or that you may have been compromised, call your IT team or security team immediately. Even in a case like the scenario above, where you didn’t realize you may have done something wrong until later on or even the next day, report it anyway! There should not be any negative repercussions; on the contrary, your organization should be grateful that you’ve given them information about an ongoing cybersecurity incident. That way, they can take the next steps to respond to the incident and ensure it doesn’t become a bigger issue. They should be able to talk you through next steps based on the organization’s protocols, or simply take over and handle the incident for you at this point. Whatever you do, do not try to hide the event. If you really were compromised, hiding it is only going to make the issue worse and could lead to disciplinary action or even liability because you didn’t follow your company’s incident response protocols. Do not try to reset your computer or fix it yourself, either. This could destroy important forensic evidence, which would be the worst-case scenario.
It Is Never Too Late!
Again, even if it has been a week or several weeks since you realized you could have fallen victim, it is never too late to report the event to the proper incident response representative in your organization. While certain logs or forensic evidence may be gone by then, at least the team is aware and can start threat hunting activities to determine whether the attacker is still in your environment, whether they accessed or exfiltrated any sensitive information, and whether any other users were targeted. Additionally, they can communicate broadly to the rest of the organization to be on the lookout for this type of attack.
Learn From Your Mistake
It is unfortunate that you may have fallen victim to a sophisticated, well-executed social engineering attack, but this represents a learning opportunity and a chance for you to raise awareness across the rest of your organization about these events. Social engineering campaigns, and vishing in particular, are becoming more prevalent and more sophisticated, so you should not be embarrassed that it happened to you. You should learn from it, though, and use it to increase your overall awareness. Learn the signs of a potential vishing attack so that you do not fall victim in the future, and talk to your colleagues about what happened to you so they understand the series of events and know what to look for. You can always suggest increased awareness training for your organization, or even offer to speak at your next security awareness training event to help communicate the dangers of these kinds of attacks. It takes a village to stop vishing and cyber attacks in general, and nothing raises awareness among employees in your organization quite like an attack happening to one of them.