Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

FBI Warns of Employee Credential Phishing via Phone, Chat

The Federal Bureau of Investigation has issued a Private Industry Notification (PIN) to warn of attacks targeting enterprises, in which threat actors attempt to obtain employee credentials through vishing or chat rooms.

The Federal Bureau of Investigation has issued a Private Industry Notification (PIN) to warn of attacks targeting enterprises, in which threat actors attempt to obtain employee credentials through vishing or chat rooms.

Taking advantage of the COVID-19 pandemic, which has forced the broad adoption of telework, cyber-criminals and threat actors are attempting to exploit possible misconfiguration and lack of monitoring for remote network access and user privileges.

An observed shift in tactics, the FBI says, is the targeting of all employee credentials, not exclusively of those individuals who might have higher access and privileges based on their corporate position.

Cybercriminals were observed employing social engineering to target both US-based and international-based employees of large companies. As part of vishing attacks (voice phishing performed during phone calls) using VoIP platforms, employees were tricked into accessing fake web pages and entering their corporate usernames and passwords.

“After gaining access to the network, many cyber criminals found they had greater network access, including the ability to escalate privileges of the compromised employees’ accounts, thus allowing them to gain further access into the network often causing significant financial damage,” the FBI explains.

In one attack, the Agency says, the cybercriminals found an employee via the company’s chatroom, and then convinced them into logging into a fake VPN page to reveal their credentials.

Using the compromised username and password, the threat actors then logged into the company’s VPN and started searching for employees who had higher privileges. They located an employee who could make username and email changes and used a chat room messaging service to phish for their credentials.

The infamous July 2020 Twitter hack, in which three youngsters gained access to social platform’s internal tools and took control of high-profile accounts, is representative of how such an attack is performed: the cybercriminals called multiple employees to phish for their credentials, until they finally harvested those having the privileges they were looking for.

“The Hackers used personal information about the employees to convince them that the Hackers were legitimate and could, therefore, be trusted. While some employees reported the calls to Twitter’s internal fraud monitoring team, at least one employee believed the Hackers’ lies,” the New York Department of Financial Services said in a report detailing the incident.

To mitigate such attacks, the FBI advises organizations to implement multi-factor authentication (MFA) for employee accounts, adopt the least privilege principle (especially for new employee accounts), actively monitor the environment for unauthorized access or modifications, employ network segmentation, and issue two accounts for admins: one for email and another for making changes to systems.  

“With so many people working from home, they are more likely to fall for this type of vishing scam because they don’t have the protective environment of being in their corporate offices,” James McQuiggan, security awareness advocate at KnowBe4, said in an emailed comment.

“Organizations want to include vishing exercises within their robust security awareness, behaviors, and culture programs to ensure employees are aware of current dangers and can take the appropriate actions to reduce the risk of an attack by unauthorized people,” McQuiggan continued.

Related: The Evolution of Phishing: Welcome “Vishing”

Related: CISA, FBI Alert Warns of Vishing Campaign

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.