Don't trust caller ID info; can be spoofed easily: Cyber advisory to govt officials
A cyber security advisory has cautioned government officials against trusting the caller ID information that pops up while receiving a phone call, following a spurt in “vishing” attacks aimed at compromising confidential personal information and gaining unauthorised access to official systems.
“Attackers may impersonate trusted entities such as senior government officials, law enforcement agencies or technical support personnel,” the advisory issued recently by the National Informatics Centre (NIC) reads.
The severity of the communication has been categorised as “high”. It has specified that attackers “manipulate” caller ID information to make a call appear as if it is coming from a “legitimate government number”. The communication, sent to multiple government departments and ministries, said it was issued because there had been an increase in recent months in vishing attacks targeting government officials to compromise confidential information and gain unauthorised access to official systems.
Vishing, or voice-phishing, is a social engineering attack where scammers use phone calls or voice messages to manipulate individuals into sharing sensitive information such as log-in credentials, personal information and financial details.
The attackers also deploy the tactic of conveying a “sense of urgency”, “coercing” targets into revealing information by implying severe consequences for non-compliance and using “complex technical language” to confuse or intimidate targets, making them more likely to comply, the advisory says. It has asked government officials to be cautious of such techniques, underlining that caller ID information can be “easily spoofed”.
“Do not trust the legitimacy of the caller based solely on the displayed number. Cross-check any caller claiming to represent an official agency with official records,” the communication advised. It has also asked officials to mandatorily verify the caller's identity through government channels before sharing sensitive information. The advisory has asked them to call back the organisation or individual using publicly available contact information.
Officials, according to the advisory, should always “be suspicious of any unsolicited calls asking for personal or confidential information, especially when the caller is creating urgency or panic to pressure compliance”. “Take time to verify the information provided by a suspect caller,” the advisory said. It has also asked government staffers to practise all established protocols for ensuring safe cyber interaction during work and otherwise.