It was a short and rather cryptic US-CERT alert.
And it hit inboxes when most of the United States was out of the office for a long Thanksgiving weekend.
You may have missed it, but you definitely should know about it.
CISA scam is underway
Criminals are dialing for dollars and posing as representatives of the Cybersecurity and Infrastructure Security Agency (CISA). CISA, as you may know, is part of the U.S. Department of Homeland Security.
"CISA is aware of a phone scam where a caller pretends to be a CISA representative. The scammer claims to have knowledge of the potential victim's questionable behavior and attempts to extort money."
You know cybersecurity has become mainstream when scammers are using it in their shakedowns.
This scam is probably worth a mention at your next security team meeting.
Action to take if a CISA scammer calls you
CISA is asking for your help if you or an employee gets a threatening call from someone claiming to be from CISA.
- Do not respond or try to contact the caller.
- Do not pay the caller.
- Contact your local FBI field office to file a report.
BEC scams and high-value cyberattack targets
This CISA scam is a new twist on a tried-and-true method: using fear and threats in phone calls to make money, a technique known as "vishing" (voice phishing).
It appears to be similar to the fake IRS representatives and police impersonators who promise to keep you out of jail and erase your supposed bad choices if you just pay them some money.
One of the most prevalent scams hitting organizations now is Business Email Compromise, or BEC. Losses have topped $26 billion globally in the last six years.
As a resource, you may want to check out our SecureWorld web conference: Crime and Email: Real-Life Stories from the Trenches. It focuses on BEC, the corporate executives most heavily targeted by these attacks, and strategies to mitigate them.
You can also check out our recent SecureWorld Sessions podcast on BEC and the business-enterprise model that is fueling this cybercrime.