Key Takeaways
Recent cyberattacks have evolved beyond technical hacking. A new, highly successful campaign by the threat group ShinyHunters has been targeting businesses, including users of popular SaaS platforms, not by breaking through software "firewalls," but by tricking employees directly over the phone. This attack vector is known as "vishing" (Voice Phishing), and it is specifically designed to bypass the technical security measures most businesses rely on.
Our TRC leaders have explained vishing attacks in detail and provided key signs to watch for.
The anatomy of a "vishing" attack
Unlike traditional phishing emails, vishing uses live phone calls to create immediate urgency and personal pressure. Because attackers impersonate professional IT support staff, employees are far more likely to comply, making vishing significantly more effective than standard email-based attacks.
How the attack works
It can be easy to let your guard down when you believe you are speaking with someone from your company, so it is important to understand exactly how the attack unfolds.
- The call: An attacker calls an employee, pretending to be from your company’s IT or Help Desk. They claim they need to "troubleshoot SSO issues", "update MFA settings", or resolve some other problem that requires the employee to act.
- The fake portal: The victim is directed to a look-alike login page (e.g., sso-company-internal.com) nearly identical to their real company portal.
- Real-Time theft: As the victim enters their credentials and Multi-Factor Authentication (MFA) code, the attacker captures them instantly.
- MFA bypass & account takeover: The attacker uses these codes to register their own device, giving them permanent, "trusted" access to your company's network.
- Broad exploitation: With trusted access established, the attacker freely accesses sensitive data in email and cloud storage, initiates fraudulent transactions, deploys ransomware, or sells the access to other criminal groups.
Why your two-factor authentication might not be enough
Many business owners assume that SMS-based two-factor authentication makes their accounts secure, but the ShinyHunters campaign demonstrates why that assumption is dangerous and routinely exploited. Attackers can sidestep such codes in multiple ways: through "MFA Bombing," flooding a user's phone with push notifications until they tap "Approve" simply to make them stop; by intercepting one-time codes in real time through a fake login portal before the code expires; or by convincing an employee over the phone to read their code aloud directly to the attacker.
How UHY’s Technology, Risk, and Compliance (TRC) Cyber Group Can Help
Our team helps clients move from "static defense" to a modern identity management approach. We ensure your business is not a "soft target" by focusing on the following:
- Implementation of true MFA: We help you move beyond 2-factor text codes to "phishing-resistant" MFA: authenticator applications (such as Authenticator, Google, or Bitwarden) that cannot be intercepted by a phone caller, plus additional factors like Face ID or fingerprint.
- Vishing simulations: We test your team’s readiness with controlled, safe "vishing" simulations to identify who needs extra training.
- Identity monitoring: We set up alerts for suspicious logins (e.g., a login from a new device or unknown location immediately following a support call).
- Security awareness governance: We provide the documentation and reporting necessary to show regulators and insurance carriers that your staff is trained and your "human perimeter" is secure.
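The identity-monitoring bullet above, and the device-registration step in the attack walkthrough, are easiest to see as a concrete rule. The following is an added example, not UHY's code or any vendor's product: it runs over constructed help-desk call records and identity-provider sign-in events, flags a new-device sign-in that is followed shortly by MFA enrolment, and raises the severity when a support call for the same user was logged just before. The event field names and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from any real tenant); field names assumed.
SUPPORT_CALLS = [
    {"user": "alice", "time": "2024-05-06T09:02:00"},  # call logged by phone system
]
AUTH_EVENTS = [
    # alice: sign-in from a never-seen device, then a new MFA factor enrolled
    {"user": "alice", "time": "2024-05-06T09:11:00", "type": "signin", "new_device": True},
    {"user": "alice", "time": "2024-05-06T09:13:00", "type": "mfa_enroll", "new_device": True},
    # bob: routine sign-in from a known device, nothing else
    {"user": "bob", "time": "2024-05-06T09:20:00", "type": "signin", "new_device": False},
    # carol: same new-device + enrolment pattern, but no support call on record
    {"user": "carol", "time": "2024-05-06T10:00:00", "type": "signin", "new_device": True},
    {"user": "carol", "time": "2024-05-06T10:05:00", "type": "mfa_enroll", "new_device": True},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_suspicious_takeovers(calls, events, window=timedelta(minutes=30)):
    """Alert when a new-device sign-in is followed within `window` by MFA
    enrolment (an attacker registering their own device). Severity is 'high'
    if a support call for the same user preceded the sign-in within `window`."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["type"] != "signin" or not ev["new_device"]:
                continue
            signin_at = _ts(ev["time"])
            enrolls = [x for x in evs[i + 1:]
                       if x["type"] == "mfa_enroll" and _ts(x["time"]) - signin_at <= window]
            if not enrolls:
                continue
            call_before = any(c["user"] == user
                              and timedelta(0) <= signin_at - _ts(c["time"]) <= window
                              for c in calls)
            alerts.append({"user": user, "signin": ev["time"],
                           "mfa_enroll": enrolls[0]["time"],
                           "severity": "high" if call_before else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_takeovers(SUPPORT_CALLS, AUTH_EVENTS):
        print(alert)
```

In practice the call records would come from the phone system or ticketing tool and the sign-in and enrolment events from the identity provider's audit log; the rule is deliberately simple so it can be tuned to the volume of legitimate device changes in your tenant.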
If you rely on SSO and cloud apps, the human element is your new "perimeter." UHY’s TRC team provides independent validation and advanced tools to ensure your employees don't accidentally hand over the keys to your business.
Contact Our Technology, Risk, and Compliance Professionals