The Future. Last week, MGM Resorts, whose portfolio encompasses 31 hotel and gaming destinations around the world, reported a “cybersecurity issue” that wreaked havoc on its systems, forcing the company to downshift into manual mode to stay operational (think hand-written receipts). While there’s been no official confirmation of who hacked MGM or how, the supposed method, “vishing,” or gaining access to a system through a phone call, is a social engineering technique that many companies fall prey to. If the MGM hack has exposed the most vulnerable area of cybersecurity, it may be human nature… in other words, our gullibility.
Big con artist energy
Apparently, all it took was one convincing phone call to MGM’s IT help desk for hackers to obtain access to the company’s systems, according to Vox.
- Hackers can learn a lot about a system, company, or employee just from what’s publicly available online. They don’t need more than LinkedIn profile information to pull off a believable impersonation.
- A vishing attack can be as simple as picking up the phone and making a request (like a password reset) with a sense of authority or urgency. Companies without verification processes to prove a caller is who they say they are might be the most vulnerable.
- Compared with phishing, which is done through email, vishing appears to be the easier and more effective way to breach an organization. A 2022 IBM report found that phishing attacks that included phone calls were three times more successful than those that didn’t.
Most industries are no strangers to ransomware attacks, but many companies still overlook vishing in their employee cybersecurity training and fail to check for vulnerabilities in their systems.
Once they realize one good social engineering technique is enough to crush even the best defenses, they can better protect themselves… and us, the consumers.