Cannabis businesses are among the targets of a new form of criminal phone fraud called voice phishing, or “vishing” for short. The scam has grown alongside the shift to remote work brought on by COVID-19, and was the subject of a recent nationwide alert from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
While vishing has traditionally been aimed at telecommunications providers and internet service providers, the pandemic has broadened its reach to any company likely to employ workers who are active on social media.
Vishing scams are coordinated campaigns designed to obtain a company’s information through its virtual private network (VPN). Many companies now use VPNs as remote gateways for their work-from-home employees, intending them as a secure way for those workers to log into the company network from home. VPN providers also routinely point out that these networks let companies monitor their employees’ activity and detect data breaches.
Yet in practice, VPNs are vulnerable to bad actors who take advantage of remote employees. Once these attackers identify a target company — and dispensaries accepting virtual currency are a particular favorite — they identify people on its workforce and begin scraping their social media profiles for relevant information. Next, they create a login page that duplicates the company’s own VPN login page and host it on a domain they control.
The attacker then calls a remote employee and poses as an internal help desk or IT colleague with a security concern that requires logging in on a new VPN site. Armed with the personal information gleaned from social media, the attacker sounds legitimate, and the employee follows the request to log in on the fake VPN page. The attacker will also simulate two-factor authentication or a one-time password prompt for added credibility.
As a result, the attacker obtains the employee’s VPN login credentials, which are then used to access company information ranging from databases to financial records. This may be followed up by a ransomware attack. All the while, the unsuspecting remote employee has no idea the network has been compromised.
Any cannabis business with remote employees needs to take special precautions against vishing, including clear guidance to staff never to visit an alternative VPN URL on the strength of an incoming phone call alone. VPNs can also be hardened with hardware checks or installed certificates that add an additional entry layer on top of the user’s password.
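The “never visit an alternative VPN URL” guidance above is easy to state but hard for a person to apply under pressure on a phone call, because lure addresses are built to look right. The following is an added example, not code from the original article, of an allowlist check a help desk or security team could run against any URL an employee was asked to use. The hostname vpn.example-dispensary.com and the sample URLs are constructed placeholders; the check handles the common tricks (a trusted name embedded in a longer domain, a name hidden in the userinfo part before an @, punycode labels, and one- or two-character typosquats) and reports which ones deserve an incident report rather than just a refusal.

```python
"""Allowlist check for VPN login URLs (added example, not part of the article).

The hostname vpn.example-dispensary.com is a constructed placeholder for a
company's real VPN portal; replace it with the genuine hostname.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the only hostname staff should ever enter VPN credentials on.
TRUSTED_VPN_HOSTS = frozenset({"vpn.example-dispensary.com"})


def parse_host(url: str) -> Optional[str]:
    """Return the normalised hostname of an http(s) URL, or None if there is none.

    urlsplit() discards any "user:pass@" userinfo, so a lure such as
    https://vpn.example-dispensary.com@evil.test/ yields "evil.test", not the
    trusted-looking name that appears first in the address.
    """
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname          # lowercased; port and userinfo removed
    except ValueError:                 # malformed IPv6 literal and similar
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    return host.rstrip(".")            # "vpn.example.com." is the same host as "vpn.example.com"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value against a trusted host suggests a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_vpn_url(url: str) -> str:
    """Classify a URL an employee was told to log into.

    Returns one of:
      "trusted"     exact match on the allowlist
      "lookalike"   resembles a trusted host (embedded name, punycode label, or
                    within two edits) and so deserves an incident report
      "unparseable" no usable http(s) hostname
      "untrusted"   anything else
    """
    host = parse_host(url)
    if host is None:
        return "unparseable"
    if host in TRUSTED_VPN_HOSTS:
        return "trusted"
    for trusted in TRUSTED_VPN_HOSTS:
        if trusted in host:                      # e.g. vpn.example-dispensary.com.evil.test
            return "lookalike"
        if edit_distance(host, trusted) <= 2:    # e.g. vpn.exarnple-dispensary.com ("rn" for "m")
            return "lookalike"
    if any(label.startswith("xn--") for label in host.split(".")):  # IDN homograph candidate
        return "lookalike"
    return "untrusted"


# Constructed sample of URLs of the kind that might be read out over a phone call.
SAMPLE_URLS = [
    "https://vpn.example-dispensary.com/login",
    "HTTPS://VPN.EXAMPLE-DISPENSARY.COM./",
    "https://vpn.example-dispensary.com@evil.test/login",
    "https://vpn.example-dispensary.com.evil.test/",
    "https://vpn.exarnple-dispensary.com/",
    "https://vpn.xn--exmple-dispensary-0ta.com/",
    "https://203.0.113.5/vpn",
    "not a url",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(f"{classify_vpn_url(sample):12s} {sample}")
```

The design point is that the check trusts only an exact, normalised hostname match and never a visual resemblance: the userinfo lure resolves to the attacker’s real host and is simply untrusted, while anything that merely resembles the company’s portal is escalated as a lookalike so the security team learns that a campaign is under way.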