
Casino Cyberattacks: A Wake-Up Call on the Threat of Vishing

As casinos and businesses in general increasingly rely on digital technology, they are becoming more vulnerable to cyberattacks.

One of the most dangerous vectors is vishing, a form of social engineering that uses phone calls and voice chat to deceive victims. Voice phishing differs from traditional phishing attempts, which occur over text message or email.

Businesses must be aware of the risks posed by vishing calls, whaling, and other phishing techniques and take steps to protect themselves.

This article provides an overview of recent casino cyberattacks, discusses how attackers use vishing tactics, and suggests ways businesses can protect against this threat with security awareness training and mitigation strategies.

Overview of Casino Cyberattacks

The casino industry is no stranger to cyberattacks, and recent attacks show how damaging they can be for this industry. Reports suggest vishing has recently become a popular attack vector used to target gambling businesses.

Early reports confirmed by Okta suggest at least one of the recent casino breaches was a part of a string of 5 incidents conducted by a group known as Scattered Spider. The attackers tricked the IT helpdesk to gain access to the networks.

Two casinos publicly associated with these attacks include MGM and Caesars. Caesars opted to pay the $15 million ransom demand. This is despite the fact that authorities such as the FBI discourage companies from paying the ransom.

On the other hand, MGM suffered downtime after they refused to pay the ransom.

As such, organizations must be aware of the potential risks posed by this type of attack and take steps to protect themselves. This includes educating employees about the dangers of vishing, monitoring suspicious activity on their systems, and responding quickly if they detect something out of the ordinary. 

With appropriate preparation and awareness, companies can better protect themselves from malicious actors looking to exploit vulnerable employees or confidential data.

The Risk of Vishing in Businesses

The risk of vishing or phishing attacks in businesses is an ever-growing concern. 

Vishing uses social engineering via voice chat or phone calls to manipulate employees into providing sensitive information or access to systems. 

Attackers can use vishing for a variety of reasons, from gaining access to confidential data such as passwords and financial information, to establishing an entry point for installing malware on computers within an organization's network.

To protect against vishing, businesses must be proactive in educating their teams about the risks posed by these attacks. Companies should implement security awareness training so that employees are aware of how to recognize and respond to vishing attempts when they occur. 

Moreover, companies should also monitor suspicious activity and have a response plan ready in case any incidents are detected. It's important to stop a security incident before it becomes a breach.

It is also important for businesses to be prepared in the event that a successful attack does occur. Implementing appropriate measures such as data backup, password policies, and access control can help minimize damage. Additionally, organizations should have a breach response plan in place for informing customers if their data has been compromised due to a successful attack.

By understanding the tactics used by attackers and implementing appropriate measures, businesses can better protect themselves from the threat of vishing. Furthermore, with the proper preparation and security awareness training, businesses can help ensure they remain secure from attackers looking for any opportunity they can find to exploit weaknesses in their infrastructure.

Common Vishing Tactics Used by Attackers

Vishing attacks can take multiple forms, all of which are based on the use of social engineering techniques to acquire sensitive information from unsuspecting victims. 

Attackers may pretend to be customer service representatives or government agencies, attempting to obtain private information such as password credentials by phone. Additionally, in the case of the recent casino attacks, attackers contacted the company's IT helpdesk to gain access. This is similar to spear phishing, where attackers target specific employees in an effort to access confidential data.

For cybercriminals to successfully launch vishing scams, they must first gain access to their target's contact details - this could be done through exploiting weaknesses in the system or accessing publicly available contact information. Thus, it's important that companies shield potentially sensitive information, such as their help desk contact information, from public view.

Other tactics often seen in these attacks include:

  • The attacker will create a sense of urgency.

  • Robocalls target many different phone numbers.

  • Scammers ask for personal details such as credit card numbers, bank account details, Social Security numbers, or other information for identity theft.

Businesses should be aware of the potential risks posed by vishing and take steps accordingly. This includes educating employees on how to identify suspicious activity and having a response plan ready in case any attempts are detected. By executing security awareness training programs and monitoring for suspicious activity, organizations can better protect themselves from malicious actors using vishing tactics.

Preventing Vishing: Security Awareness Training

Businesses must take proactive measures to protect themselves from the danger of vishing. 

One key step in doing so is security awareness training. This should include instruction on the most commonly used tactics that attackers deploy. It’s important to highlight to employees what types of information phishing attempts may seek and how to identify suspicious activity or requests. 

To ensure maximum protection against these threats, organizations should have policies requiring authentication of all incoming requests before any action can be taken, as well as an appropriate response plan for incidents that arise.

By arming employees with the knowledge and skills needed to recognize and respond appropriately when faced with a potential vishing attempt, businesses can help keep customer data safe from malicious actors. Security awareness training is an invaluable tool for protecting against the threat posed by vishing attacks.

Preventing Vishing: Incident Alert and Breach Prevention

In order to prepare for the possibility of vishing, companies must take proactive steps to protect themselves beyond awareness training. 

Companies should be prepared with an actionable response plan in the event that a vishing attack is detected, and should also establish security protocols and access control policies that are designed to prevent such attacks from occurring in the first place.

Additionally, investing in cyber liability insurance can help offset any costs associated with mitigating damage caused by successful attacks. Taking these precautionary measures can help ensure that your business is protected.


To sum up, recent cyberattacks against casinos show that cybersecurity should not be taken lightly, and vishing can be a dangerous vector for these attacks.

Companies must take proactive steps to protect their digital environments, such as implementing security awareness training and proper mitigation strategies. Additionally, access controls and authentication can help provide an extra layer of protection against malicious actors attempting to exploit vulnerable sources.

In conclusion, taking these proactive steps will not only help protect digital systems but also reduce any potential damages associated with successful attacks.

About Jacob Fox
Jacob Fox is a search engine optimization manager at Cobalt. He graduated from the University of Kansas with a Bachelor of Arts in Political Science. With a passion for technology, he believes in Cobalt's mission to transform traditional penetration testing with the innovative Pentesting as a Service (PtaaS) platform. He focuses on increasing Cobalt's marketing presence by helping craft positive user experiences on the Cobalt website.