
Low tech phone scams easier than attacking servers for private information

Thursday, July 9th 2009 @ 7:56 AM

Whenever you get a call from somebody saying they are calling from the government, a bank or a supplier's security or accounts receivable department, you might have to be a little bit rude.

More and more often, scammers are finding ways to convince employees or individuals that they are with some organization of authority that commands respect. Many people don't want to joke around or give the government a difficult time, so they answer all the questions dutifully. But that's risky these days. You have to interrupt and make sure you are really talking to whoever they say they are.

In one scenario, described in Brian Krebs's Security Fix blog, the scammers use a conference call to create a pretty slick attack with a convincing situation.

The scammer calls a victim, claiming to be from the security department of the victim's bank. The scammer then puts the call into conference mode, calls the real bank's fraud department, puts the victim's side of the call on mute, and simply passes the victim's answers through to the verification questions asked by the bank. In many cases, that is all the attacker needs to gather in order to later launch an identity theft attack, or some other attack to gain more access to the organization's sensitive assets.

I recently had a call from the Canadian Government. The first thing they said was they needed to verify information to make sure they were talking to me. I said, "I have the same problem as you. How do I know you are calling from the government?" Fortunately, they have a process in place to deal with this that most people don't know about. They will tell you to call 1-800-O-Canada, which is the main helpdesk line for the GoC, and verify their callback number. You can then verify the number and call it back to see why they were calling in the first place.

[As a side note, in fact, while they had the process right, when I tried to do this, the main helpdesk said they were not able to verify the numbers, but they gave me another number for the department who initially claimed to be calling me. I was able to call it and finish the business with them. They then took a note to verify the process would work more smoothly in future. But they are on the right track. They should actually tell you this right up front, without you having to ask. They are assuming you will not bother to verify any caller's identity.]

It's a bit of a pain, but it can save you a lot of hassle if you start by asking the caller for a published number at which you can call them back, or some other way to verify their identity, before you give up any private information.


My live security awareness webinars are a quick and affordable way to provide your entire staff with professional quality security awareness training and education - whether it's general training or for specific teams or industries. I offer group rates and can tailor content to your specific needs. Please call or email me at the coordinates below, or CLICK HERE to see my training webinar catalog.

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec


Copyright 2012. Security Perspectives Inc. All Rights Reserved.