Social engineering scammers exploit people's inborn desire to help others

Have you ever received a phone call at work from a person who is looking for someone else?

The conversation may go something like this:

Caller: Hi, Joe. It's Bob. I wanted to talk to you about the meeting on the 15th.

You: I'm not Joe. You probably mean Joe in the finance department. His number is 555-5555. But he's out of the office today - would you like his mobile number?

This may seem like an innocent conversation, but if the caller was actually fishing for a private phone number, you have just handed it over in an effort to be helpful. Notice that the caller never asked for Joe's mobile number; you volunteered it.

What about a phone call that you receive at your home from a person who wants to verify a recent purchase?

Caller: Hello Mr. Smith, this is Bob from the hardware store. We need to confirm the expiration date on your credit card for the recent purchase you made.

You: I didn't make a purchase at your store.

Caller: Well, we have a card under your name ending in 1234. Are you saying that is not your card number?

You: No, that is not my card. My card number is 5555 5555 5555 5555.

D'oh!

By now you are probably aware of what happened here. The caller has used a technique known as "deliberate misinformation": they state something that is wrong, and let the victim's instinct to correct it supply the information they did not have. The caller never knew your card number; you gave it to them by correcting the wrong one.

This is a popular social engineering technique simply because it is so effective. It plays upon our humanitarian side, our wish to help others and to correct erroneous information. Often we respond so quickly that we never stop to consider the consequences.

When shown in print, it is easy for us to say that we would never fall for such a scam, but when presented in the correct context, a good social engineer can coax information out of even the most cautious person.

Sadly, social engineering scammers have created a new environment where we must suppress our inborn desire to help others.

Fortunately, you do not have to become a hardened and cruel person because of this. Just keep in mind that the next time someone wants to confirm incorrect information, all you need to do is tell them that the information is incorrect and offer nothing else. "That's not my card" is a complete answer; the correct number is not part of it.

If you are in an office and you receive a call from a person looking for a co-worker, transfer the call back to your receptionist who can handle the request. Many receptionists are trained in how to deal with phone scams.

In the case of a credit card caller, tell the caller that you will contact the bank yourself to correct any discrepancy. Do not call back the number displayed on the caller ID, as caller ID can be spoofed and the number is likely to be fake or controlled by the scammer. Look on the back of your credit card and call the number printed on the card.

You can still satisfy your humanitarian urges by being polite to the caller, and you can keep yourself safe by appealing to your security urges.



3 Responses

  1. Adam Hauter @ Sherly

    September 11, 2015 at 12:44 pm #

    Well it’s a common technique of stealing sensitive data. Unfortunately many many people aren’t aware of this and are able to easily give the credit card number etc. It’s like taking advantage of someone’s good heart or, as you wrote, humanity.

  2. JimmyDelta

    September 11, 2015 at 2:27 pm #

    "Seems like an innocent conversation"? Seems like a retarded conversation. Joe needs to junk-punch "You" for giving out his info.

  3. Anonymous

    September 12, 2015 at 11:17 am #

    Good advice.
