There is news about identity theft and data breaches almost daily, and the reports normally come with protective measures to adopt and implement.
Those measures usually consist of password security, document shredding, using antivirus software, and so on. They are all worthwhile measures to implement. However, one thing that always seems to be missing from the list is protection against scammers who choose a more direct approach to carrying out their malicious intentions.
The direct approach targets the weakest link in any security program. That weakest link is people. Scammers will often obtain the information they need to carry out their plan, or gain access to unauthorized areas, simply by developing a scenario and acting it out in order to persuade a target to release information or comply with whatever request is made. This type of attack is referred to as pretexting (Hadnagy, 2011, p. 78).
Pretexting can be complex and involve hours upon hours of research and preparation. It can also be simple and still be very effective.
Pretexting will often involve the scammer taking on a different identity. When a scammer takes on a different identity, they can simply claim to be someone they are not over the phone, or they can act and dress like someone else. For example, a scammer may call a target and claim to be from a utility company, or they may obtain a utility company's uniform and make face-to-face contact with the target.

People generally trust other people. When a scammer takes advantage of that trust and combines it with other tools, they are usually effective at getting most people to do what they ask, especially if the scammer develops a strong plan and rehearses it.

It is scary stuff, and you are probably thinking about never trusting another person again. That is not the intent of this post. The intent is to make you aware of the attack method and to practice the following when confronted by someone you just met who is asking you for information:
1. Follow your organization's policies and procedures for relinquishing information.
2. Verify the person's identity independently, for example by calling the company back on a number you look up yourself rather than one the caller provides.
3. If it just does not feel right, refrain from relinquishing any information and report the incident to the proper authorities immediately.
References
Hadnagy, C. (2011). Social engineering: The art of human hacking. Indianapolis, IN: Wiley.