Social Engineering

If the "IRS" calls...

The “IRS” called me last week stating that they just audited my 2017 returns and that I owed them $1627.59.  The caller indicated that I needed to make a payment quickly or the police would be coming to my house to arrest me.  The caller then asked for my social security number to verify that they reached the right person.  Bells started ringing in my head – but it was 28 degrees outside and it was one of the few days that I had no pressing deadlines and I wanted to have a little fun.  So I made up a 9 digit number.  The caller asked me to repeat it and then confirmed that yes they were looking at the correct tax return.

The caller then asked how I would like to pay this overdue amount, and suggested I give him my credit card number.  I sadly informed him that my credit card was maxed out and that I was currently only able to make minimum payments having recently lost my job.  He then suggested that I get a debit card.  I told him that would need to get a loan from the bank for that much money.  He asked my how long that would take and I told him a couple of days at least.  He then got a bit angry and told me that I had 24 hours to get the money or he was going to send the police over and they would start foreclosure proceeding on my house.  He would call back tomorrow.

After he hung up I called the IRS tax fraud department at 1-800-366-4484 and reported the incident.

Cyber Crime Tape

Which Calls are Legit?

I was feeling pretty smug about myself – knowing this was a scam from the get-go but then I got to thinking what if I was at work and got a call asking for information about the people there or our network – would I be so savvy?

I subscribe to a number of online security magazines, go to tradeshows, conferences, etc.  All of these activities require that I provide a contact name and number, so I get a number of outside calls each week asking for information about my organization.  It is important to understand that not every outside call is a social engineering attack, but all calls that you don’t originate in which the caller asks for information about your organization should be carefully answered so as not to reveal information that may lead to an attack.  The following are some examples of phone calls that I have handled in the past.

Sample Unknown Caller Responses

A caller asks to speak to an employee that is no longer with the organization.  The employee is usually in the IT organization.  I usually reply that individual is no longer with the company.  No, the position has not been backfilled.  The individual usually asks for my name, to which I ask – if you don’t know who you are calling, how did you get my number?  The usual response is I was forwarded to this number by the receptionist/or automated menu options.  At that point, I provide my first name and say that I can’t be of further assistance.  Then I add that number to my list of do not answer list.

A caller states they are with a trade magazine and needs to do a survey to continue my subscription.  The caller then asks for my full name.  I usually reply since you called me to continue my subscription why don’t you tell me who you called and I will confirm if that is correct.  If there is a long pause then I hang up.  If the caller does state my full name then I confirm my identity and will continue the survey.  I will respond to size of the organization, and what my role is recommending products or technologies but I will not answer questions about specific network products that are used, operating systems we use or if we use a specific cloud service. 

A caller states they are looking to speak with a current employee within the organization.  Since I don’t know if that employee really wants to speak with the person on the line, I ask for that person’s phone number and state that I will give that person the message and he/she will call back.  If the caller persists in asking for the number I simply state we are not permitted to give out employee phone numbers.

In each of these scenarios I try to be helpful without revealing much information about the employees or the IT infrastructure of the organization.  Many people fall victim to social engineering attacks because they want to be helpful.  Basically the rule of thumb should be if you don’t know the person calling you should never reveal anything but the most common information.

Why Choose ASCERTIS Solutions

ASCERTIS Solutions can conduct a security assessment of a small business in a week and provide a roadmap for your company to implement a cyber defense strategy that fits your budget.  Trained security professionals can be hired on a part-time basis to fill the role of Chief Cyber Security Officer (CISO) to assure that your roadmap is implemented in a timely and cost-effective fashion. 

If interested, please contact [email protected].