There’s something so satisfying about getting an email that was clearly lovingly crafted with me in mind as the sole recipient. “Dear Sir/Madam!” Surely this isn’t spam. They must be a legitimate business contact, how else would they have known my preferred greeting was Sir-slash-Madam? If all phishing and fraudulent emails were this poorly done, it would indubitably be easier to tell the real from the fake. Sadly, they don’t all share this obvious level of quality.
Recently I answered a call at the office, took a look at the caller ID and didn’t recognize the number. That wasn’t strange in and of itself, since I’m a point of contact on several phone lines it isn’t uncommon for me to see numbers I’m unfamiliar with. When I picked up the phone and glanced at the screen I was surprised to see as many numbers as I did, they showed up almost separately but in a very long string of text.
I barely had time to thank them for calling and state my name before a woman yelled at me. Yelled. Actively hostile, clearly trying to convey that whatever she was about to tell me was urgent. She gave me her first name, but didn’t tell me where she was calling from. She then proceeded to tell me that she was calling regarding my company’s printer and that she needed the serial number and several other pieces of what I would consider to be sensitive information due to an emergency she had been contacted about by someone at my company.
Unfortunately for her, she didn’t realize I would have been the most likely candidate to report an “emergency” or the need for service on a machine so I was already suspicious. I asked politely what company she was calling from and she would only answer “Your printer company!” Sorry, that’s not good enough for me. Not to mention if you really were calling from there, you would most likely show up on my caller ID. Still, I asked her to clarify what company that was – on the off chance this was a legitimate issue and I was genuinely just unaware of it.
The situation seemed to be escalating and her response to my second question was extremely confrontational and given with a raised voice. “Ma’am, it’s the number on the front of the machine. Give me that number.” Though I was taken aback by her rudeness, I remained calm and politely informed her that while I was aware of what a serial number was and of its location on the device in question, I would be unable to provide her with any information regarding the machine without a clear answer as to where she was calling from, the issue that had been reported and who had reported it. She hung up on me.
My next step was to report the call to our Senior Security Analyst and a coworker of mine at ADNET. As a Certified Ethical Hacker (CEH), they were thrilled that I had not given the woman any information and asked me to let them know if we got any more suspicious calls. We did get several from different numbers and with slightly varied approaches, but I asked them all the same questions…and they all hung up on me.
According to them, being on a main phone line made me a prime target for this type of phishing scam. “Typically, as a social engineer, we specifically target company receptionists and/or administrative assistants as we know they are the keys to the kingdom: they usually have the most amount of communal information about people, devices, locations, etc. They are a goldmine of information.”
You can’t feel guilty asking someone where they’re calling from. If they’re a legitimate business, they EXPECT to give you those answers and are prepared for your questions. They want you to feel comfortable having a conversation with them and to feel like you’re doing it safely. If you got a call on your cellphone from a number you didn’t recognize, demanding you give them your online banking info – would you do it? Probably not. At the very least you would hesitate and do some digging. Any suspicious call, email, fax or text deserves that same courtesy.
Once you give away information, you can never really get it back. You’re always better off to be sure of what you’re doing before you actually proceed and put yourself or your company at risk.
A few tips on keeping yourself (and your company’s information!) safe:
- Before clicking on any link in an email, hover over it to make sure that it’s truly going to send to where it claims to send you.
- Don’t assume that just because a caller knows the name of 1 or 2 people in the company that gives them the right to insider information. It’s very easy to find out who company employees are via LinkedIn, Facebook and a barrage of other social media outlets.
- If you’re unsure if it’s a legitimate phone call or email message, it’s your responsibility to call back and verify prior to providing any information.
