Enabling Secure Business Operations

Social Engineering the Defensive

Telephones are unsecured, direct-access conduits to your users, and a caller can bypass passwords, encryption, and any other fancy technical protections.

Many people are confident they won’t fall for the “you’ve just won a million dollars, give me your bank account information so we can transfer the money!!” type of scheme. If it’s too good to be true (as they say) it usually is.

Put people on the defensive and these tricks work a little better.

The phone rings, you pick it up, and the caller identifies himself as an officer of the court. He says you failed to report for jury duty and that a warrant is out for your arrest. You say you never received a notice. To clear it up, the caller says he’ll need some information for “verification purposes”: your birth date, social security number, maybe even a credit card number.

Social engineering works because people are the weakest link in security. Training to protect against these attacks in a work environment is difficult, especially for positions that require many phone calls. Employees caught off guard, stressed, or disgruntled are particularly vulnerable.
