Forget passwords, you are the biggest threat to yourself

May 19, 2010, 09:05
Alan Ogden


Would you give your personal details out over the phone? Of course not! But what if the call was from your utility or phone provider and needed to discuss your account?

Social Engineering: the art of obtaining details, sometimes only in part, from a target subject in order to impersonate them or gain access to critical information that facilitates fraudulent activity.

The stuff of cybercrime books and films? Think again. Let’s run through an example.

Your phone rings one evening from a ‘withheld’ or ‘unknown’ number.

Good evening Sir/Madam, this is Chris from , may I confirm your details before we proceed?

In the UK at least, the above question is fairly common if you receive a phone call from a utility or phone provider. As per the Data Protection Act the company in question needs to be sure they are talking to the correct person in order to discuss account information.

Flip this around, though: if this person is not from the company in question and is attempting to gain further details from you, how can you confirm they are who they say they are? It is surprisingly trivial to obtain the information needed to place this phone call to you. They need two pieces of information:

  • Your phone number
  • The name of your electricity provider

We’ll get to how anyone can get this information later. Suffice to say, most people would happily give the information without a second thought.

May I take your date of birth?

Fairly harmless you think. No problem.

Can you confirm your security password?

Again, many companies ask you to set a default account password precisely to facilitate this phone authentication. Usually it’s drawn from a set of predefined questions such as “Place of birth” or “Mother’s maiden name”. The answer can usually be reverse engineered quite easily: if the reply is ‘Potter’ it’s fairly obvious which question was answered, versus a reply of ‘Bristol’.

So suddenly, without much effort, a potential fraudster has additional information about you that they would not otherwise have had: your date of birth and your security question answer. Not bad for 20 seconds’ work.

With the above in mind, and the fact that you are now ‘authenticated’, it’s not hard to imagine that your credit card or bank details could be obtained, at least in part. A new deal perhaps? Or some arrears on your account that need to be cleared? A sweeping statement perhaps, but I’m sure everyone reading this (with the best thoughts at heart) knows at least one person who would fall for this.

How could the fraudster get hold of your phone number and provider name? Well, the answer is a load of rubbish… literally. Think about how much paper you throw away. Do you have a shredder? Do you religiously shred everything you receive?

Of course shredding paper won’t make you secure. Loose lips could cost you as well. Have you ever talked about utility suppliers in passing over a glass of wine or a beer? Ever given someone your phone number? Ever left a business card lying around by mistake?

Far from being a scaremongering first post to this site, I hope that it brings just a little bit of awareness into our lives. Information matters, and it’s bandied around quite freely.
