In our last security blog, we introduced you to a new topic – social engineering. It’s a method scammers use to research a potential target, and it’s costing companies billions. No exaggeration! Last year, SnapChat and Seagate alone lost $21 billion.
Clearly, social engineering is serious stuff… and we don’t want you to fall prey to it!
So, we’d like dive a little deeper. Tech guru and CEO of Stickley on Security, Jim Stickley, explains more about a different form of social engineering – phone pretexting.
Other than email, phone calls are the most common way criminals target employees. Phone pretexting is when a criminal lies in order to obtain another person’s privileged or confidential information via phone conversations. Another common social engineering tactic over the phone is to impersonate a technical support representative. The objective is to install malware by getting the employee to install it themselves or have the employee give remote control of their PC to the scammer so the criminal can install the malware. Keep in mind that all of the major breaches that occurred in the past few years started with a single piece of malware.
A common form of phone pretexting attacks against financial institutions is when a criminal contacts the call center and attempts to impersonate another individual in an effort to gain access to the owner's account. Because of the great many breaches in the past few years, the attacker may know some of the potential victim’s private information such as name, address, and possibly even birthday and account number.
Controls have been put into place to ensure that employees conduct proper validation when speaking with any customer in the form of challenge questions. These questions have been specifically designed to thwart criminals from successfully impersonating customers. However, criminals can often be very convincing and attempt to use the employee's desire to offer quality customer service against the attacker's pretending to be an upset, concerned or disgruntled customer.
You must always remember that while customer service is important, the security of the customer’s information must always come first. If a caller cannot answer the challenge questions properly, then you must always assume they are a potential threat. When in doubt, escalate the call to a manager. If that is not an option, notify the caller that you are unable to validate them at this time and therefore will not be able to provide them any information. Be sure you document the incident and notify management.
Remember, criminals are skilled at attempting to manipulate the situation and may try different tactics including yelling, crying, and even trying to be your friend. They can be young, old, male, or female. You must always remember that the best customer service is keeping customer confidential information secure.
Because criminals know that financial institution employees are trained to avoid giving out confidential information without verification first, they may call several times. Each time they do, they are attempting to gather small bits of basic information. In many cases, they will attempt to avoid the verification question completely by simply acting like their question has nothing to do with security and will only take a second. This tactic allows them to learn many things about an account and then later use that information to appear more convincing when attempting to gain access to confidential information.
Remember that before you provide any information or answer any question no matter how basic about an account, the caller must always properly answer the validation questions first.
How DuGood Can Help
At our credit union, we want you to FEEL GOOD knowing that your money and your personal information are safe and secure. Interested in reading more blogs like this one? Be sure to visit our Security Center. You’ll find all kinds of helpful information there to help you stay ahead of the scammers.