I had an odd experience yesterday. It is one I had only ever read about or seen in movies.
I was a target for social engineering. Yes, I feel dirty too. Fortunately, my suspicious nature kept me from following through, but I was alarmed at how easy and natural it would have been for me to provide the information that was requested.
The setup was simple: I received a call from an unknown number (this was the first clue that something wasn't right). The person on the line stated that she was 'Carolyn' from payroll (this was the second indication for me) and that there had been a 'glitch'. First off, I know of no one at my company named Carolyn. Add to that the fact that I am not the manager of our team. I'm not even the next lower rung. She followed up by saying that she was trying to get hold of several people in dealing with the glitch. She named two people whose phone information she was interested in getting. Normally this request wouldn't raise too many eyebrows; however, my company maintains an internal directory for just such a thing. With my spider sense riding the bellrope of WTF?! into a 9-star fire alarm of frenzy, I had a moment of clarity. I realized just how dangerous this scenario is. My natural predilection is to help in any way I can. After all, it is what I do on a daily basis. For someone unfamiliar with their company's personnel, it would be so simple to provide this information and think nothing more of it, but this simple request can do so much more. A telephone number can tell the requester where in the country the person lives. It also used to have the added benefit of narrowing that down to a specific region within the area, further reducing the work of finding where that particular person is located. Sounds like a relatively harmless thing, right? Well, sure, until you start looking at the huge list of missing persons all over the country.
In this case, I am pretty certain that the fisherman was a recruiter, so the information could have been used for something relatively harmless. The fact is, there is no way of knowing. Sadly, I was so floored by my own thought process at the time that I didn't do anything more than try to sound like a person who knew nothing and didn't have the information at hand, but I would have preferred to spar a bit, if you will, with the person on the line. I think it would have been entirely possible to blow down the house of cards they had built with their opening statements.
My final thoughts on the subject are these: Isn't it illegal to do something like this? If so, what are the ways I can combat this type of information gathering? And finally, if I find out who the person or persons doing this are, where do I go with this information? I don't have the answers, but I do have a question for you. Do you think you would be able to cut through the BS and determine that you were being scammed?
Stay vigilant with your information!
Knowledge is power.