Who Is On The Phone?

When I was in college, I remember studying in my general psychology class an idea that people are basically good. I believe this was Carl Rogers, but I honestly do not remember. At that time, I had a hard time with this concept. If, in general, we agree that we should respect our parents, not murder, not sleep around, not steal, not lie, and not be envious of others, then why is it that mankind tends to fail more often than succeed at these? After all, who has not done some of these things at one time or another? How often do we excuse ourselves of these transgressions, but find fault in others who have failed at them as well?

From my experiences, especially in security, I tend not to see our human nature in such an optimistic light. I tend to believe that when push comes to shove, human nature will look out for number one over looking out for others. Sure, there may be exceptions to this, but in general this is the behavior I have observed more often than not.

If this is sounding harsh or you think I am overreacting, I have just achieved my goal: I have your attention now. I am not overreacting as much as the start of this might seem, but if you do not look carefully at some events, you may become a statistic. Datafloq reported that in 2017 there was a 79% success rate in social engineering attacks. It also reported that about 83% of all the companies it looked at had experienced phishing attacks. The same report showed that 49% had experienced SMS and voice phishing. (https://datafloq.com/read/social-engineering-attacks-numbers-cost/6068) Just a couple of years ago there was a large number of arrests in India for social engineering calls to the U.S. and Canada. (https://securityboulevard.com/2018/12/126-arrests-the-emergence-of-indias-cyber-crime-detectives-fighting-call-center-scams/) At the levels these events occur, and with the number of people involved, does it look like humans are basically good? After all, is there ever a time when stealing is a good thing?

Social engineering is a big business, costing consumers lots of money each year. The only way to reduce this is by spending more time educating people on how to spot these bad actors and how to walk away before they become a victim. The first rule is simple: banks, credit card companies, Apple, ISPs, and other businesses that have access to part of your finances will not send an E-Mail, or call you on the phone, just to say your account is locked and you need to sign in to unlock it. Ignore these calls and E-Mails. The newer approach I have been seeing more and more of is a robocall that states your Windows license is out of date, or that the business you purchased your security software from has closed and they want to get you a refund. You are asked to press 1 to talk to someone about the problem. If you get this message, just hang up; do not waste your time. Also, the IRS will never call you about back taxes or have the police call you, so do not talk to these people either.

If a person should get you on the phone, ask that person specific questions. For example, if I get a call about my Windows license, the first question I ask is “Are you from Microsoft?”. Many times I will be corrected and told they are from Windows. If this is said, hang up: only Microsoft has Windows, and if they are not going to say they are from Microsoft, they have just confirmed they are a bad actor of some type. Sometimes I will be told yes, it is Microsoft. Since I always check my caller ID, and the phone number is never from Microsoft, I ask why the caller ID did not show Microsoft. With these questions the person on the other end of the line may hang up. If they don’t, and continue to insist they are from Microsoft, I ask for a phone number that I can call back on. If they give me a number, it has never been a real number, but it gives me a way to get off the phone. The important thing is that I play this game because I am following good security practices, and I hope that the person on the other end is paying attention. I am always hoping that the caller may one day figure out that what they are doing is wrong and quit. I know this may sound odd, but I see my job as planting the seed; I cannot grow or harvest that seed, but I hope that one day that will happen.

Another social engineering attack I have started seeing again is someone calling claiming to be my grandson or granddaughter. This is very funny, since I have no grandchildren. However, from what I have been reading, this is a very common call, especially for the older generation. I have also read many stories of high losses to this attack vector. This is another time where someone is on the phone, so spend time verifying the caller. Ask the caller specific questions, such as what my favorite color is. These questions show you are verifying the information you are given.

Another way to identify these social engineers is if they ask you to purchase gift cards. Understand: if you are being asked to get a gift card, there is no way that is a real business. WALK AWAY. Never buy a gift card just to follow the instructions of someone on the phone.

Keep in mind that these social engineers will always want something done right now. If you ask them to wait a couple of days, they will push you not to wait. This is another key indicator that the call is not real, but a bad actor. In short, if you are not sure, just hang up and end the call.

My work in security has shown me that I cannot take people I do not know at face value. I am constantly reminded that many people are out there trying to steal if they can get away with it. As much as I would like to believe that people are basically good, the actions I see from people make me believe that many people look out for themselves first, and I cannot see how that is good in any form.

In short, if something seems out of place, it most likely is. There is nothing wrong with trying to verify anything someone tells you on the phone. Most security experts will tell you that if a business calls out of the blue, it is best not to say anything to the caller until you verify that the call is from the business they claim to be. The best way to do this is to get a phone number and use a reverse phone number lookup to see if the number you were given belongs to that business. Then, and only then, call the number back. In any other case, forget the call ever happened. Doing these things will help to keep you from becoming another statistic.