Jamie Davis, Education Manager
Bank Employee: “Hello, XYZ Bank.”
Caller: “Good morning, can I speak with JoAnne in charge of IT?”
Bank Employee: “I’m sorry, she is out this week.”
Caller: “Well, maybe you can help me. I’ve known JoAnne for years. I even worked with her for a short time, years ago. I have started a new technology company and wanted to drop off some gift cards to Starbucks and tell her about my new company. I’ll be sure to drop by and give you a card for some coffee too. What was your name again?”
Bank Employee: “Thanks! It’s Joe. I stop by there every morning, so that would be awesome.”
Caller: “No problem Joe. I’m more than happy to help anyone JoAnne works with. Can you tell me something real quick before you pass me to JoAnne’s voicemail? Whom does your company use for IT support? I would love to do some research on them before I meet with JoAnne. Just want to get a feel on if I have a chance or not and how big that gift card needs to be (laughs jokingly).”
Bank Employee: “Sure, we use….”
Although your employee doesn’t know it, he or she may have just been part of a social engineering scheme. The caller may actually know JoAnne and intend to make a sales call, or he might have called in five minutes ago and gotten JoAnne’s name from another employee. If the latter is true, he is now more than likely very close to using this information to his advantage at your bank. Not only does he know that JoAnne is the Administrator and is not currently at the bank, but he also knows the company that does IT support for your bank. He can now walk in and drop the right buzzwords to put all your employees at ease. When he approaches the CSR in the lobby claiming that JoAnne asked his company to come out and install a software upgrade, what will her response be? Did Joe even recognize what just happened, or follow up with JoAnne about the call? Did he get the caller’s name or number and pass it along?
In today’s environment, you can come across as either paranoid or lax. Unfortunately, what was probably paranoia five or ten years ago is now a healthy respect for reality. In my time at Safe Systems, I have only been asked a handful of times to provide credentials or gain confirmation from the Administrator that I was there per the bank’s request. Though a well-trained and lucky con can fool just about anyone, employees with good procedures in place and the appropriate training can increase your security and decrease a con’s chances of being successful.
Be sure your employees understand how the most common social engineering scams work. Train them on what information is appropriate to provide over the phone and what information only certain individuals should disseminate. The Administrator or manager should first confirm the identity and purpose of anyone who calls or approaches an employee about working on his or her computer. Access by suspicious contractors should be monitored at all times. The printer technician should not be given unmonitored access to equipment unless he has been there before or the validity of his identification has been established. I have been to some banks where every visitor is accompanied for the whole time they are in the bank. This is possible in some circumstances but might not always fit your bank’s setup.
Though you cannot prepare your employees for every situation that could happen, you can set the appropriate rules in place to limit your risk. The more training and reminders employees receive, the less likely a targeted attack on your bank will succeed.