Solutions
Social Engineering Attacks
Counter Social Engineering Attacks
Social engineering uses techniques such as vishing, phishing and pretexting to manipulate an enterprise's customer-facing employees into disclosing information or taking actions they should not.
Pretexting is used by private investigators and others to obtain telephone records, utility records, banking records and other information directly from company service representatives. Each piece of information obtained this way can then be used to establish even greater legitimacy under tougher questioning from a manager (for example, to make account changes or obtain specific balances). Pretexting can also be used to impersonate co-workers, police, a bank, tax authorities, contractors or insurance investigators: any individual who could have perceived authority or a right to know in the mind of the targeted victim.
No competent criminal would allow his or her true telephone number to be displayed to the targeted victim, so in many cases the first step a perpetrator takes is to use Caller ID spoofing to create the "trust" needed to socially engineer an enterprise's employee. As is often the case with social engineering crimes, all that is needed is a fake ID (a spoofed Caller ID), a voice that sounds authoritative, an earnest tone, and an ability to think on one's feet. The Caller ID display is merely asserted by the originating party and is not authenticated on its own, which is why spoofing it is enough to enable the false trust on which a pretexting or social engineering crime depends.
Use Case with TrustID: A perpetrator telephones the systems administrator of XYZ Bank. The calling number falsely shows one of XYZ Bank's trusted vendors: a known consulting company that the bank is using for a security audit. The perpetrator most likely learned the security company's name from a press release or a social networking site. Because the Caller ID shows the "security auditing company" as the caller, the call looks credible to XYZ Bank's system admin. The perpetrator asks the system admin to change a critical root password on a banking system (or to take some other step that opens access for the criminal). The system admin agrees, and the fraudster moves on to profit from the crime.
With the TrustID solution installed at XYZ Bank, the system admin's telephone could emit a special ring tone indicating that the caller is spoofing their Caller ID, and the Caller ID display would read "Spoofed." This heightened security notification, combined with the employee's training, would have denied the fraudster what he wanted, saved employee time, preserved the bank's brand and reduced financial loss for the bank and third parties. Even with such a warning in place, a request as sensitive as a root password change should never be acted on from an inbound call alone; the employee should hang up and call the vendor back on a number held in the bank's own records before doing anything.