The Art of Deception: Controlling the Human Element of Security - Kevin D. Mitnick [108]
Even when a company has an established procedure that the employees follow carefully for verifying callers, sophisticated attackers are still able to use a number of tricks to deceive their victims into believing they are who they claim to be. Even security-conscious employees can be duped by methods such as the following.
THE MISLEADING CALLER ID
Anyone who has ever received a call on a cell phone has observed the feature known as caller ID—that familiar display showing the telephone number of the caller. In a business setting, it offers the advantage of allowing a worker to tell at a glance whether the call coming in is from a fellow employee or from outside the company.
Many years ago some ambitious phone phreakers introduced themselves to the wonders of caller ID before the phone company was even allowed to offer the service to the public. They had a great time freaking people out by answering the phone and greeting the caller by name before they said a word.
Just when you thought it was safe, the practice of verifying identity by trusting what you see—what appears on the caller ID display—is exactly what the attacker may be counting on.
Linda’s Phone Call
Day/Time: Tuesday, July 23, 3:12 P.M.
Place: The offices of the Finance Department, Starbeat Aviation
Linda Hill’s phone rang just as she was in the middle of writing a memo to her boss. She glanced at her caller ID, which showed that the call was from the corporate office in New York, but from someone named Victor Martin—not a name she recognized.
She thought of letting the call roll over to voice mail so she wouldn’t break the flow of thought on the memo. But curiosity got the better of her. She picked up the phone and the caller introduced himself and said he was from PR, and working on some material for the CEO. “He’s on his way to Boston for meetings with some of our bankers. He needs the top-line financials for the current quarter,” he said. “And one more thing. He also needs the financial projections on the Apache project,” Victor added, using the code name for a product that was to be one of the company’s major releases in the spring.
She asked for his email address, but he said he was having a problem receiving email that tech support was working on, so could she fax it instead? She said that would be fine, and he gave her the internal phone extension to his fax machine.
She sent the fax a few minutes later.
But Victor did not work for the PR department. In fact, he didn’t even work for the company.
Jack’s Story
Jack Dawkins had started his professional career at an early age as a pickpocket working games at Yankee Stadium, on crowded subway platforms, and among the nighttime throng of Times Square tourists. He proved so nimble and artful that he could take a watch off a man’s wrist without his knowing. But in his awkward teenage years he had grown clumsy and been caught. In Juvenile Hall, Jack learned a new trade with a much lower risk of getting nabbed.
His current assignment called for him to get a company’s quarterly profit and loss statement and cash flow information, before the data was filed with the Securities and Exchange Commission (SEC) and made public. His client was a dentist who didn’t want to explain why he wanted the information. To Jack the man’s caution was laughable. He’d seen it all before—the guy probably had a gambling problem, or else an expensive girlfriend his wife hadn’t found out about yet. Or maybe he had just been bragging to his wife about how smart he was in the stock market; now he had lost a bundle and wanted to make a big investment on a sure thing by knowing which way the company’s stock price was going to go when they announced their quarterly results.
People are surprised to find out how little time it takes a thoughtful social engineer to figure out a way of handling a situation he’s never faced before. By the time Jack got home from his meeting with the dentist, he had already formed a plan. His friend Charles Bates