As a call center manager, I'm worried that our agents could be duped by social engineering attacks like GoDaddy was recently. We just don't have the budget for security training for our agents, but what can we emphasize internally to identify phone phishing?
The social engineering scam on GoDaddy was part of a multistep attack to steal Naoki Hiroshima's valuable @N Twitter handle. The attacker started by calling the provider of Hiroshima's personal domain name (GoDaddy) and, using information collected beforehand, tricked the employee into redirecting the target's emails to the attacker. While the attacker didn't have all of the data needed to prove he or she was the legitimate account holder, the support person allowed the attacker to guess some of the information and was duped into believing the hacker. Once the email was redirected, the attacker used a password reset to gain access to Twitter and other accounts, which would be used as part of the extortion.
The method the attacker used with the GoDaddy employee is called pretexting. Pretexting received a lot of attention when a corporate investigation at Hewlett-Packard Co. went awry in 2006. CNN offered a number of tips following the investigation that are still applicable today and can also protect a call center employee from being duped.
Perhaps the easiest additional control enterprises can put in place to limit access to an account would be to require a password from the customer prior to making any account changes. Employees should also be instructed not to give out any information (including not telling callers what was wrong with the requested data). Properly training call center employees is critical. While it may be costly, that cost could pale in comparison to the potential expense of lost customers or negative press.
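One way a support tool could enforce the two controls above (a customer password before any account change, and never telling the caller what was wrong) is sketched below as an added example that is not from the original answer. The `CallerVerifier` class, the three-attempt limit, the message text and the account IDs are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3  # assumed policy value, not from the article
GENERIC_FAILURE = "Unable to verify the caller. No account changes can be made."


def _derive(passphrase, salt):
    """Salted, slow hash so the support database never stores the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


class CallerVerifier:
    """Hypothetical gate a support tool consults before unlocking account changes."""

    def __init__(self):
        self._accounts = {}   # account id -> (salt, passphrase hash)
        self._failures = {}   # account id -> consecutive failed attempts

    def enroll(self, account_id, passphrase):
        salt = os.urandom(16)
        self._accounts[account_id] = (salt, _derive(passphrase, salt))

    def is_locked(self, account_id):
        return self._failures.get(account_id, 0) >= MAX_ATTEMPTS

    def verify(self, account_id, supplied):
        """Return (allowed, the only text the agent may read to the caller)."""
        if self.is_locked(account_id):
            # Locked accounts answer exactly like a wrong guess, so the caller
            # learns nothing; unlocking is left to an out-of-band process.
            return False, GENERIC_FAILURE
        record = self._accounts.get(account_id)
        # Unknown accounts use a dummy record: same work, same answer.
        salt, expected = record or (b"\x00" * 16, b"\x00" * 32)
        matches = hmac.compare_digest(_derive(supplied, salt), expected)
        if record is not None and matches:
            self._failures[account_id] = 0
            return True, "Caller verified."
        self._failures[account_id] = self._failures.get(account_id, 0) + 1
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    v = CallerVerifier()
    v.enroll("acct-1001", "correct horse battery")  # constructed sample data
    for guess in ("spring2014", "fluffy", "hunter2", "correct horse battery"):
        print(guess, "->", v.verify("acct-1001", guess))
```

Because every failure returns the same message, the agent has nothing to reveal about which detail was wrong, and the attempt limit removes the repeated guessing that the GoDaddy caller was allowed.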