ICFE eNEWS #18-18 - August 2018
Social Engineering - Exploiting the
By Yan Ross, Director of Special Projects, ICFE
With thanks and acknowledgement for the good works of the
Herjavec Group on cybersecurity challenges, we report this week
on a verified case of social engineering. The incident was
carried out on a "white hat" basis against a leading cell phone
company. The video of the event is posted here.
than 2 minutes into a phone call to customer service, the hacker
is able to secure sensitive information about the real account
holder. Even worse, the hacker adds herself and another family
member to the authorized user profile on the account.
Note the posted comment from the real owner of the phone
account: "It's amazing how quickly you can 'hack' into someone's
accounts without touching code. No amount of technology is going
to stop this."
It's worth noting the techniques used to add
urgency to the call: time constraints on the
caller's end and the emotionally charged recording of a crying
baby. It's all calculated to distract the customer service
representative from the unauthorized nature of the call and
to emphasize how much the caller needs help.
identity theft and cybersecurity side, several questions arise,
• What training did (or did not) the customer
service representative receive in order to avoid falling for
• What cybersecurity or programming
defense could be used to intervene?
• What other activities
or industries are subject to this same type of social
• What training programs are available to help
employees avoid this scam?
From the individual company
perspective, several more questions arise, including:
training and educational resources do we provide to our
• How do we coordinate between the IT and security
departments of our organization?
• How often do we conduct
training exercises for employees who have access to the company
servers and/or receive outside calls and visits?
outside resources do we call upon to assist in setting up
defenses against this type of exploit?
Any responses that
rely on "It can't happen here," or "Our IT office has that under
control" are simply inadequate. Statistics from various studies
have consistently shown that the majority of data breaches are
rooted in human vulnerabilities and human failure to institute
and enforce appropriate training and compliance procedures.
The takeaway: It's incumbent upon all elements of the
organization to participate actively in defending against
identity theft and cyber attacks. Human resources, for instance,
can't just rely on the IT office to solve the problem,
especially when social engineering is the method and no code or
computer programs are involved in the exploit.
baseline training program, with frequent updates, can provide a
defense adequate to avoid social engineering and individual
manipulation scams like this one.
Ross is ICFE's Director of Special Projects, and the author of the
Certified Identity Theft Risk Management Specialist ® XV CITRMS®
course. As an accredited educator for over 20 years, he has addressed
Identity Theft Risk Assessment and management for consumers, organizations
holding personally identifiable information, and professionals who
work with individuals and organizations who are at risk of falling
victim to identity thieves.
Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)
About the ICFE:
The Institute of Consumer Financial Education (ICFE) was founded in 1982 by the late Loren Dunton (creator of the Certified Financial Planner (CFP) designation). The ICFE is dedicated to helping consumers of all ages to improve their spending, increase savings and use credit more wisely.
The ICFE is an award-winning, nonprofit consumer education organization that has helped millions of people through its education programs and resources. It publishes the Do-It-Yourself Credit File correction Guide, which is updated annually. The ICFE has distributed over one million Credit/Debit Card Warning Labels and Credit/Debit Card Sleeves worldwide.
The ICFE became an official partner with the Department of Defense/Financial Readiness Campaign in June of 2004. The ICFE was an active partner in the California Student Debt Resource Awareness Project (CASDRAP), which resulted in a new web site (studentdebthelp.org). CASDRAP disbanded in 2010, shortly after the web site project was completed. In 2011 the ICFE assumed sole sponsorship of the studentdebthelp.org web site and is now responsible for its content and operation.
The ICFE also offers online help for consumers who spend too much. ICFE's spending help was featured in PARADE Magazine in the Intelligence Report section. The money helps and tips are from the ICFE's Money Instruction Book, our course in personal finance.
Visit the ICFE's other web sites at www.financial-education-icfe.org and studentdebthelp.org. Both sites help consumers and students with mending spending, learning about the proper use of credit, budget and expense guidelines, how to set up and implement a spending plan, how to access financial education courses, and how to teach children about money. Other ICFE services include Ask Mr. G, a free eNews, an online resource center for students, parents and educators, financial education learning tools, and a book store.