ICFE eNEWS #18-18 - September 13th 2018
Social Engineering - Exploiting the
By Yan Ross, Director of Special Projects, ICFE
With thanks and acknowledgement for the good works of the
Herjavec Group on cybersecurity challenges, we report this week
on a verified case of social engineering. The incident was
carried out on a "white hat" basis against a leading cell phone
company. The video of the event is posted here.
than 2 minutes into a phone call to customer service, the hacker
is able to secure sensitive information about the real account
holder. Even worse, the hacker adds herself and another family
member to the authorized user profile on the account.
Note the posted comment from the real owner of the phone
account: "It's amazing how quickly you can 'hack' into someone's
accounts without touching code. No amount of technology is going
to stop this."
It's worth noting the techniques of adding
urgency to the call: they include time constraints on the
caller's end, and the emotionally charged recording of a crying
baby. It's all calculated to distract the customer service
representative from the unauthorized nature of the call and
emphasize how much the caller needs help.
identity theft and cybersecurity side, several questions arise,
• What training did (or did not) the customer service representative receive in order to avoid falling for
• What cybersecurity or programming defense could be used to intervene?
• What other activities or industries are subject to this same type of social
• What training programs are available to help employees avoid this scam?
From the individual company perspective, several more questions arise, including:
training and educational resources do we provide to our
• How do we coordinate between the IT and security departments of our organization?
• How often do we conduct training exercises for employees who have access to the company servers and/or receive outside calls and visits?
outside resources do we call upon to assist in setting up defenses against this type of exploit?
Any responses that
rely on "It can't happen here," or "Our IT office has that under
control" are simply inadequate. Statistics from various studies
have consistently shown that the majority of data breaches are
rooted in human vulnerabilities and human failure to institute
and enforce appropriate training and compliance procedures.
The takeaway: It's incumbent upon all elements of the
organization to participate actively in defending against
identity theft and cyber attacks. Human resources, for instance,
can't just rely on the IT office to solve the problem,
especially when social engineering is the method and no code or
computer programs are involved in the exploit.
baseline training program, with frequent updates, can provide a
defense adequate to avoid social engineering and individual
manipulation scams like this one.
Ross is ICFE's Director of Special Projects, and the author of the
Certified Identity Theft Risk Management Specialist ® XV CITRMS®
course. As an accredited educator for over 20 years, he has addressed
Identity Theft Risk Assessment and management for consumers, organizations
holding personally identifiable information, and professionals who
work with individuals and organizations who are at risk of falling
victim to identity thieves.
Paul S. Richard
President - Executive Director
Institute of Consumer Financial Education (ICFE)