<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Defense &#187; vishing</title>
	<atom:link href="http://www.cybersecurityinformation.com/tag/vishing/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cybersecurityinformation.com</link>
	<description>Cyber Security and Risk Management Blog</description>
	<lastBuildDate>Mon, 14 Nov 2011 02:28:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>Balancing The Information Security Program</title>
		<link>http://www.cybersecurityinformation.com/2010/08/27/balancing-the-information-security-program/</link>
		<comments>http://www.cybersecurityinformation.com/2010/08/27/balancing-the-information-security-program/#comments</comments>
		<pubDate>Fri, 27 Aug 2010 13:51:27 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Info D News Releases]]></category>
		<category><![CDATA[Information Security News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[cyber security risk assessment]]></category>
		<category><![CDATA[incident response]]></category>
		<category><![CDATA[information compromise]]></category>
		<category><![CDATA[Information Defense]]></category>
		<category><![CDATA[it & cyber security risk management]]></category>
		<category><![CDATA[vishing]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=924</guid>
		<description><![CDATA[The ability to create, transmit, and store information far exceeds the ability to secure it.  The continued assault on information assets is being perpetrated through sophisticated scams devised by organized crime, foreign government espionage groups, employees, contractors and others. The largely accepted view and standard is that the protection of information assets is a technology [...]]]></description>
			<content:encoded><![CDATA[<p>The ability to create, transmit, and store information far exceeds the ability to secure it.  The continued assault on information assets is being perpetrated through sophisticated scams devised by organized crime, foreign government espionage groups, employees, contractors and others.</p>
<p>The largely accepted view and standard is that the protection of information assets is a technology function and hence in many organizations all &#8220;controls&#8221; are within the area of Information Technology.</p>
<p>While technology is an important aspect of any information security program strategy, it is at best only one of three legs of the footstool. Many information compromises start with threats that arise from weak procedures, and may include intentional or unintentional human acts.</p>
<p>Social engineering is the act of obtaining confidential information through the “art of deception”. Most people have heard of or experienced phishing attacks through email. The email entices the recipient to visit a website that downloads malicious software to the user's PC or tricks the individual into providing sensitive information such as login credentials to business or personal accounts.</p>
<p>Vishing attacks, which are social engineering exploits delivered by phone, are frequently launched against customer service departments, help desks, and other business functions within corporations. Because caller identification is easily spoofed to show whatever inbound number the attacker wants on the recipient’s display, the attacker poses as someone they are not in an attempt to extract sensitive information. The goal of the attacker may be to gain access to the company’s infrastructure, bank accounts, or personal and private information, or may serve a variety of other purposes. It is hard to imagine how technology can prevent such attacks if the employee is unaware and untrained.</p>
<p>Organizations that fail to look at risk to their information assets from a global perspective by analyzing business processes, identifying potential exposures, and determining the necessary controls to protect their information assets run a high risk of repeat and long-term compromise by both insiders and external attackers.</p>
<p>A well-balanced plan integrates risk management principles and focuses on a blend of preventative, detective and response measures across people, process and technology. Establishing a plan starts with awareness at the business leadership level, analysis of the threats, and the development of robust business-centric mitigation strategies. While not all compromises can be prevented, an organization that prepares will detect malicious activity sooner, limit exposure, protect its brand, and recover in a precise, preplanned manner.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2010/08/27/balancing-the-information-security-program/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Social Engineering Exploits Delivered Via Telephone</title>
		<link>http://www.cybersecurityinformation.com/2009/04/28/social-engineering-exploits-delivered-via-telephone/</link>
		<comments>http://www.cybersecurityinformation.com/2009/04/28/social-engineering-exploits-delivered-via-telephone/#comments</comments>
		<pubDate>Wed, 29 Apr 2009 02:28:59 +0000</pubDate>
		<dc:creator>Martin Walker</dc:creator>
				<category><![CDATA[Cyber Crime News]]></category>
		<category><![CDATA[Risk Management News]]></category>
		<category><![CDATA[online fraud]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[vishing]]></category>

		<guid isPermaLink="false">http://www.cybersecurityinformation.com/?p=313</guid>
		<description><![CDATA[Most individuals who use a computer have received erroneous emails claiming they have won some prize, need to verify online banking credentials, are being contacted to accept funds from some far away estate that has no rightful owner, or some other elaborate story.  The list goes on.   The email based scams are referred to as [...]]]></description>
			<content:encoded><![CDATA[<p>Most individuals who use a computer have received erroneous emails claiming they have won some prize, need to verify online banking credentials, are being contacted to accept funds from some far away estate that has no rightful owner, or some other elaborate story. The list goes on. These email-based scams are referred to as phishing attacks. They are carried out by criminals who are looking to farm sensitive information from unsuspecting individuals who fall for the story.</p>
<p>Similar scams are being perpetrated via the telephone and are called vishing attacks. These scams are aimed at getting individuals to give up sensitive information such as credit card data, banking credentials and/or some other sensitive information. Many individuals have come to accept ANI or caller id as verification of who is calling. Scammers know this and are using the ability to manipulate caller id information to defraud unsuspecting individuals.</p>
<p>Anyone can manipulate caller id information, a practice called ANI spoofing, and it&#8217;s as simple as purchasing an online service. The online services will enable the caller to change the number displayed on a caller id, change the voice from male to female or the reverse, and record everything that was said. A tool like this may be fun for the average prankster but could be costly to those exposed to a criminal intent on defrauding individuals. Here&#8217;s how a typical scam might work.</p>
<p>An organized crime group sets up its own server to manipulate ANI. The group utilizes a predetermined set of phone numbers to call and dials them en masse. This is called war dialing. As the call rings on the receiving end, the caller id displays the name of the &#8216;institution&#8217; the caller pretends to be. A message is played which indicates that the receiving individual has a problem with an account and must dial a particular phone number to resolve the issue. When the recipient calls that number, they are prompted by a voice activated agent to enter sensitive information, such as banking info, credit card data, address, social security numbers and more. What the unsuspecting individual has not determined is that the call was a scam and they have just provided a thief access to a credit card or online bank account, or worse, provided enough information to become the victim of identity theft.</p>
<p>Since the beginning of time there have been frauds, and today this behavior remains. What has changed are the methods by which a criminal can defraud the unsuspecting individual or institution. Technology has been a catalyst in enabling many ongoing exploits. To protect yourself, follow a few simple rules that you normally follow in everyday life.</p>
<blockquote>
<ul>
<li>Know who you are dealing with. Just because the phone says Bank of Your Choice, don&#8217;t assume it is.</li>
<li>Your bank knows who you are, so a request from them for sensitive information such as a social security number is a big red flag. If it is your institution and they are using such information to validate who you are, get a new banker.</li>
<li>Be on guard, if it sounds too good to be true, it is.</li>
</ul>
</blockquote>
<p>Know now that there exist scammers who launch social engineering attacks via vishing scams. Be wary of what your caller id tells you. If you find you cannot resist believing that little display, put a piece of duct tape over it!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cybersecurityinformation.com/2009/04/28/social-engineering-exploits-delivered-via-telephone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

