Train your users to beat phone scams

As I landed in Dallas returning from my recent visit to China, I picked up my cellphone voicemails. One of them was from my bank, telling me my personal debit card was frozen and would have to be unlocked.

I knew I should’ve let my bank and credit card companies know I was traveling, but I hadn’t, mostly because I use a dedicated business card when traveling overseas on business. Still, I wondered why this particular credit card was locked. Not only had I not used it on the trip, I hadn’t used it in more than a year, and I have multiple credit card security monitoring services that inform me about unusual activity.

I sighed and tried to follow the instructions in the voicemail, but I didn’t have time. I had to hit U.S. customs and catch my next flight home. I’d take care of the issue later.

When I got home I relistened to the voicemail message to get the bank’s customer service number. But the voicemail message didn’t leave one — the only instruction was to “dial 1 to unlock the card.” I hung up and called the number on the back of my debit card.

To report a stolen card I needed to enter the credit card number, the last four digits of my Social Security number, and some other information I can’t remember now. I got a human and told her about my situation. She asked, “Did they call you?” I said yes. Then she asked if they requested that I hit a button to unlock my card. I said yes again.

Then she said: “We don’t do that. That was a scam!”

I was floored. Here I am, an overly suspicious computer security guy, but I’m pretty sure if the scammer had reached me directly instead of my voicemail, I would have readily given all the information I was asked for. I was learning about yet another scam that the world needed to know about.

The phone scam epidemic

I hear from a lot of readers these days about phone scams. Sometime, it’s the tech support scam, where fake reps tell people that they’re calling on behalf of Microsoft or Apple and have detected a computer virus on their computer. Many victims give the caller their credit card information — and helpfully install malware on their system.

In another case, a friend reported that her father was scammed out of thousands of dollars by someone who pretended to be his grandson and claimed to have been arrested — and needed emergency money to get bailed out. “Don’t let mom and dad know,” he insisted.

Others I know have been called by the IRS and told they are going to jail immediately unless they pay a fine for “tax fraud.” This last one is particularly telling, because it’s both an indictment of our tax system and an indication of the guilt some taxpayers feel. Even if you’re an honest taxpayer, the threat of the IRS sending you to jail is a powerful motivator.

Business phone scams are common as well. When I was a full-time penetration tester, one of my favorite social engineering scams was to call someone and tell them I was working for the IT security department. I would say that we were doing “password social engineering tests” for the company, which we were, then ask them for their password.

How often did they give me, a complete stranger, their password? Every time.

Some of the most infamous hacks, including of antihacking companies, began with someone calling and claiming that the big boss was out of the country speaking at a big conference and needed an email password reset immediately. One call and the attacker steals the crown jewels of the company, to the great embarrassment of all.

Companies of all sizes have been scammed into making fraudulent bank transfers. Typically, banks won’t cover the losses for these mistakes. Another popular scam is the fake overdue invoice. The fake invoice can be either from obscure or common items — say, printer ink cartridges for the latter.

Inoculate users against scams

Clearly, your user training needs to cover phone scams.

My current employer was getting hit by the “boss needs his password reset” scam for nearly a decade. Although it wasn’t often successful, it worked enough that we wanted to stop it. In Phase 1 of the project we examined how often it happened and how often it worked. In Phase 2, we provided user training, and our random testing of employees over the next year showed that it worked. In our tests, we couldn’t get a single employee to reset the password of another employee, even if pressured by the caller.

In Phase 3 we made it impossible for one employee to reset or ask to reset another employee’s password without passing that call to top-tier IT security support. We also gave any employee calling three different ways to reset their own password if they knew one piece of private information about themselves and had another authentication factor available (like an employee badge or smartcard).

In the last phase — this is what everyone needs to do — we did away with passwords. We went with several two-factor options, none of which was a simple name and password. The side effect of this policy and processes is that employees can’t be scammed out of a common password that they shared between an external site and their company network.

You can create your own antiscam training programs or let another company do it for you. One of my favorite antisocial engineering training companies, Knowbe4, has included phone scamming in its user security training for quite a while. Here’s an interesting blog post from Knowbe4 on a recent phone scam telling you to pay a fine or face arrest.

If you want to create your own training program, a simple Internet search will turn up lots more examples. Nearly every impacted vendor has information on related scams and how to avoid them. Some examples: Microsoft describes how to avoid tech support scams, for instance, while SunTrust and Scamguard cover bank card fraud.

On a personal level, credit and security monitoring services can help, but for businesses, only solid, specific user training can have any real impact. No matter what you do, make sure your antisocial engineering training includes phone scam awareness and guidance.