rslade
Influencer II

Incremental social engineering attack?

OK, here's a weird one.

Attacker calls up customer service and "corrects" a single character in the spelling of the account name.  Then does it again.  And again ... until finally the account is now in the attacker's name ...

Now how would you train people to detect or be on guard against that?

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
3 Replies
denbesten
Community Champion

By having a system that does not depend solely on the spidey-sense of the front line personnel, such as:

  1. A validation system that keeps the attacker away from my account until they have proven something.
  2. A CRM (Customer Relationship Manager) that makes the most recent changes to an account visible to the phone jockey.
  3. A fraud unit that watches the frequency of events (charges, calls, changes, atypical balances, etc.) to a given account.
  4. A feedback system, whereby I receive alerts regarding changes to my account.
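As an added example (not code from the thread or from any poster), here is a small detection routine in the spirit of items 2 and 3 above: it replays a constructed account-change log and flags an account when the name has been "corrected" too many times in a rolling window, or when the cumulative edit distance from the name at the start of the window exceeds a threshold, even though every individual change was only one character. The account identifiers, names, timestamps and thresholds are all assumptions invented for the sample.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class NameChange:
    """One account-holder name change as a CRM audit log would record it."""
    account_id: str
    ts: datetime
    old_name: str
    new_name: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# Constructed sample log (hypothetical accounts and names, not real data).
# A-1001 is the incremental attack: four one-character "corrections" in 18 days.
# A-2002 is a single legitimate typo fix. A-3003 is one large legitimate-looking change.
SAMPLE_CHANGES = [
    NameChange("A-1001", datetime(2024, 3, 1), "Alice Smith", "Alice Smyth"),
    NameChange("A-2002", datetime(2024, 3, 2), "Jon Doe", "John Doe"),
    NameChange("A-1001", datetime(2024, 3, 6), "Alice Smyth", "Alise Smyth"),
    NameChange("A-3003", datetime(2024, 3, 9), "Mary Jones", "Mary Jones-Lee"),
    NameChange("A-1001", datetime(2024, 3, 12), "Alise Smyth", "Elise Smyth"),
    NameChange("A-1001", datetime(2024, 3, 18), "Elise Smyth", "Elise Smythe"),
]


def detect_incremental_renames(changes, window=timedelta(days=30),
                               max_changes=2, max_drift=3):
    """Return {account_id: {"changes": n, "drift": d, "first_alert": ts}} for
    accounts whose name changes within any `window` exceed `max_changes`, or
    whose name drifted more than `max_drift` edits from the name at the start
    of that window. Per-change review sees only a one-character edit; this
    rule looks at the trajectory instead."""
    by_account = {}
    for c in sorted(changes, key=lambda c: c.ts):
        by_account.setdefault(c.account_id, []).append(c)

    flagged = {}
    for acct, events in by_account.items():
        start = 0  # index of the oldest event still inside the window
        for i, cur in enumerate(events):
            while events[start].ts < cur.ts - window:
                start += 1
            in_window = events[start:i + 1]
            count = len(in_window)
            # Drift is measured against the name *before* the first change in
            # the window, so a chain of tiny edits is compared to the origin.
            drift = levenshtein(in_window[0].old_name, cur.new_name)
            if count > max_changes or drift > max_drift:
                rec = flagged.setdefault(
                    acct, {"changes": 0, "drift": 0, "first_alert": cur.ts})
                rec["changes"] = max(rec["changes"], count)
                rec["drift"] = max(rec["drift"], drift)
    return flagged


if __name__ == "__main__":
    for acct, rec in detect_incremental_renames(SAMPLE_CHANGES).items():
        print(f"{acct}: {rec['changes']} changes, drift {rec['drift']}, "
              f"first alert {rec['first_alert']:%Y-%m-%d}")
```

In the sample, A-2002 stays quiet (one change, drift 1), A-3003 trips only the drift rule with a single large change (the kind of change item 1's validation step should already gate), and A-1001 trips both rules on its third one-character edit, which is the point: the frequency and drift rules catch what an agent looking at one ticket cannot. Thresholds would be tuned to the real population of legitimate corrections.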

Shannon
Community Champion

This brings to mind something that occurred in 2017, the other way around. While in KSA, I received an email from a bank with which I had an account in my home country --- India --- thanking me for visiting the branch to meet the new manager the previous day.

Far from being out of the area the branch is located in, I wasn't even in country at the time!

After ensuring that the sender address was indeed that of the bank, I contacted them to alert them to this, and asked for an investigation & explanation. When they responded stating that it was due to a new staff member sending out the email erroneously, I made a complaint on the site, but decided to let it pass after they called me & apologized.

However, that wasn't the end of it --- shortly after, I received another similar email, followed by the same explanation: employee error! This is a major bank in India, so I was dismayed that something like this could happen. (I closed my account after this)

Had they claimed that they were gauging customer awareness, I might have actually appreciated it... ;-)

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Caute_cautim
Community Champion

Interesting study: 

https://www.csoonline.com/article/2125176/social-engineering-stories.html

Regards

Caute_cautim