Christine was excited to have landed the receptionist job with her new employer. She had taken a three-year absence from the labor force after the birth of her first child and had spent more than four months actively looking for a position with a company that offered good benefits and some flexibility in scheduling. While it seemed like a perfect job, the first few days were overwhelming as she tried to absorb the corporate culture along with its policies and procedures. Because of a backlog in administrative work, her orientation briefings were spread over the first several weeks.
Within her first couple of days on the job, Christine updated her LinkedIn profile, listing her employer's name, her position and her general duties. She was proud to be back in the workforce.
Christine's profile immediately popped up on the screen of a team of hackers who were looking to penetrate this company. They had already identified a few candidate insiders to target, but Christine looked like a better choice. She was brand new and almost certainly not yet familiar with all of the company's policies and procedures, unlike the other candidates, who had been with the firm for several years. She was probably sitting at a front desk, somewhat isolated from any colleagues whom she could readily consult for guidance. Furthermore, as a new hire she was likely eager to please and less likely to question someone who appeared to be working within the firm's administrative structure.
When she returned to work the following Monday, a member of the hacker team called Christine's extension. He spoofed the caller ID so that the call appeared to come from the firm's outsourced IT service provider. When Christine answered, a man identifying himself as "Will" from IT gave her a warm welcome. Will said he understood that she had recently started with the firm and wanted to make sure she was getting the right support. The two chatted for a few minutes before Will explained that they had detected a problem with the build of her system and that he was concerned it would crash if the problem was not addressed. With her help, he said, he could take care of the rebuild within 15 minutes.
Christine was immediately worried that a system crash would mean a considerable delay in her other tasks. When she asked what needed to be done, Will explained that he would send her an email containing a link that would authorize him to access her system and make the configuration changes by hand. Christine agreed at once, and the two stayed on the phone throughout the procedure. Within a minute the email arrived, and she clicked the link, giving Will access to her workstation. While he worked his way into the system, he kept Christine distracted with casual conversation. Within a few minutes he had planted a backdoor that the team could use to return at a later date. He thanked Christine and wished her success in the new position. As she hung up, Christine was grateful that Will's intervention had prevented a potential crash. Little did she know that her actions had enabled a breach that would cost her company $1.2 million in stolen data, litigation fees and reputational damage.
This is a very simple, yet effective, technique used to breach organizations of every kind: private companies, non-profits and academic institutions alike. The technical term is "vishing," or voice phishing. The target is approached by telephone by someone who appears to be legitimate, in this case IT support. Caller ID spoofing hides the caller's real identity and lends the call credibility; because caller ID is not authenticated in any way, it should never be treated as proof of who is on the line. After building some initial rapport, the caller warns of an impending problem and immediately offers a solution. Typically, the target acts on emotion and complies with the caller's request on the spot. The simple defense is to decline any request for remote access or credentials that arrives by inbound call, hang up, and call the IT department back on a number you already know to be genuine. While this example showed the technique used against a receptionist, anyone in your organization could be targeted this way. Would you have fallen victim?