Big and small businesses alike pour resources into fortifying their hardware and software systems, hoping to avoid malicious (and expensive) malware and virus attacks. Updating anti-virus software, mandating strong passwords and company-wide mobile device policies make it more difficult for hackers to get what they want. Maybe too difficult, because recently they’re taking a more direct (and often easier) route: the telephone. You may ask yourself, “Can someone hack my phone by texting me?” Often the answer is yes. Similar questions have been asked about outbound phone calls. Outbound social engineering calls are working, and for as long as they do, you can expect the number of outbound hacker calls to rise.
“Susan, this is Keith with IT. I’m seeing your computer is infected with malware and it’s sending out viruses. I need to fix this for you. Go to this website (like JoinMe or any other shared access service website) so I can get access and remove the virus.”
For a hacker, gaining access to private, confidential company, customer and employee data is as simple as that. Susan gives access, no questions asked, and the hacker installs a virus, like keylogging malware, in real time. Keylogging malware tracks every keystroke and reports the data back to the hacker, allowing him or her to follow everything your employee types: websites, internal documents, files, passwords, you name it. Despite the latest anti-virus software and other IT security measures in place, it was Susan who opened the door and laid out the red carpet for the hacker.
The company (and Susan) have no idea what occurred until the real person or IT department notices the problem. By that time, serious damage is done.
Familiarity and unfamiliarity work in hackers’ favor consistently across large and small businesses. For bigger companies with hundreds or thousands of employees, it’s impossible to know everyone working in the IT department. Keith with IT is legit as far as Susan knows. “Keith” was able to call Susan by name after a quick search on LinkedIn or just the web.
It doesn’t raise an eyebrow even when the call doesn’t come from an inside extension. The phone hacker explains he’s with any number of large software companies that the company could be using, or with an outsourced IT firm. Matching an industry to the software a company is likely to use takes only simple deduction. For example, an ad agency probably uses Adobe’s Creative Suite. Human resources firms use PeopleSoft, etc.
Always, always insist employees hang up and dial their in-house IT department back to verify, using the real extension for IT. For outsourced IT services or technology consultants, staff should call that firm back directly.
Smaller companies where everyone knows your name aren’t immune to outbound call hackers either. Susan, one of a staff of 12, gets a call from Keith. Now he’s with Apple or Microsoft and he’s seeing your systems are infected with malware. Susan assumes the computer giants are looking out for her and she readily gives access.
Apple, Microsoft, software providers and any other similar vendors DO NOT call customers asking for system access. NEVER. PERIOD.
Hackers are capitalizing on human nature: the need to please and be helpful. It’s far easier to manipulate people than it is technology. Put as much time and effort into educating your employees on phone hackers as you do into securing your technology systems.