No, I’m not suggesting that you don’t answer your phone. Just be careful what you do or say when you are called or contacted.
What am I talking about? A principle I refer to as the CONTACT principle, which will keep your private information private:
If you don’t initiate the contact, you don’t provide confidential information.
For example, your insurance company calls and tells you there’s a problem with your insurance. They tell you that your agent is out of the office, but they will assist you. They ask you to verify your identity by providing your Social Security number and full home address.
Unless you recognize the caller’s voice or can verify who it is, you have no way of knowing whether the caller actually represents the insurance company because they contacted you–they could be calling from a deserted storefront near Redondo Beach.
A good way to check whether the caller is legitimate is to ask for the caller’s name and number and tell them you need to call back later. Most scammers will not give you a phone number. If you don’t receive a phone number, it’s dial-tone time.
Even if they give you a phone number, remember the source–someone you don’t know gave you that number, so don’t trust it. The same goes for the number on your caller ID, which is trivially spoofed. Look up the company’s phone number yourself, on the Internet or in the phone book, and use that number to call back.
Happens at Work, Too
The same thing can happen at work, where your guard may be even lower, because you’ve been trained to be helpful. Be careful how much detail you give callers about the applications, processes, and security safeguards that your company uses; be especially careful regarding any current strategic projects and the like.
A favorite social engineering trick is to call late in the day, especially on Fridays, when people are anxious to leave for the day or weekend. Another good ruse is to pose as a VP who breathes fire when you do not provide information (or do something, like resetting a password) immediately. A third ploy is to request documents be sent to a Yahoo/Gmail/etc. account because a user “can’t log into the company network” due to password issues, lost authentication token, etc.
I’ve never worked for a company that criticized employees for verifying someone’s identity before performing a sensitive task or providing confidential data. However, this can be a sticky area, especially if you work on the help desk, so if you’re in doubt, escalate the call to a supervisor (who has super vision, right?).
Every rule has exceptions—if you can identify the person on the other end of the wire, then proceed cautiously. However, you’re much safer when you initiate the process.
Careful with Email
The same principle applies to email. Don’t trust hyperlinks or attachments from those you don’t know. Of course, these days, you have to be cautious with email and attachments from people you DO know, because a sender address is easy to forge and modern malware can spew its venom to everyone in an email contact list.
When to Share Your Secrets
When YOU contact someone for information or to purchase an item on the Internet, and they ask for confidential data, it’s usually safe to give it to them, because YOU initiated the contact and controlled how it occurred. One caveat: if you reached them by clicking a link or calling a number that arrived in an unsolicited message, you didn’t really initiate the contact–the message did. Type the address or look up the number yourself.
The beauty of the CONTACT principle is that it is simple and effective. Instead of educating others about the various types of scams and how to avoid them, you can teach them this one principle, and it will protect them from a host of problems. Even children can easily master it.
Again, the CONTACT principle:
If you don’t initiate the contact, you don’t provide confidential information.
Reminds me of a scammer who tried to hit my friend’s sister by phone. She was suspicious and said, “if you know my service [that you’re trying to hack], then tell me which city I’m in [since you called me].”
He guessed NYC – bzzt, wrong. End of call.
The crazy thing is they had the audacity to google up the correct city, and call back to try and continue. Amazing.
Krupo,
I often wonder sometimes when I hear stories like this: who’s stupider, the scammee or the scammer? Unfortunately, we know the answer. Fortunately, some scammers are idiots.
However, I’ve almost been caught a few times myself, and I don’t consider myself stupid. Sometimes, people get distracted, sick, or just had a brain freeze. So it happens, so I guess we shouldn’t roll our eyes too quickly. That’s why it’s important to keep in mind a few basic rules (like the one described in this post) so that even if we’re not on top of our game, that loud buzzer will still go off and we can adjust.