A Multi-Staged Attack – usually a phishing email, followed up by a phone call.
It works because, like Michele says, “if it comes from more than one source, it must be true.”
The Attack
A call will come in, and a stranger will have a believable story that relies on the email they sent you.
What they’re asking of you won’t seem like a big deal… maybe they’re seeking a little piece of information, or asking you to perform a seemingly mundane task on their behalf.
The call will have a sense of urgency, a realistic reason why they need you to do something ASAP. It will seem logical.
The attacker will be slick with words, and you’ll start to feel like helping them.
“People don’t want to be rude; it’s a social faux pas. This attack exploits our natural instinct to be helpful,” says Michele.
The Defence
– don’t click any links in the email they’re referring to
– ask yourself whether the call is coming from an expected source
– be the one who places the call: rather than acting on the incoming call, call the organisation back yourself
– buy yourself time. Say something like, “I’d be happy to help, but you caught me in the middle of something. Let me finish it and I’ll call you right back. What’s your number?”
I can confirm the effectiveness of this attack.
I did this for years back in the early days of the internet – not for nefarious reasons, but for sales. It was amazing how many strangers would take my call.
Chain of Events
Search for companies who would benefit from buying advertising on my site > copy/paste sales email that concludes with, “I’ll follow up with you in a couple of days” > send, then wait 2 days > phone them, “Hi, it’s Keri, I’m calling to follow up on the email I sent. Sure, I’ll hold for the manager, thanks” > close sale
This has been Part 3/3 in a series with Michele Fincher of Social-Engineer, Inc., a premier consulting and training company which specializes in the art and science of social engineering (SE).
Meet Michele here