Another example of a social engineering scam, and another example of why awareness and training are so important for safeguarding information…
On May 10th the U.S. Securities and Exchange Commission (SEC) issued a press release warning that imposters were calling companies, claiming to be SEC examiners, and demanding “immediate access to confidential records.”
“On more than one occasion, unknown individuals have attempted to impersonate SEC staff. These individuals have contacted firms by telephone, identified themselves as members of the SEC staff, and demanded immediate access to confidential records. In some cases they claimed to be conducting an ‚Äúemergency‚Äù examination. In others they claimed to be gathering information on behalf of some well-known SEC official. Luckily, in the incidents known to us, the impersonation was discovered in time and no confidential information was shared.
If you have reason to suspect that a caller claiming to be an examiner or other member of the staff is not a member of the SEC’s staff, consider taking the following steps. You can ask for the caller’s name, office, and telephone number, and tell the caller that you will return his or her call. The telephone numbers of all SEC offices are available on the SEC’s web site at: http://www.sec.gov/contact/addresses.htm. Using the telephone number on the SEC’s website, call the main number of the particular office that the caller identified, and ask to speak to the SEC staff person.
Most importantly, if the caller makes you suspicious, do not share any confidential information until you have verified the caller’s identity. If the caller resists providing you with proof of identity, or your effort to contact the caller through a published SEC telephone number is unsuccessful, do not give the caller any information, and please report the incident to the Examination Hotline at (202) 551-EXAM, or to the SEC’s Inspector General at (202) 551-6060.”
I have seen similar scams work quite effectively over the years within organizations. Personnel at all levels generally want to work with people they perceive as government or law enforcement representatives, people of authority, and will often drop what they are doing to provide assistance, believing they are doing a service to their organization.
This points to the importance of:
* Verifying callers and people who show up on site to validate their claimed identities.
* Having procedures in place to validate identities.
* Providing training for the identity validation procedures, along with other social engineering schemes.
* Providing ongoing awareness of social engineering as part of your full information security and privacy awareness messages.
I believe small and medium sized businesses (SMBs) would be particularly susceptible to this scam; they typically do not have the information security or privacy staff, expertise, or resources available to keep up with these issues.
It will be interesting to see any accumulated information about how many businesses fall victim to this scam.
Please, make your personnel aware of this before they give away your company’s confidential information…and perhaps subsequently the business itself.
Tags: awareness and training, Information Security, IT compliance, policies and procedures, privacy, risk management, SEC, SMBs, social engineering