
Social Engineering & the Need for Awareness & Training: Fraudsters Are Calling Businesses Pretending to Be SEC Staff Members

Another example of a social engineering scam, and another example of why awareness and training are so important for safeguarding information...

On May 10th the U.S. Securities and Exchange Commission (SEC) issued a press release warning that imposters were calling companies, claiming to be SEC examiners, and demanding "immediate access to confidential records."

"On more than one occasion, unknown individuals have attempted to impersonate SEC staff. These individuals have contacted firms by telephone, identified themselves as members of the SEC staff, and demanded immediate access to confidential records. In some cases they claimed to be conducting an “emergency” examination. In others they claimed to be gathering information on behalf of some well-known SEC official. Luckily, in the incidents known to us, the impersonation was discovered in time and no confidential information was shared.

If you have reason to suspect that a caller claiming to be an examiner or other member of the staff is not a member of the SEC’s staff, consider taking the following steps. You can ask for the caller’s name, office, and telephone number, and tell the caller that you will return his or her call. The telephone numbers of all SEC offices are available on the SEC’s web site at: http://www.sec.gov/contact/addresses.htm. Using the telephone number on the SEC’s website, call the main number of the particular office that the caller identified, and ask to speak to the SEC staff person.

Most importantly, if the caller makes you suspicious, do not share any confidential information until you have verified the caller’s identity. If the caller resists providing you with proof of identity, or your effort to contact the caller through a published SEC telephone number is unsuccessful, do not give the caller any information, and please report the incident to the Examination Hotline at (202) 551-EXAM, or to the SEC’s Inspector General at (202) 551-6060."


I have seen similar scams work quite effectively over the years within organizations. Personnel at all levels generally want to work with people they perceive as government or law enforcement representatives, people of authority, and will often drop what they are doing to provide assistance, believing they are doing a service to their organization.

This points to the importance of:

* Verifying callers and people who show up on site to validate their claimed identities.
* Having procedures in place to validate identities.
* Providing training for the identity validation procedures, along with other social engineering schemes.
* Providing ongoing awareness of social engineering as part of your full information security and privacy awareness messages.

I believe small and medium-sized businesses (SMBs) would be particularly susceptible to this scam; they typically do not have the information security or privacy staff, expertise, or resources available to keep up with these issues.

It will be interesting to see any accumulated information about how many businesses fall victim to this scam.

Please, make your personnel aware of this before they give away your company's confidential information...and perhaps subsequently the business itself.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community, where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.