The other day I received a call from a social engineer. She was quite pleasant as she attempted to gather information from me. Her starting set of knowledge was my business name, address, and phone number. This information is readily found in commercially available databases or for free on this web site. She also knew the name of my phone carrier. That is also easily discovered through any of the search engines. So armed with all of this, she started her pitch.
Her approach was to state that she was contracted by my phone carrier to contact me regarding their error. She claimed the carrier had been caught by the FCC overcharging for long distance service. All I had to do was answer a series of questions and I would have my service changed to a lower-cost plan. By this time I suspected a social engineering attempt.
When you suspect an attempt, remember you have the technology resources at your fingertips that can be used to your advantage. Here are a few things to do while on the phone:
- If you have caller ID, use a search engine to check the phone number and business name. Are other people reporting issues connected to this phone number?
- Bring up your online billing statement. Do the details the social engineer gives you match the statement?
- Research current scams in the news. Does your social engineer's pitch match one of these scams?
It was evident from my research that she was not who she claimed to be. I don't know if she was trying to scam me into changing service providers (slamming) or if the series of questions would have been used for identity theft. I told her she was attempting to scam me, thanked her for the entertainment, and hung up.
After you hang up, let your carrier and the Federal Trade Commission know what is going on. Most carriers have a web form, email address or phone number you can use to report a social engineering attempt.
While your individual report may not be meaningful on its own, when it is combined with other reports a pattern may emerge that could assist investigators.