In a recent incident, a man called a 24-hour Wal-Mart in Ohio and explained to an associate that he was with Wal-Mart’s IT department and needed the associate to activate several gift cards, read him the card numbers, and then provide the authorization codes from the back of the cards. The associate willingly did so, and the store did not realize it had been tricked until $11,000 in online fraud had already been committed.
This is a great lesson learned to share with your employees (and third-parties). Do your employees understand your organization’s policies on providing/protecting information in different situations?
The Wal-Mart caller did not give the associate any reason to believe he was really from the IT department…do your employees understand authentication procedures and passwords?
The Wal-Mart caller did not explain why the IT department was making the request…would your employees be suspicious? Would they know how and where to report the suspicious caller to the appropriate personnel?
Do your employees understand how to protect sensitive information or would they willingly provide information over the phone in the spirit of good customer service?
Do your employees participate in ongoing situational awareness training? Are you updating your employees as social engineering techniques, risks, and threats evolve?
Have your employees acknowledged their individual roles and responsibilities in case of a lawsuit or termination?
Even if your IT department has the most sophisticated and expensive technology solutions in the world, all of it can be bypassed if your employees fall for simple social engineering scams.
Are you educating your employees on best practices for protecting information?