July 13, 2016 SOCIAL ENGINEERING

Fear, Urgency, and Doubt: The FUD of Social Engineering

Having worked in the cybersecurity sector for 5 years, I’ve become quite the skeptic when it comes to unsolicited phone calls from one of my service providers. Last week, two so-called AT&T associates contacted me about the same issue. When I questioned their legitimacy, one associate reacted defensively, while the other remained calm. Here’s my story:

The Phone Calls

I received the following text message last week:

AT&T Free Msg


Strange … I hadn’t made any changes to my account.

While searching for AT&T’s customer service number, my phone rang.

Linda: Hi, this is Linda from AT&T. We’re contacting you to let you know that AT&T accidentally added a number to your account, and we sent you a temporary PIN that we need you to verify, so that we can fix the problem.

Me: Thank you for letting me know, but how do I know that you’re really from AT&T and this is not a scam?

Linda (getting angry): Because I’m calling you to tell you that AT&T accidentally added a number to your account …

Me: But how do I know that this is not a scam?

Linda (on the verge of fuming): BECAUSE I’M CALLING TO TELL YOU WHAT HAPPENED!

Me: How about I log into my account and, if I see an issue, I’ll call you back.

*Linda hangs up*

Why would someone from AT&T get mad at me, the customer, when THEY made a mistake? Answer: They wouldn’t.

I ended up contacting AT&T directly to confirm that no changes had been made to my account.

Six days later, I received a second phone call from “AT&T.” This time, it was a man calling me about the same issue.

“AT&T” Guy: We’re contacting you to let you know that AT&T accidentally added a number to your account …

Me: One of your colleagues called me earlier this week and I’m pretty sure you guys are trying to scam me.

“AT&T” Guy: Absolutely not, ma’am.

Me: I already spoke with AT&T and no number was added to my account.

“AT&T” Guy: It’s a 601 number. Are you sure you spoke with the billing department?

Me: How about I log into my account and if I see an issue, I’ll call you back.

“AT&T” Guy: Absolutely, ma’am. No problem.

I contacted AT&T directly and they (again) confirmed that no changes were made to my account.

The Strategy

Social engineers go beyond merely asking strategic questions to acquire personal information; they prey on your emotions so that you don’t have an opportunity to hesitate. In the first example, the text message and Linda’s subsequent phone call attempted to instill fear (if you did not request change …) and create a sense of urgency (call 800.331.0500 ASAP).

Fear is a powerful emotion; couple that with the thought that your account was hacked, and we have instant panic mode. Conveniently, your phone rings in that second … it’s Linda, coming in to save the day.

In the second example, “AT&T” Guy’s eerily calm demeanor had me questioning whether or not I had spoken to the right person at AT&T. Now, in addition to trying to instill fear (that there was something wrong with my account), he had me doubting myself. Maybe this guy really was from AT&T.

These are only a couple of examples of tactics used by social engineers. It’s relatively easy to get caught in their traps, as they try to grab you in that moment of fear before your instincts pull the brakes. Had I continued with either phone call, it would have only been a matter of time before they asked for my passcode. With the passcode in hand, they could add phone lines, make changes to my plan, request confirmation of personal information (e.g. “I moved recently and just want to make sure you guys have the right address on file.”), etc. Easily.

I’m thankful my skepticism kicked in. Most importantly, if you receive an unsolicited phone call from AT&T, hang up. Locate AT&T’s customer service number on their website and call them directly. Find out for yourself whether the call was legitimate to begin with.