An urgent call.
Website: https://legascom.ru
In general, social engineering is a very powerful tool: with the right conversational skill (remember the scout Stirlitz), the interlocutor will tell you everything you need.
To begin with, here is a short story about the famous hacker Kevin Mitnick. He managed to steal information even from network segments that were not connected to the Internet. It was done as follows. Let's say Department A has an Internet connection, but Department B of the same company does not. Mitnick, having the company's address book, called an employee of Department B, posing as an employee of Department A, and politely asked them to fax him the information he was interested in, explaining that he was out of the office and urgently needed it. Some refused, but sooner or later there was bound to be an employee (usually a woman) who complied with the hacker's request.
Although this story has been around for decades, this method of obtaining information is still practiced. For example, someone calls your mobile phone on a connection so poor that you can barely hear him, introduces himself by the name of an actual employee, and asks you to provide, say, the contact information of your supervisor or of another employee. He explains that he is outside the office and urgently needs this information. Many people in this situation comply with the caller's request. But the caller could be an attacker.
The correct course of action in such a situation is to politely refuse to provide information. For example, you can say that you can't hear well and ask them to call you back later. However, this is not enough. Ideally, this call should be reported to the company's security service. If there is none, or for some personal reason you do not want to contact them, then at least inform your immediate supervisor.
By the way, the security service itself often conducts similar "exercises", calling its employees on behalf of unknown persons. If the caller obtains the requested information, the employee is punished; if nothing is disclosed and the security service is informed, the employee is rewarded. Many will consider such provocations immoral. However, this method is taught not only in the educational institutions of the relevant law enforcement agencies, but also in various information security courses.
But in general, user actions in such situations should be clearly spelled out in the corporate security policy, which is signed by each employee upon hiring.




