Here’s a frightening story that a friend and reader sent me today. (The company name and phone prefix have been changed to protect the innocent and naive.)
We often get calls from CableTV employees looking for CableTV’s Help desk. Their phone number begins with 903; one of our DID ranges is 902. Today we received a call from some CableTV guy who couldn’t log in. One of our people politely explained that the guy had dialed the wrong number.
The guy immediately called back. Our CIO enjoys occasionally playing with these people when they continually misdial (asking for free cable TV to unlock their account, etc.), so I had the CIO answer the phone. Our entire IT staff heard his side of the conversation. It went something like this.
“Okay. Can I have your user ID? Great, and what’s your password? Okay. Let me have the last four digits of your Social Security Number. And your home address? Thanks. Well, listen. You work for CableTV, right? You’re calling the wrong Help desk. Yeah, our phone prefix is 902, not 903. You really need to be careful who you give your information out to. You don’t even know my name. No company Help desk should ask you for all of your personal information, especially your home address and Social Security Number. You gotta be careful, dude.”
The four of us were literally dumbstruck listening to this whole conversation.
Do your users know any better than the CableTV guy? How are you educating people in your company to ensure that they don’t fall prey to social engineering or just plain naiveté? I’d love to hear your experiences with security issues that come from users being too trusting and providing information they shouldn’t!