Policies to combat Social Engineering via Phone Calls

Two policies that can be enacted to help prevent social engineering via phone calls are:

Sharing of Sensitive Information on Phone Policy

“Sensitive information of <Company Name> will not be shared with an unauthorized individual if he/she uses words and/or techniques such as the following:”

  • An “urgent matter”
  • A “forgotten password”
  • A “computer virus emergency”
  • Any form of intimidation from “higher level management”
  • Any “name dropping” by the individual which gives the appearance that the request is coming from legitimate and authorized personnel.

Social Engineering Personnel Training Policy

A policy which specifies who gets trained, how often, and what training material to include. The material should cover awareness of attacks from people who are, or claim to be:

  • Reporters
  • Sub-contractors
  • Employees (former and current)
  • Strangers who use seduction/ego-stroking methods
  • Vendors
  • Vendor customer support, etc.

However, the obstacles to implementing these policies could be:

  • Human nature – people are vulnerable to social engineering attacks; they are called the weakest link in the security chain for a reason
  • Costs involved in training
  • Increasingly sophisticated attacks – these make it hard to keep the training up to date