Recently, our company encountered a social engineering attack firsthand. One of our engineers received a call from a con artist claiming to be a QuickBooks troubleshooter. The caller wanted to fix an issue for one of our clients, but our engineer followed our best practice for incoming vendor calls and quickly determined that the call was not legitimate. After asking several screening questions, such as who was calling, what the issue was, and who had reached out to QuickBooks for support, our engineer realized this was a scammer. At that point, the fraudster hung up, and our engineer had averted a potentially damaging situation.
With every call we receive, we follow our security procedures to screen phone calls. As you can hear in the voice recording, our engineer asked specific questions that helped determine that this was, in fact, a social engineering attack. If our engineer had not asked security questions, the hacker might have posed as a legitimate QuickBooks employee and requested remote access to our account. They could have accomplished this by directing our engineer to a website or link hosting malicious software, which could have given them unauthorized access.
Between 70% and 90% of data breaches involve social engineering.
This incident highlights the dangers associated with social engineering and the incoming calls that businesses receive. Malicious actors can employ strategies to persuade their targets to give out login credentials, financial information, or other sensitive data by disguising themselves as authorized representatives of reputable firms such as QuickBooks, Microsoft, or Google.
When it comes to social engineering, incoming calls pose a more significant threat to businesses than outgoing calls, because the caller controls the framing of the conversation. Callers can use social engineering techniques such as researching the company, its employees, and its clients to appear legitimate. Con artists can also spoof the phone number of a legitimate company to trick users into believing the real vendor is calling. To protect against social engineering attacks over the phone, businesses should have procedures in place to verify the identity of callers, ask security questions, and redirect calls if necessary.
How should your business screen calls to prevent cyberattacks?
Reason for the call
Ask the caller to explain thoroughly why they are calling. This can assist you in determining whether the call is legitimate or a social engineering scam.
Urgency
Ask the caller about the urgency of the call. Social engineers often use urgency to pressure people into providing information or taking actions they wouldn't normally take.
Credentials
Ask the caller to provide their credentials or employee ID number. You can call the vendor’s main public number to verify the identity of the caller using the ID information you collected.
Redirection
If the call seems fishy or the caller requests sensitive information, redirect the call to the appropriate department or supervisor to confirm the request's legitimacy.
Train employees
Train your employees on how to handle incoming calls and provide them with scripts or talking points to ensure they can quickly identify the purpose of the call and manage it effectively. Cybersecurity training and awareness software is also available to help users recognize social engineering tactics.
Use an automated phone system
Consider implementing an automated phone system to screen and route calls based on pre-set rules or instructions. This can reduce the workload on your employees and ensure that calls are directed to the right people.
Set boundaries
Set limitations and standards for when and how calls should be handled. For instance, you might select certain personnel to handle specific calls or establish timeframes for receiving calls.
Keep records
Keep records of all incoming calls, including the date, time, and purpose of the call. This can help you track important calls and identify trends or issues that may need to be addressed. Recording calls is also a good practice for investigative purposes.
How can Infiniwiz clients determine if it is us calling?
- Infiniwiz's process when calling a client is to reference the issue they're having after greeting them, so if you hear anything different, remain cautious.
- Asking the purpose of the call and asking who from your company reached out to the caller is an important security step. This forces the caller to explain themselves, and if they can’t tell you who reached out or what the issue is, treat the call as a scam.
- If you regularly speak with our IT team, it’s likely you will recognize our engineers' voices. When we have a new engineer onboard, we will always inform all our clients in case you may hear a new voice. You should always ask whom you are speaking to when you do not recognize the caller.
- Do not rely on recognizing our phone number; it is quite simple for con artists to spoof any phone number and trick you into thinking it is us.
- If you have an issue with a software vendor, like Intuit/QuickBooks, contact their official support channels to open a support case. Scammers will not have access to official support channels, so verifying through those channels can help identify fraudulent callers.
- Clients with doubts or questions can always check in with Infiniwiz for confirmation. In Infiniwiz's case, clients can call our support line at 847-499-1515 to verify with us or send an email to support@infiniwiz.
- If you’re not sure if the call is real, collect the name of the caller, call Infiniwiz, and ask for the person.
Overall, with any incoming call you receive, we advise our clients to exercise caution. Asking for the caller's name, number, and reason for calling will help you determine whether the call is legitimate. Clients can contact us directly to determine whether a call was legitimate or a social engineering scam. Being attentive is essential. If you have any questions, feel free to contact us!