IWS - The Information Warfare Site

    Social Security Administration

SYSTEMS SECURITY BULLETIN

March 10, 2000


SECURITY REMINDER – SOCIAL ENGINEERING

SCAMS AND TRICKS TO OBTAIN INFORMATION FROM YOU

There have been instances in which SSA staff were "tricked" into disclosing sensitive information. The common term for such tricks or scams is "Social Engineering". This is because the person attempting to get the information plays upon the good or helpful nature of the unknowing employee. They may flatter you, come across as really needing your help, or attempt to persuade you that they are performing a service for you.

Sometimes they will pretend to be a fellow employee who needs access because their "system is down". They may try to engage you in conversation and may even know and mention a co-worker’s name in an effort to establish a feeling of mutual helpfulness. On other occasions, they may assume an authority persona to trick you into supplying information.

In one instance, the "trick" was accomplished by an individual posing as a network engineer and troubleshooter who needed a specific "ID" and password to verify that a problem on the network was fixed and would not reoccur. This individual was able to persuade an employee to provide an "ID" and password that had the access rights which the requestor desired. In other instances, callers have identified themselves as staffers from congressional offices or local agencies alleging attempts to serve a constituent. In actuality, some of these individuals were part of a group obtaining this information for illegal purposes.

To effectively combat these bogus/trick calls and social engineering scams:

  • always identify telephone callers requesting information
  • never disclose your password to anyone for any reason
  • always report suspected instances of abuse to your security officer immediately

There is never a good reason to give your password to anyone. If someone identifies themselves to you as a support person or user who needs to borrow your "ID" and password, try to identify them but do not give them the requested information. Ask for a number where you can call them back and notify your security officer immediately.

Office of Information Systems Security
SSA Pub. No. 31-041