Privacy Ref Blog

Don’t Take the Bait

Irony is a state of affairs or an event that seems deliberately contrary to what one expects and is often amusing as a result.  So when I got a phone call asking to speak with Bob Siegel about his room for the upcoming IAPP Summit, I was surprised by the ironic situation I was faced with.  After all, one would expect that an event specifically about privacy would not be dealing with issues like phishing.

Phishing is the act of sending emails or making calls trying to get PII while posing as someone you are not.  You may be familiar with individuals that call you around tax season, claiming to from the IRS and that they have a warrant for your arrest unless you pay a large sum of back taxes.  If you try to dig deeper, get more information, suddenly the story falls apart and it is proven to be scam.  This is what we saw.

The Line is Cast

So there I was, sitting in my office when my phone rings.  A man’s voice with a thick accent, one I could not identify, starts telling me about how he wants to help us get a lower rate on our hotel for the 2016 IAPP Summit.  He mentions the Georgetown Marriott, which is the wrong hotel and I get suspicious.  I give them Bob’s extension and say he isn’t available, call next week.  Afterwards, Bob calls me and we agree to let the IAPP personnel know what happened.  We suspect phishing or social engineering.

I left a voice mail for a contact at the IAPP, explaining what happened, and received an email back that I was not the only one reporting such an incident.  This isn’t hard to believe, since other exhibitors dealt with this same call.   The list of presenters is on the IAPP’s site, so getting their information, such as company name and phone number, is only a few clicks away.  Bob is listed as the CEO and Founder of Privacy Ref, so going to www.PrivacyRef.com gets our phone number right away.  All general calls go to me though.  Suddenly, it all makes sense how this scam works.

They have a plausible story, working with the hotels to adjust rates, they have the list of contacts, the IAPP exhibitors, and all of this is public information since the IAPP has to let attendees know who is presenting and where the event is to get people interested in attending.  These phishers are counting on you to panic and give up data, like credit card information, in the heat of the moment, compromising your privacy.  How do you know this is a scam though?

Not Getting Hooked

First off, never lose your cool.  Nothing is ever solved by panicking, but asking questions and getting more information can prove if something is scam or legitimate issue.  In this case, I did not have to ask questions since the phishing caller used the wrong hotel name.  If you get called and asked for any kind of credit card or similar sensitive information, ask questions.  Why do you need this?  Why can you not look it up yourself?  Can you tell me something to prove this is legitimate?  The last question is most important.  If someone says they are from the IRS and you owe back taxes, they should be able to tell you how much you paid on your last return, your current address, or where you worked last.  All of this is on your returns.  Most importantly, if it sounds too good to be true or completely outlandish, it probably is.  If someone from the government has a warrant for you, they are not going to call, they will show up with the police.

Just remember, businesses can help protect customers by having rules that are widely available and easily accessible to customers.  If you let customers know you will never ask for information in an email, you will help prevent email based phishing.  Calls can be difficult to predict, but if you set up standard protocols to handle calls, customers will know what is going on and be better able to detect a scam.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at info@privacyref.com

Posted on February 29, 2016 by Ben Siegel


« »

No Responses

Comments are closed.


« »

Subscribe to our mailing list

Please fill out the form below.

Required

Want to find out more?

Simply go to the contact page, fill out the form, and someone from Privacy Ref will be in touch with you. You can also send an email to info@privacyref.com or call (888) 470-1528.

News

November 23, 2016

Quarterly Breach Webinar
On December 14th, Join Ben Siegel as he reviews recent data breaches, how they occurred, and what could have been done to better handle or prevent it. Sign up here.

Latest Blog Posts

November 10, 2016

Thoughts on Passwords and Privacy
Within 24 hours, I have had some interesting interactions with strong, or sometimes not-so-strong, passwords.  I figured now was a good time to go over some of the pitfalls you might encounter when trying to implement a new password policy for your customers or employees. Continue reading this post...

October 14, 2016

Facebook knows a lot
A few weeks ago, I was auditing a CIPP/US class that Bob Siegel was teaching on behalf of the IAPP.  Someone brought up the idea of openness and allowing individuals access to the data you have about them.  At this point, Bob discussed the principles behind this, such as how the OECD Guidelines approach it.  Bob also mentioned that under GDPR (and the EU Privacy Directive) a user should be able to see and correct information an organization has about them. Bob then mentioned it would be interesting to see what would happen if I asked a company about what data they had about me.  I immediately thought of Facebook. Continue reading this post...

Other Recent Posts

PRIVACY REF