Privacy Ref Blog

Social Engineering is a Massive Problem

Recently, a large number of YouTubers and other celebrities have been “hacked” or have lost control of their accounts.  The truth of the matter is that nobody is breaking into these accounts; the person taking control is simply getting someone else to hand them over.  The people and groups doing the handing over are not who you might expect.  They are not hackers, black-market data dealers, or even criminals, but customer service representatives and other professionals whose job is to protect your data.

Social Engineering: Laying Blueprints for Mayhem

Social engineering is the act of manipulating others into acting in a certain way.  In the most basic example, you pretend to be something you are not in order to gain access to something you would not normally be able to reach.  In the case discussed in the introduction to this post, the weak point is the phone provider.  The bad guys start by calling the cell phone service provider of their target.  They then claim to be the person they are targeting, or another employee of the provider.  They are then given the access they needed, either by having a password reset or by having the target’s number assigned to a SIM card they control.  The target’s information is now in their hands.  This means phone calls, texts, and possibly emails are now available to someone who means to do harm.

Let the Games Begin!

Once our so-called hackers control the phone number, they gain access to other accounts, because the text message or call used to reset a password now reaches them instead of the owner.  They change passwords and transfer ownership of these accounts to themselves.  Sometimes it is as harmless as renaming every video on a YouTube channel, simply showing off or bragging about their deeds.  Other times they are not so innocent, taking money from financial accounts, deleting entire accounts, or using the account to spread links to malware or other malicious sites.  Even if you are not a YouTube celebrity, this can still affect you or your business.

Protection = Awareness!

So how do you stop this?  How do you protect yourself or your customers from these kinds of attacks?  The answer is very simple, and you most likely already do some of these things.

First, you need to make sure employees verify the identity of anyone they are not dealing with face to face.  If the caller claims to be another employee, ask for the name of their manager, an employee badge number, or any of a number of pieces of information all of your employees would know about themselves, and where possible confirm through a channel you control, such as calling back on the number in the company directory.  It might take a few seconds to complete this verification, but a data breach will take a much longer time to bring under control.

Next, if you use knowledge-based questions, make sure they are good questions whose answers are not openly known.  Asking for a mother’s maiden name, the name of a pet, or the school someone attended may seem smart, but many of these facts can easily be found through social media.  Facebook is a treasure trove of information when you need to answer someone else’s security question.

Use questions that are obscure but easy for the customer to remember.  Being creative here will only help you in the long run.  A good practice is to have each employee create their own questions and answers rather than picking from a fixed list.  If it is a customer who is involved, ask them about a recent transaction on their account, something that changes over time and cannot be looked up in advance.

Finally, train your employees on these policies at least annually.  It doesn’t take long to make sure they refresh themselves on the basics of protecting customer information and on how to verify who they are communicating with.  It is also worth training them on the specific schemes they are likely to encounter, so they recognize an attempt while it is happening.
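One way to put the “ask about a recent transaction” advice into practice, as an added example that is not Privacy Ref’s code: the question is generated from the account’s own recent activity rather than from a fixed list, the agent reads it out and types in the caller’s answer, and the session locks after a few wrong answers so nobody can guess their way through. The account identifier, merchants, amounts and dates are constructed sample data, and the lockout and window sizes are assumptions.

```python
"""Dynamic knowledge-based verification built from recent account activity.

Added example, not Privacy Ref's code.  A static question such as a
mother's maiden name can be looked up on social media; the amount of a
purchase posted a few days ago cannot.  The question names the merchant
and date but never the amount, and the session locks after MAX_ATTEMPTS
wrong answers.  All account data below is constructed sample data.
"""
import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

MAX_ATTEMPTS = 3   # assumed policy: lock after this many wrong answers
WINDOW_DAYS = 14   # assumed policy: only ask about activity recent enough to recall


@dataclass(frozen=True)
class Transaction:
    posted: date
    merchant: str
    amount_cents: int


@dataclass
class VerificationSession:
    account_id: str
    challenge: Optional[Transaction] = None
    attempts: int = 0
    verified: bool = False
    locked: bool = False


# Constructed sample data for one hypothetical account (not real records).
SAMPLE_HISTORY = {
    "acct-1001": [
        Transaction(date(2016, 6, 30), "Harbor Hardware", 9999),  # outside the window
        Transaction(date(2016, 7, 20), "Ridgeway Market", 4312),
        Transaction(date(2016, 7, 22), "Metro Transit", 250),
        Transaction(date(2016, 7, 23), "Blue Fern Cafe", 1875),
    ],
}


def recent_transactions(account_id, history, today, window_days=WINDOW_DAYS):
    """Transactions posted within the last window_days, newest first."""
    cutoff = today - timedelta(days=window_days)
    recent = [t for t in history.get(account_id, []) if t.posted >= cutoff]
    return sorted(recent, key=lambda t: t.posted, reverse=True)


def issue_challenge(session, history, today, choose=secrets.choice):
    """Pick a recent transaction at random and return the question to ask.

    Returns None when the session is locked or there is nothing recent to
    ask about; the agent should then fall back to another factor (for
    example a call back to the number already on file), not to a static
    question.  `choose` is injectable so the pick can be made deterministic.
    """
    if session.locked:
        return None
    candidates = recent_transactions(session.account_id, history, today)
    if not candidates:
        return None
    session.challenge = choose(candidates)
    t = session.challenge
    # Merchant and date only; the amount is the secret the caller must supply.
    return f"What was the amount of your purchase at {t.merchant} on {t.posted:%B %d}?"


def parse_amount_cents(answer):
    """Turn '$43.12', '43.12' or '43' into cents; None if unparseable."""
    cleaned = answer.strip().replace("$", "").replace(",", "")
    try:
        return round(float(cleaned) * 100)
    except ValueError:
        return None


def check_answer(session, answer):
    """Score one answer and lock the session once MAX_ATTEMPTS are used up."""
    if session.locked or session.verified or session.challenge is None:
        return False
    session.attempts += 1
    given = parse_amount_cents(answer)
    if given is not None and given == session.challenge.amount_cents:
        session.verified = True
        return True
    # Wrong answer: drop the challenge so the caller cannot keep guessing at
    # the same transaction; the agent must issue a fresh one or give up.
    session.challenge = None
    if session.attempts >= MAX_ATTEMPTS:
        session.locked = True
    return False


if __name__ == "__main__":
    today = date(2016, 7, 25)
    s = VerificationSession("acct-1001")
    # Deterministic pick (newest transaction) so the demo is reproducible.
    print(issue_challenge(s, SAMPLE_HISTORY, today, choose=lambda c: c[0]))
    print("verified:", check_answer(s, "$18.75"))
```

The point of dropping the challenge after a wrong answer is that a caller who has bought a leaked transaction list still has to know which of several purchases will be asked about, and three wrong guesses end the call. Nothing in the prompt or the session reveals the expected amount, so the agent’s screen and the call log are safe to share with a supervisor afterwards.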

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on July 25, 2016 by Ben Siegel
