Privacy Ref Blog

Social Engineering is a Massive Problem

Recently, a large number of YouTubers and other celebrities have been “hacked” or lost control of their accounts.  The truth of the matter is that they are not being hacked in the technical sense; instead, the person taking control of these accounts is having others do it for them.  The people and groups helping them are not who you would expect.  They are not hackers, black-market data dealers, or even criminals, but customer service representatives and other professionals who are meant to protect your data.

Social Engineering: Laying Blueprints for Mayhem

Social engineering is the act of manipulating others into acting in a certain way.  In the most basic example, you pretend to be someone you are not in order to gain access to something you would not normally be able to reach.  In the case discussed in the introduction to this blog, the manipulated party is the phone provider.  The bad guys start by calling the cell phone service provider of their target.  They then claim to be the person they are targeting, or another employee of the provider.  They are then given the access they need, either through a password reset or through access to the SIM card.  The target’s information is now available.  This means things like phone calls, texts, and possibly emails are now in the hands of someone who means to do harm.

Let the Games Begin!

Once our so-called hackers have this information, they gain access to accounts, changing passwords and transferring ownership of these accounts to themselves.  Sometimes it is as harmless as renaming every video on a YouTube channel, simply showing off or bragging about their deeds.  Other times they are not so innocent, taking money from financial accounts, deleting entire accounts, or using the account to spread links to malware or other malicious sites.  Even if you are not a YouTube celebrity, this can still affect you or your business.

Protection = Awareness!

So how do you stop this?  How do you protect yourself or your customers from these kinds of attacks?  The answer is very simple and you most likely already do some of these things.

First, you need to make sure employees verify everything when working with someone who is not in person.  If the hacker claims to be another employee, ask for the name of their manager, an employee badge number, or any number of pieces of personal information all of your employees would know about themselves.  It might take a few seconds to complete this verification, but a data breach will take a much longer time to control.

Next, you want to make sure that if you use knowledge-based questions, they are good questions whose answers are not openly known.  Asking for a mother’s maiden name, the name of a pet, or the school they attended may seem smart, but many of these facts can easily be found through social media.  Facebook is a treasure trove of information when you need to answer a security question.

Use questions that are obscure but easy for a customer to remember.  Being creative here is only going to help you in the long run. A good practice is to have each employee create their own questions and answers. If it is a customer that is involved, ask them about a recent transaction.

Finally, train your employees on these policies at least annually.  It doesn’t take long to make sure they refresh themselves on the basics of protecting customer information or how to verify who they are communicating with.  It is also good to train them on the schemes they may have to deal with, so that they understand the privacy metagame.

Privacy Ref provides consulting and assessment services to build and improve organizational privacy programs. For more information call Privacy Ref at (888) 470-1528 or email us at

Posted on July 25, 2016 by Ben Siegel
