I don’t remember exactly where I saw it or heard it, but I recall a story about an incident where a child was approached by a (potential) sexual predator. The child was told his mother wanted him home right away and — we’ll call him Mr. Friendly — Mr. Friendly was there to pick the child up. The child then asked Mr. Friendly for the password and was able to get away in the resulting delay caused by the confusion when Mr. Friendly couldn’t remember the password. The lesson learned here is that every child should have a secret passphrase and only trust those who can repeat that passphrase back to them. This could save countless lives. In fact, my wife had all our kids indoctrinated in this trick back in the day (she just reminded me). Thank heaven the kids never had to use it.
It could also save your corporate network.
Social engineers who call you pretending to be from Microsoft, your corporate office, or some other normally trusted entity are just the digital version of Mr. Friendly. And the same tactic will work on them.
Your organization should have a passphrase that is required to be known by every person on your help desk and any and all support personnel. Every staff member should be required to ask any caller who seeks sensitive information to repeat the passphrase. The passphrase should be changed on a frequency that is appropriate for your organization.
A typical scenario may go like this:
Caller: “Hello, this is Corporate Help Desk. We’ve noticed you have a virus. We can remove it, but we need your user name and password.”
You: “Sure, be happy to help you. What is the passphrase for today?”
You: <click> <dial IT department>
IT: “Hello, IT.”
You: “I just received a call from 555-5555 asking for my login credentials. They didn’t know the passphrase.”
IT: “Well done. Just in case, we’re forcing a reset of your password.”
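As an added illustration that is not part of the original post, here is one way IT could implement the rotating passphrase from the policy above and the check from the scenario: the phrase for each rotation period is derived with HMAC-SHA256 from a shared secret, so every site computes the same phrase without a daily broadcast; the help desk compares the caller's answer in constant time; and every challenge is logged so failed ones (the call from 555-5555) stand out. The secret, the word list, the epoch date and the in-memory log are constructed for this example and stand in for whatever a real deployment would use.

```python
"""Rotating challenge passphrase for help-desk calls.

Added example, not code from the original post. Assumptions (all constructed
for this example): a shared secret held by IT, a 24-hour rotation, a tiny
32-word list, and an in-memory log standing in for the ticketing system.
"""
import datetime
import hashlib
import hmac

# Constructed 32-word list; a real deployment would use a larger published list.
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "granite", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nectar", "orchid", "pebble",
    "quartz", "river", "saffron", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "amber", "birch", "cedar", "delta", "ebony", "falcon",
]
EPOCH = datetime.date(2024, 1, 1)  # constructed start of the rotation schedule


def period_index(day: datetime.date, rotation_days: int = 1) -> int:
    """Number of whole rotation periods elapsed since EPOCH."""
    return (day - EPOCH).days // rotation_days


def passphrase_for_period(secret: bytes, index: int, words: int = 4) -> str:
    """Derive the passphrase for one period: HMAC-SHA256 over the period index.

    Only the secret needs distributing; each site computes the same phrase for
    the same day, and knowing one day's phrase reveals nothing about the next.
    """
    mac = hmac.new(secret, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return "-".join(WORDS[b % len(WORDS)] for b in mac[:words])


def normalize(phrase: str) -> str:
    """Accept spoken variants: letter case, surrounding spaces, space vs hyphen."""
    return "-".join(phrase.strip().lower().replace("-", " ").split())


class ChallengeLog:
    """Records every challenge so IT can spot callers who fail it."""

    def __init__(self) -> None:
        self.events: list[dict] = []

    def verify(self, secret: bytes, claimed: str, caller_id: str,
               day: datetime.date) -> bool:
        expected = passphrase_for_period(secret, period_index(day))
        # compare_digest avoids leaking how many characters matched via timing
        ok = hmac.compare_digest(expected.encode(), normalize(claimed).encode())
        self.events.append({"day": day.isoformat(), "caller": caller_id, "passed": ok})
        return ok

    def failed_callers(self) -> list[str]:
        """Caller ids that asked for sensitive data but could not give the phrase."""
        return [e["caller"] for e in self.events if not e["passed"]]


if __name__ == "__main__":
    secret = b"constructed-demo-secret-do-not-reuse"  # constructed
    today = datetime.date(2024, 3, 15)                  # constructed
    phrase = passphrase_for_period(secret, period_index(today))
    print("Today's passphrase:", phrase)

    log = ChallengeLog()
    print("Legitimate caller:", log.verify(secret, phrase.upper() + " ", "ext-2101", today))
    print("Unknown caller:   ", log.verify(secret, "uh, what passphrase?", "555-5555", today))
    print("Failed challenges from:", log.failed_callers())
```

The rotation frequency is the `rotation_days` argument, and revoking a leaked phrase means rotating the secret, which changes every future period at once. The log is the piece that turns a single refused call into detection: a caller id that fails the challenge is exactly the event the IT desk in the scenario acts on.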
Trust No One on the internet…