Establishing Digital Trust: Don't Sacrifice Security for Convenience
A pair of Australian radio hosts recently made a prank call to London's King Edward VII Hospital, trying to reach the Duchess of Cambridge -- and were surprisingly successful.
"The hospital inadvertently revealed new details about Kate's condition when Australian DJs Mel Greig and Michael Christian called in and pretended to be Queen Elizabeth II and Prince Charles, complete with exaggerated accents," writes ABC News' Christina Ng. "They even enlisted two co-workers to bark like the queen's corgis. The queen impersonator asked for her granddaughter and was promptly transferred to another hospital employee."
"The nurse looking after the Duchess gave confidential details of her treatment and of her condition, and even talked about what time it would be convenient for the 'Queen' to visit," write The Telegraph's Gordon Rayner and Steven Swinford. "A spokesman for the hospital said: 'This call was transferred through to a ward and a short conversation was held with one of the nursing staff. King Edward VII's Hospital deeply regrets this incident.'"
As Sophos' Paul Ducklin points out, there's an important lesson to be learned from the prank. "Social engineering -- where scammers trick you or your staff into revealing information they know they oughtn't to give out -- is surprisingly easy," he writes. "As Mel and MC showed, you don't have to get all the details right. In fact, you can get many or most of them wrong. You don't even have to be terribly believable. You just have to stick to your guns."
"In order to minimize the risks posed by social engineering, experts advise organizations to educate their staff members to refuse to hand out information over the phone," writes Softpedia's Eduard Kovacs. "In the end, if the caller insists on getting the information, employees should simply hang up the phone. Furthermore, every company should have an internal hotline for reporting scam attempts. This way, timely alerts can be issued in case the firm is targeted."