Gave my boss a 60 second talk about Social engineering


(Edwin Eekelaers) #1

About an hour ago I received a request to reset the password of someone’s AD account via a ticketing system. Since the ticket was auto-created based on a mail received from a gmail account, I did not trust the thing at all. Had a chat with my manager and told him I’m not going to do that unless the guy actually calls me in person so I can ask him a few things only the genuine person can know.
I’ve been in the business too long to fall for such a trap. What would you do in such a case? Refuse & request a personal contact?


(Mpeli Mtowa) #2

Sure, I would do the same. I have come across users requesting such critical tasks like PW resets or elevating access privileges for a company that we did HelpDesk Support for. And they have very clearly defined rules; one would need to study the matrix to understand how to circumvent the matrix. This was always a training that all helpdesk techs had to be refreshed on every few months. It was very helpful.


(Edwin Eekelaers) #3

And the guy hasn’t bothered calling yet… In 2 hrs I switch off my phone & head home.


(Steven Porter) #4

Absolutely the correct action. A real user would have either been screaming at you or crying to their boss by now! :slight_smile:


#5

Yep, too many bots out there…I’d require a call. Maybe even ask their employee ID number or something to authenticate them.


#6

I would call the user to check it out first.


(Edwin Eekelaers) #7

Oh, I do not doubt the user, but it came via a non-company mail account, so I replied I didn’t reset it and asked the user to call me directly. User never called :smile:
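The check described in #1 and #7 (a password reset request that reached the ticket queue from a non-company mailbox gets parked until the requester calls back) as a small triage rule over the inbound mail. This is an added example, not code from the thread or any ticketing product; the corporate domain list and the sample message are constructed.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the company's own mail domain(s). Anything else is "external".
CORPORATE_DOMAINS = {"example.com"}
# Words that mark a ticket as a sensitive account action.
SENSITIVE_KEYWORDS = ("reset", "password", "unlock", "privilege", "access")

# Constructed sample: the kind of mail that auto-created the ticket in #1.
SAMPLE_MAIL = """\
From: Some User <some.user@gmail.com>
Reply-To: some.user@gmail.com
To: helpdesk@example.com
Subject: Urgent: reset password for my AD account

Hi, I'm locked out, please reset my AD password asap.
"""


def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if absent)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_sensitive(msg):
    """True when subject or plain-text body asks for an account action."""
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    return any(k in text.lower() for k in SENSITIVE_KEYWORDS)


def triage(raw_mail, corporate_domains=CORPORATE_DOMAINS):
    """Decide whether a mail-created ticket may proceed or must wait for a callback."""
    msg = message_from_string(raw_mail, policy=policy.default)
    reasons = []
    domain = sender_domain(msg)
    if is_sensitive(msg) and domain not in corporate_domains:
        reasons.append(f"sensitive request from non-corporate domain {domain!r}")
    # A Reply-To that differs from From is another classic sign of a spoofed request.
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != from_addr:
        reasons.append("Reply-To differs from From")
    action = "hold_for_callback" if reasons else "normal"
    return {"action": action, "domain": domain, "reasons": reasons}
```

A held ticket is only released after the requester is reached on a number already on file, not one supplied in the mail.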


(John glover) #8

I often wonder how some people feel about the Easter Bunny and other Pollyanna activities when they fall for this ruse… For sure you would want to err on the side of caution and do the due diligence approach… Totally agree with the need to “trust but verify”… thoroughly!!! Great post!!!