Social Engineering by phone - The personal touch
Posted by: Andrew Jefferies
on Mar 15, 2009
Email is great and I love it. But, when it comes to getting action taken, nothing works better than a good old-fashioned live conversation. Job counsellors will always tell you that an email isn't enough if you are trying to get a job. You need to follow it up with a call or a visit. This is true in finding a job, but it also works for people trying to scam you or your business.
In my experience a phone call is gold when you are trying to pull off a social engineering attack. You can try to accomplish the goal through email or fax but if you really want to take someone for a ride you need to talk to them. This is assuming of course that you can keep up your character properly during the ruse!
The problem is that most of us are trusting. If somebody calls us with a plausible problem that we can help solve, most of us will want to help. This is a good thing...unless what they are asking is part of a deception.
There are a lot of great examples of things you can do over the phone. We've had success getting passwords, vacation schedules, network architecture information, and getting users to execute malware applications (through step-by-step instructions), among other things.
Now, this isn't to say that if any person calls, your employees are going to give away the farm on the first conversation (although they might!). Usually these sorts of attacks happen over several calls. The attacker will typically start with small, simple conversations that are meant to build rapport, and then build on that information to get other things done.
So how do you defend against these sorts of attacks? Well, first of all, you need to educate your users that these sorts of attacks exist. Give specific examples so that they can understand some of the ways they will appear. Secondly, you need to have specific processes in place to help your employees make good decisions: for example, a standard verification test for incoming callers. If someone is claiming to be an employee, there should be a way to verify that. You can also limit the types of information that people can give over the phone to unverified callers.
The more situational tools that your employees have the better they will be at making good security decisions.