A Social Phailure

It’s not uncommon for your email spam folder to be full of phishing emails exhorting you to confirm your SSN or credit card details with your bank, or demanding your account details for an online game to avoid it being canceled because of cheating activity detected. It’s less often that the phishing attempt arrives over the phone.

Last week I answered a call on my work phone whose caller ID showed “unknown”. I’m already predisposed to ignore such calls because of telemarketing. However, I can imagine some situations where one of our customers’ phone exchanges would not appear on caller ID. So I answered.

A man politely informs me that he needs to confirm my email address in order to send me a tracking number for a FedEx package. I prefer to think that I’m a suspicious person rather than a cynical one. This statement was immediately suspicious because it was an out-of-the-blue attempt to extract information from me and I rarely receive packages. To be clear, my work email address is trivial to find (as apparently is my phone number). In fact, the caller had the correct email address. He only wanted me to confirm it.

I evaded acknowledging the email address, which led the caller[1] to assert that the package couldn’t be sent without giving me a tracking number. Here he also tried to deflect my suspicion by mentioning that the package was from Chase Bank. And it was to be delivered tomorrow, but I needed to confirm my email so “they” could send me the tracking number.

I mentioned that I was confused why the package couldn’t arrive unless the tracking number was acknowledged. A little earlier in the conversation I had asked the caller’s name. He replied, “Jason.” Now I asked another question, “Could you tell me who the sender is?” After all, maybe I’m being overly cautious and Chase Bank wants to send me lots of cash for some reason.

The answer was even more telling, “We don’t have access to that data. For privacy reasons.” Even though the package was apparently coming from Chase, I was being told that the sender’s information was obscured from this poor FedEx rep’s view. Giving me a somewhat contradictory explanation doesn’t build my confidence in the goal of this call.

By now I was explaining that if the package doesn’t arrive because I refused to acknowledge my email address then I was sure the sender would deal with the problem. The caller made a final effort at confirmation, at which point I said something along the lines of, “Send an email if you want, but I’m not going to look at it. We’ll see if a package arrives.”

There’s potential for fun to be had with turning the tables on cons and phone phishing attempts like this. Yet the call was grating and it was time to hang up. Neither email nor package arrived. Quelle surprise.

I can only speculate on the ultimate goal of this phishing attempt, but I suspect the immediate objective was to soothe any suspicions about receiving an unsolicited “Fedex package tracking” link so that I’d click on it. I would probably also have been reminded to check my spam folder in case the email was accidentally marked as spam. A link, of course, leading to a site laced with malware that would like nothing else than to infect my already abysmally slow desktop.

The simplest, most straightforward way to end the call could have been, “I have a pen and paper right here. You can just give me the number now.” This would not only have called the bluff, but might have provided brief entertainment as the caller tried to make up an excuse for not being able to give the number over the phone or lamely created a number on the fly.

There are some very basic things you can do to possibly foil a social engineering attempt or build confidence in the claims of an unsolicited caller. The easiest step is to politely ask simple questions:

  • What’s your name? On whose behalf are you calling?
  • Do you have a number where I can call you back?

If you’re confused about something or a statement seems odd, ask for clarification. Social engineering usually relies on the human characteristics of greed or the desire to be helpful. You don’t need to counter a possible attack by being rude or belligerent (although it probably helps to not be greedy). After all, someone may be calling for good reason.

Good questions might fluster the attacker or further erode your trust in the call. However, there’s always the chance that the answers will seem reasonable. In any case, you can always report suspicious calls to your IT or security department. That way you help them identify a trend or be more vigilant for certain activity. You probably don’t want to be the reason your company’s passwords, source code, or financials appear on a peer-to-peer file sharing network.


[1] I’m being nice by referring to him as “caller”. Unethical jerk is merely the tip of the iceberg of more suitable names.

Published by Mike Shema

Security, RPGs, and writing. Immersed in music (80s), sci-fi (dystopian), and horror (spooky). #synthwave Host of the Application Security Weekly podcast.