Crooks look for easy targets. When it comes to IT security, I’m not an easy target. I’m an IT consultant and should know better than to fall for scams. But in the middle of the night in a hotel, anyone who answers a phone can become a target.
As an IT consultant, it’s part of my job to assess where Information Security (IS) stands within organizations and to guide clients towards stronger IS practices. IS breaches can come in many forms; an attacker can gain access through vulnerability scans, packet sniffers, or phishing. Such was the case with the most recently publicized breaches at Target and certain Marriott properties.
I experienced this firsthand recently while staying at a Marriott. The hacker attempted to get my information through social engineering.
Be alert, even when caught off-guard
I got a late-night phone call on the hotel phone. After several rings, I managed to wake up enough to answer the phone, but I’ll admit that in my sleepy haze I wasn’t thinking clearly like the technology consultant that I am.
The caller, claiming to be a Marriott employee at the front desk, stated that the hotel system had failed, erasing my information on file. The caller asked for my name, which I provided. However, once she so kindly asked for my credit card number (so as to not inconvenience me by making me go down to the front desk) my IS senses kicked into full swing and I told her absolutely not.
The caller tried again, saying that there was already a line of people and that we could easily take care of this on the phone to save me a trip to the lobby.
I hung up, got myself out of bed, and trudged down to the front desk to find out what was going on with the hotel’s system in the middle of the night. Safe to say, there was no line, nor was there an issue with my information on file. I had been the subject of an attempted attack. Luckily, I knew better, as I had been trained to look for the risks, which allowed me to see the red flags even in a sleep-deprived state.
Training, training, training
The moral of this story is that an organization can have all the security policies, plans, and protocols in place, but, at the end of the day, it’s training the employees that truly protects your organization. Awareness among all staff, not just those in IT, is the only defense against the social engineering and phishing attacks that can undo the security around the systems you have worked so hard to protect.