I got a report today from an employee who had just gotten a call from someone claiming to be either working for Dell, or on behalf of Dell. The caller's story was that they were working for the Dell credit card payment office, and that they wanted to validate a certain purchase. If we would please provide them with some additional information about one of our students, Dell would be able to help this person with their purchase much better.

The employee did not provide the information, terminated the phone call, and reported it to me.

So far, so good!

However, as my discussion with the employee continued, what bothered her was not so much that someone called her for that kind of information, but much more that she could not validate that it was indeed someone calling on behalf of Dell.

However much I tried to explain that it does not matter whether that person worked for Dell or not, because the issue that Dell might have with one of our students is an issue between that student and Dell and we are in no way part of that, somehow that message just did not sink in.

So, now I am left with a gnawing doubt: while no information was shared, the request was denied for the wrong reasons.

If a social engineer is able to convince someone that they are doing the right thing by disclosing information, success is practically guaranteed. After all, people WANT to do the right thing!

I guess it is time to kick up our internal training another notch: no matter what the reason is that someone calls, do NOT disclose ANY information, unless you are CERTAIN that you are:

1) trained to disclose that information

2) authorized to disclose that information

3) verifying who you are disclosing that information to

4) certain about what you are disclosing

5) documenting that you are disclosing it.