A hacker just called your office. Do your front-line personnel know what to say or do?

In News, Commentaries and Analyses
March 03, 2024
Regardless of whether you work for a big corporation or a small- or medium-sized business, you need to have a plan as to how you will respond in the event of a data security incident.

Many plans begin with what to do once you discover a breach, but do not neglect to ensure you have multiple ways of even finding out about a breach or problem. Here are some questions to ask yourself:

  1. If someone finds your data exposed on the internet, does the home page of your website tell them how to contact you, both online and by phone?
  2. If somebody calls you on the phone to alert you to a leak or breach, do all of your front desk people know to whom to transfer the call? And if no one is available, do your front desk people know what to ask the caller? Is this included in your onboarding and new employee training? Are these procedures periodically reviewed and rehearsed?
  3. If an employee receives an email with a subject line about a data breach or leak, will the employee ignore it as just a phishing attempt or will they forward it promptly to your IT person or vendor for further assessment?

How did you do on that preliminary self-assessment? If you are not really sure what your employees would do, it’s time for some more training. You might be surprised to learn how many researchers and journalists find it very frustrating trying to make entities aware of breaches. If someone is reaching out to you to alert you to a problem you have, make sure they can alert you without having to go through a million hoops.

But what about when it’s not someone well-intentioned who is trying to reach you? What about when it is a criminal who wants to extort you?

When a hacker calls

In the past, criminals who hacked their victims’ data might leave a note on their victim’s desktop screen alerting them to the hack and giving them instructions as to how to contact the hacker to pay their demands. Over time, other methods have been used. Some groups leave a “READ ME” message on every compromised computer that gives the victim a website address to reach the hackers. Some groups have had office printers spitting out instructions on contacting the hackers. Other groups simply call their victims on the phone to tell them they’ve been hacked. At one point, it was said that the Conti ransomware group had offices set up for call-center employees to make calls to victims.

The following is an actual call to a victim who was recently hacked by a lesser-known criminal group. The audio file was uploaded to the criminals’ dark web leak site. Listen to the call and think about whether your employees would know what to say or do in this situation.

How well do you think this employee handled the call? And would your employee(s) have done as well or not with a surprise call like this? If the victim’s IT department already knew about the breach, should front-line personnel have been told and prepared with responses for any callers?

The next day, the hacker called back and was transferred to a different employee who also claimed to know nothing of any hack. The Data Breach Times does not know if this second employee was intentionally trolling the hacker or was responding genuinely, but some of the employee’s responses may seem humorous to those who are experienced with these types of attacks and criminals. By the end of the call, though, the employee tells the hacker she would never negotiate with a hacker or terrorist.

See what you think of how this was handled and think about whether your team needs to have more discussions about what to say and what not to say in the event the phone rings and it’s a criminal hacker.