Tim Callan recounts the parallels between the type of phishing that occurred before the internet (social engineering over the phone, etc.) and today's phishing.
At one point in my life before I joined VeriSign, my wife and I both operated consultancies out of our house. We often picked up each other's phone lines if it was more convenient, feeling free to fend off the telemarketers and pass along the calls that mattered.
One day my phone rings. I'm in the kitchen getting a drink, so she picks it up. As I walk back into our joint office, she's holding the handset and looking at me.
"It's about your company AmEx card," she tells me, puzzled look on her face. Puzzled for the simple reason that my one-man consulting firm did not have an American Express card.
Immediately I knew what it was. I took the phone and asked how I could help.
The voice on the other line states, "This is American Express. We've come up with a questionable charge on your corporate card."
"I need to access your file. What's your card number?"
I didn't want to invest too much time on this little expedition, so I went straight for the close. "I'm on the other line with a customer right now. Is there a number I can call you back at?"
Obviously that wasn't American Express calling us. It was what they used to call a blagger. A blagger is someone who calls people on the phone and uses deception to get them to reveal information they shouldn't. A blagger is a specific form of con man. A blagger is an offline phisher. The point is that phishing is just the latest extension of the social engineering phenomenon.
What a prehistoric phish looks like - [Tim Callan's SSL Blog]. Originally posted on Sun Feb 17, 2008.