Security Basics mailing list archives

Re: Steps to avoid Social Engineering


From: John Blackley <jblackley () sysmatrix net>
Date: 20 Apr 2005 01:51:13 -0000

In-Reply-To: <8a9a90f405041811393557cacb () mail gmail com>

I sympathise with your problem and the first piece of advice I have for you is this: You may be able to reduce the risk 
and you may not be able to entirely eliminate it. However, beware of the risk of making your controls so convoluted 
that you disappear up your own environment.

Some thoughts on controls: A single point of contact at the third-party company begins to reduce the risk of 
impersonation - only receive calls from an authorised person at the third-party (allowing a backup, of course, for when 
he/she isn't available to make the call).

When someone calls from the third-party, call them back at the third-party's switchboard and ask to be connected to 
them.

If you have a written contract with the third-party and that contract has some kind of identifier on it (contract or PO 
number), ask for that.

You can go on from here yourself, I'm sure. The key here is simple, easily-established rules that give you some 
assurance that you are talking to the person you think you're talking to.

Good Luck

John A Blackley
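The three controls above (an authorised contact plus backup, a call-back through the third party's switchboard, and a contract or PO reference the caller must quote) can be turned into a small decision procedure. The following is an added example and is not part of the original post; the company, names, phone numbers and reference numbers in it are constructed, and the function and class names are the example's own. The point it makes explicit is that the call-back number is always taken from our own records, never from the caller, because an impersonator controls the number they give us but not the real switchboard.

```python
"""Caller-verification helper for phoned-in third-party requests.

Added example, not code from the mailing-list post. Models the three
controls suggested there: an authorised single point of contact (with a
backup), a call-back through the third party's switchboard number held in
our own contract file, and a contract/PO reference the caller must quote.
All data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import hmac


@dataclass
class ThirdParty:
    name: str
    switchboard: str        # number of record, taken from the signed contract
    authorised: List[str]   # primary contact first, then backup(s)
    contract_refs: List[str]  # contract or PO numbers on the written contract


@dataclass
class Verdict:
    proceed: bool
    callback_number: Optional[str]       # always from records, never from the caller
    reasons: List[str] = field(default_factory=list)


# Constructed directory; in practice maintained from the written contracts.
DIRECTORY = {
    "acme widgets": ThirdParty(
        name="Acme Widgets",
        switchboard="+1-555-0100",
        authorised=["Jane Doe", "Sam Roe"],
        contract_refs=["PO-2005-0417"],
    ),
}


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive form for names and references."""
    return " ".join(s.strip().lower().split())


def verify_caller(company: str, caller: str, quoted_ref: str,
                  callback_requested: Optional[str] = None) -> Verdict:
    """Decide whether a phoned-in request may be acted on and where to call back.

    Every failed check is recorded as a reason rather than stopping early, so
    the person taking the call sees the whole picture. A caller who asks to be
    called back on a number other than the switchboard of record is treated
    as a failed check, not as a convenience.
    """
    party = DIRECTORY.get(_norm(company))
    if party is None:
        return Verdict(False, None, ["no contract on file for that company"])

    reasons: List[str] = []

    if _norm(caller) not in {_norm(a) for a in party.authorised}:
        reasons.append("caller is not the authorised contact or the backup")

    # Constant-time comparison so the check itself does not reveal how much
    # of the reference a probing caller got right.
    ref_ok = any(
        hmac.compare_digest(_norm(quoted_ref).encode(), _norm(r).encode())
        for r in party.contract_refs
    )
    if not ref_ok:
        reasons.append("contract/PO reference does not match the written contract")

    if callback_requested and _norm(callback_requested) != _norm(party.switchboard):
        reasons.append("caller asked for call-back on a number that is not the switchboard of record")

    return Verdict(proceed=not reasons, callback_number=party.switchboard, reasons=reasons)


if __name__ == "__main__":
    for args in [("Acme Widgets", "Jane Doe", "PO-2005-0417"),
                 ("Acme Widgets", "Jane Doe", "PO-2005-0417", "+1-555-0199"),
                 ("Acme Widgets", "Eve Mallory", "PO-2005-0000")]:
        print(args, "->", verify_caller(*args))
```

Note that `callback_number` is populated even when `proceed` is false: the operator still calls the switchboard of record, which is how a genuine contact who simply misquoted the reference gets resolved, and how an impersonator is exposed.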

