Protecting Your Retail Business From Social Engineering Scams
Social engineering scams involve more than just clicking on email website links or visiting infected websites.
My first work-related experience with a social engineering scammer happened decades ago, during my tenure as a Retail Department Store Manager.
One morning just as the lunch rush crowd was coming into the store, another manager and I were discussing the sales floor placement of some Television and Stereo equipment for an upcoming sale. As we were talking, out of the corner of my eye, I noticed an individual pushing a hand-truck walk up to a stack of TV boxes, lift them up, and take off towards the entrance of the store.
My first thoughts and words were, "Who the hell was that?", as both the other manager and I took off after the guy, stopping him about halfway to the main entrance door. He wasn’t any employee that I knew, nor do I recollect having seen him before…
This individual was clean-cut and dressed in a service uniform, complete with a fictitious embroidered name tag. He had steel-toed work boots and a pen over one ear, and was carrying a professional clipboard, complete with bogus delivery and pick-up receipts. His hand truck was an industrial type that was typical of most commercial delivery drivers at the time.
As the police arrived, this individual claimed that he had a valid pick-up order; however, the paperwork that he had was for another company, and it was for appliances, not TVs.
Obviously, he was trying to take advantage of the fact that, because he looked, dressed, and acted the part, no one would question his actions. Even to this day, I wonder exactly how many times this criminal had tried this elsewhere and actually pulled it off successfully in the past. We found out later that this same individual may have been tied to dozens of known similar thefts or theft attempts.
Similarly, with computer systems, these same techniques are being used by individuals posing as MIS professionals (i.e. the Computer Guy), who are often not challenged by staff who have never seen the technician before. Generally, this is because staff assume he is legitimate: he looks like he knows what he is doing, and so he must belong there.
There have been situations in the field where these scammers have installed malware, keystroke loggers, and credit card skimmers on PCs and registers. In some cases they have been able to obtain managerial and administrative computer passwords from the store staff.
One of the easiest ways to avoid this sort of scam is to train your staff to respectfully challenge anyone coming into your store on the premise of doing technical work. Minimally, the person coming into your establishment to do work should be able to:
- State who they are, who they are there to see, and why they are there.
- Produce contact names and phone numbers of the people in your organization that authorized the work to be done.
- Produce a business card with their company and contact information, along with a valid photo ID that proves that they are who they say they are.
Anyone who is legitimate should have no problem with complying with any of the above.
Additionally, it is good practice to inform store managers and other staff whenever expected work is to be done, ahead of the technician actually showing up on-site.