Social Security Administration

SYSTEMS SECURITY
BULLETIN

March 10, 2000

SECURITY REMINDER – SOCIAL ENGINEERING

SCAMS AND TRICKS TO OBTAIN INFORMATION FROM YOU

There have been instances in which SSA staff were "tricked’ into disclosing sensitive information. The common term for such tricks or scams is "Social Engineering". This is because the person attempting to get the information plays upon the good or helpful nature of the unknowing employee. They may flatter you or come across as really needing your help or attempt to persuade you that they are performing a service for you.

Sometimes they will pretend to be a fellow employee who needs access because their "system is down". They may try to engage you in conversation and may even know and mention a co-worker’s name in an effort to establish a feeling of mutual helpfulness. On other occasions, they may assume an authority persona to trick you into supplying information.

In one instance, the "trick" was accomplished by an individual posing as a network engineer and troubleshooter who needed a specific "ID" and password to verify that a problem on the network was fixed and would not reoccur. This individual was able to persuade an employee to provide an "ID" and password that had the access rights which the requestor desired. In other instances, callers have identified themselves as staffers from congressional offices or local agencies alleging attempts to serve a constituent. In actuality, some of these individuals were part of a group obtaining this information for illegal purposes.

To effectively combat these bogus/trick calls and social engineering scams:

There is never a good reason to give your password to anyone. If someone identifies themselves to you as a support person or user who needs to borrow your "ID" and password, try to identify them but do not give them the requested information. Ask for a number where you can call them back and notify your security officer immediately.

Office of Information Systems Security
SSA Pub. No. 31-041