Proofpoint: Security, Compliance and the Cloud

We regularly warn consumers and enterprises about the dangers of email-based phishing attacks and provide tips for staying safe online, but it's easy to forget that phishing emails are really just an evolution of the classic confidence scam. The social engineering techniques that are behind every sort of phishing scam (whether it's a Nigerian "419" scam or a more sophisticated spoof aimed at online banking users) have analogs in the real world.

A friend in the travel and tourism industry told me about an identity theft scam that hit one of their hotels—and a hotel guest—in the last couple of days:

During the night shift, the hotel received a phone call asking for "Mr. Jones." The night auditor working the font desk transferred the call to a room where one "Mr. Jones" was, in fact, staying.

When the guest answered the call, the caller identified himself as the night auditor and explained that the hotel was having trouble with the guest's credit card... and could he please verify the card number, expiration date, etc.

The next day, Mr. Jones was contacted by his credit card company because they had seen suspicious use of the card -- to the tune of several thousand dollars.

Now, if you received an email like this, you wouldn't answer it, of course. But I wonder how many of us—awakened in the middle of the night—might not bat an eye at providing that info over the phone.

The hotel has since adopted stricter phone screening measures to avoid this type of thing in the future, but it's always good, as a consumer, to be reminded of how scams work... and that, really, you can't be too careful when it comes to protecting personal information. Security begins with education.