Social Engineering Attempt
We had a strange call here two nights ago.
A man called in and said “My name is Mr. X, I’m the CEO of “Company Y” and I’m a reseller of yours based in Europe. I am at a pay phone in Florida and just got robbed. I had all my money, ID, phone and passport taken, my office is closed right now and I couldn’t think of anyone else to call for help.”
We thought briefly about what to do. We knew the company, checked their web site and Mr. X’s name checked out. So, we decided to help find him a hotel room for the night and try to front him money to take the bus to the appropriate consulate the next day.
We made a hotel reservation through our travel agent and phoned Mr. X back at the pay phone to provide the address. Since hotels normally require ID, the hotel agreed to use Mr. X’s photo from the web site as identification. Mr. X hung up and was to start walking to the hotel.
Unfortunately we discovered too late that the hotel was actually quite some distance from where Mr. X was located. But, we now had no way to reach him. The hotel even let one of their people leave armed with Mr. X’s photograph and went out to try and find him.
While this was going on we sent a message to Mr. X’s company outlining what was going on and where he was supposed to spend the night so they could reach him and provide additional assistance the next morning.
We didn’t hear anything more from Mr. X that evening despite office phones being forwarded to mobile phones.
The next morning we received an email from the real Mr. X stating basically “thank you for your concern and assistance but I’m quite well and have been here in Europe all week.”
So, it looks like this whole episode was a scam. The person was likely trying to get a credit card number from us but since we made the arrangements with the hotel directly, the person didn’t get anything out of us.
We’ve forwarded the “pay phone” number that was used and description of events to local authorities in South Carolina where the number appears to be based from the results of a quick Google search.
This type of social engineering is not uncommon but this particular case sure seems like it was more sophisticated (figuring out the F5-reseller relationship, picking Europe so that they were closed for the evening, etc.) despite all this information being available on the web, piecing everything together required more effort on the scammer’s part than a typical case (although I'm by no means an expert on this topic!). Perhaps getting a business credit card number with a higher limit is worth the effort on the bad guy's part.
Since we're in the technology market, we tend to focus on what attempts are made over networks to take advantage of companies. We can't forget that we need to be vigilant about low tech social engineering efforts like this one.