Hampering the Human Hacker and the Threat of Social Engineering
Using automation to protect your customers and your business
Voxeo Corporation
Smashwords Edition
Copyright 2012 Voxeo Corporation
Smashwords Edition, License Notes
Thank you for downloading this free ebook. You are welcome to share it with your
friends. This book may be reproduced, copied and distributed for non-commercial
purposes, provided the book remains in its complete original form.
Table of Contents
Social Engineering – What is it?
Social Engineering Tactics and Tools – Using Deception to Break In
Preventing Social Engineering Attacks – The Best Breach is No Breach at All
About Voxeo
Introduction
2011 was a banner year for security breaches that resulted in
compromised customer records. According to the 2012 Data Breach
Investigations Report issued by the Verizon RISK Team there were 174
million compromised records in 2011, an increase of more than 4,000
percent from 2010.
Thirty-seven percent, or more than 55 million of those compromised
records, were accessed using social engineering tactics, the highest
amount and percentage of total records in the history of the Data
Breach Investigations Report. And, as the report also details, 97
percent of the breaches it studied were avoidable through simple or
intermediate controls. Victims were chosen simply because it was easy
to break in.
Clearly, companies of all sizes need to understand the deceptive
practices that social engineers use, and how to protect themselves and
their customers from attacks. In the following pages we’ll take a look
Social engineering attacks are based on one thing – information.
Without information about your customers, social engineers aren’t able
to use the elicitation and pretexting tactics that are described below.
This information is relatively simple to obtain. A good social engineer
can spend a few hours researching a target online and have enough
information to make even the most seasoned contact center agent
believe the social engineer is someone they are not. The increasing
amount of personal information that’s available using search engines,
Whois databases, social media (Facebook, LinkedIn, MySpace, Twitter,
etc.), blogs, wikis, and photo sharing sites makes it very simple for
them to find or determine:
• Email addresses
• Telephone numbers
• Addresses
• Employment
• Hobbies and activities
• The names of pets
• The physical location of an individual (using GPS coordinates
embedded in the metadata of photos posted on Facebook and Twitter)
Even Social Security numbers are available from some paid research
services.
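The GPS leak mentioned above is worth seeing concretely. The following Python example is added here and is not part of the original ebook: it constructs a minimal EXIF (TIFF-structured) blob that carries nothing but a GPS IFD with made-up coordinates, then parses it the way any metadata tool would, converting the degrees/minutes/seconds rationals into signed decimal degrees. The byte layout follows the TIFF 6.0 and Exif conventions (tag 0x8825 pointing at the GPS IFD, GPS tags 1 through 4 for the latitude and longitude reference and value); the coordinates and the builder function are constructed for the demonstration. Note that many photo services strip this metadata on upload, so what a target actually exposes depends on where the photo was posted.

```python
import struct

# Exif/TIFF constants (TIFF 6.0 header and IFD layout, Exif GPS IFD tags).
GPS_IFD_POINTER = 0x8825                        # entry in IFD0 that points at the GPS IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5


def build_exif_with_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct a minimal little-endian TIFF/EXIF blob whose only payload is a GPS IFD.

    lat_dms / lon_dms are (degrees, minutes, hundredths_of_seconds) integer triples,
    stored as three RATIONALs the way cameras write them. Constructed for this example.
    """
    def entry(tag, typ, count, value4):                       # one 12-byte IFD entry
        return struct.pack("<HHI", tag, typ, count) + value4

    def ascii4(ref):                                          # ASCII values <= 4 bytes sit inline
        return (ref.encode("ascii") + b"\0").ljust(4, b"\0")

    def rationals(dms):                                       # 3 x (numerator, denominator)
        d, m, s100 = dms
        return struct.pack("<6I", d, 1, m, 1, s100, 100)

    ifd0_off = 8                                              # directly after the 8-byte header
    gps_off = ifd0_off + 2 + 1 * 12 + 4                       # IFD0 holds a single entry
    data_off = gps_off + 2 + 4 * 12 + 4                       # GPS IFD holds four entries

    header = b"II" + struct.pack("<HI", 42, ifd0_off)
    ifd0 = (struct.pack("<H", 1)
            + entry(GPS_IFD_POINTER, TYPE_LONG, 1, struct.pack("<I", gps_off))
            + struct.pack("<I", 0))                           # no next IFD
    gps = struct.pack("<H", 4)
    gps += entry(TAG_LAT_REF, TYPE_ASCII, 2, ascii4(lat_ref))
    gps += entry(TAG_LAT, TYPE_RATIONAL, 3, struct.pack("<I", data_off))
    gps += entry(TAG_LON_REF, TYPE_ASCII, 2, ascii4(lon_ref))
    gps += entry(TAG_LON, TYPE_RATIONAL, 3, struct.pack("<I", data_off + 24))
    gps += struct.pack("<I", 0)                               # no next IFD
    return header + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)


def extract_gps(blob):
    """Parse a TIFF/EXIF blob (either byte order) and return (lat, lon) in signed
    decimal degrees, or None when no complete GPS position is present."""
    order = {b"II": "<", b"MM": ">"}.get(blob[:2])
    if order is None:
        raise ValueError("not a TIFF/EXIF structure")
    magic, ifd0_off = struct.unpack(order + "HI", blob[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic number")

    def read_ifd(off):
        (n,) = struct.unpack(order + "H", blob[off:off + 2])
        entries = {}
        for i in range(n):
            base = off + 2 + 12 * i
            tag, typ, count = struct.unpack(order + "HHI", blob[base:base + 8])
            entries[tag] = (typ, count, blob[base + 8:base + 12])   # raw value/offset field
        return entries

    ifd0 = read_ifd(ifd0_off)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_off,) = struct.unpack(order + "I", ifd0[GPS_IFD_POINTER][2])
    gps = read_ifd(gps_off)
    if not all(t in gps for t in (TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON)):
        return None

    def ref(tag):                       # "N"/"S" or "E"/"W"; short ASCII is stored inline
        typ, count, field = gps[tag]
        raw = field if count <= 4 else blob[struct.unpack(order + "I", field)[0]:][:count]
        return raw.split(b"\0")[0].decode("ascii")

    def dms(tag):                       # three RATIONALs -> decimal degrees
        (off,) = struct.unpack(order + "I", gps[tag][2])
        n = struct.unpack(order + "6I", blob[off:off + 24])
        return n[0] / n[1] + (n[2] / n[3]) / 60 + (n[4] / n[5]) / 3600

    lat = dms(TAG_LAT) * (-1 if ref(TAG_LAT_REF) == "S" else 1)
    lon = dms(TAG_LON) * (-1 if ref(TAG_LON_REF) == "W" else 1)
    return lat, lon


if __name__ == "__main__":
    # Constructed coordinates, not taken from a real photo.
    sample = build_exif_with_gps((28, 32, 3000), "N", (81, 22, 4500), "W")
    print("%d-byte EXIF blob ->" % len(sample), extract_gps(sample))
```

In a real JPEG the same TIFF structure sits inside the APP1 segment after the bytes `Exif\0\0`, so a tool only has to locate that segment and hand the remainder to a parser like `extract_gps`; the offsets are relative to the start of the TIFF header, which is why the parser works on the bare blob.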
Once the social engineer has relevant information, they use it in these
highly effective human hacking tactics:
• Elicitation
• Pretexting
Elicitation
The National Security Agency of the United States Government defines
elicitation as “the subtle extraction of information during an apparently
normal and innocent conversation”. Social engineers use the
information they’ve gathered to get their target to first trust them.
compromised.
Pretexters also use telephone-based tools like ANI (automatic number
identification) spoofing to bolster the assumed identity. Strictly, Caller
ID is the number the caller presents for display, while ANI is the number
the carrier delivers for billing (toll-free called parties receive it); the
two travel separately, and a call whose presented number disagrees with
its billing number is itself a warning sign. In ANI spoofing, the
pretexter changes the number that appears on the called party's
phone display from his or her own number to that of a:
• Customer
• Remote office
• Sister company
• Company executive
• Vendor
Basically, pretexters can change their number to anyone else’s. To do
that, they use Caller ID Spoofing technologies that are cheap and easy
to acquire. Among the most popular are:
• SpoofCard – Using a SpoofCard, the pretexter merely calls an 800
number provided on the card, enters a PIN, the number for the
Caller ID display, and the number to call. Newer SpoofCard
features allow pretexters to record conversations and change
their voice to be male or female.
• SpoofApp – SpoofApp is SpoofCard for the cell phone. However,
instead of calling an 800 number, the pretexter enters the
number to call and the number to display and SpoofApp does the
rest.
• Asterisk Servers – A spare computer, a VoIP service, and the free
Asterisk software are all that is required for pretexters to create
their own SpoofCard-like capability. This is an attractive option
to pretexters in that minutes never run out and there is no
third-party spoofing service in the path to cut them off.
Social engineering attacks are powerful because they take advantage
of our very human desire to be polite and helpful. To counteract that
power, companies need a combination of practices, processes,
environment remains secure through regular audits. PCI-compliant
hosting is a simple way to ensure the integrity and cost
effectiveness of a company's customer care and self-service
application environment.
3. Technology – Stopping elicitation or pretexting attacks before they
reach a human being is the best method of prevention. But, when that
isn’t possible, stopping these attacks immediately is essential. Among
the most effective tools in social engineering attack prevention are:
• Caller ID/Automatic Number Identification (ANI) Detection – Services
like Voxeo’s ANI Spoof Detector analyze the phone number of
incoming calls to determine if the Caller ID/ANI is spoofed. If the
number has been spoofed, the call is rejected and never reaches
the called party. The ANI Spoof Detector stops pretext attacks
before they can reach a contact center agent or employee.
• Location Intelligence – Some IVR (interactive voice response)
systems include location-based intelligence. This allows
companies to match a caller's number to their current location.
If, for example, a customer were to call from a geographic
location far from their own city or state, a contact center agent
could be prompted to ask more stringent security questions.
Using location-based intelligence can aid companies in stopping
a pretext attack almost immediately.
• Voice Biometrics – Voice biometrics or voice authentication makes
it possible for companies to stop pretext or elicitation attacks
before the attacker can use deception tactics on an employee or
contact center agent. In the past, this technology was relatively
expensive and difficult to deploy. However, newer service
approaches, like those from Voxeo, make it a simple and cost-
effective way for companies of all sizes to reliably authenticate
customer identities.
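The ebook does not say how Voxeo's ANI spoof detector or its location check work internally. As an added illustration of the first two checks above (not Voxeo's code, and not from the original ebook), here is a Python example that applies them to inbound SIP INVITEs: it compares the number the caller presents in the From header with the number the carrier vouches for in P-Asserted-Identity (RFC 3325) and rejects the call on a mismatch, then maps a consistent number's area code to a region and asks for stepped-up security questions when that region differs from the customer's profile. The INVITE messages, the three-entry area-code table and the `assess_call` decision labels are constructed for the example; P-Asserted-Identity can only be believed on a trunk from a carrier that strips and re-asserts it, which the `trusted_trunk` flag models.

```python
import re

# Constructed NANP area-code table: a tiny excerpt for this example only. A real
# deployment would use a full numbering-plan database or a carrier location service.
NPA_REGION = {"407": "FL", "212": "NY", "415": "CA"}


def parse_sip_headers(raw):
    """Return {lowercased header name: value} for the header section of a SIP request."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:   # skip the request line
        if not line.strip():
            break                                            # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


_URI_USER = re.compile(r"sips?:\+?([0-9]+)@")


def extract_number(header_value):
    """Digits of the user part of the first sip:/sips: URI in a header, or None."""
    m = _URI_USER.search(header_value or "")
    return m.group(1) if m else None


def region_of(number):
    """Region for an 11-digit NANP number (1 + NPA + NXX + XXXX), or None if unknown."""
    if number and len(number) == 11 and number[0] == "1":
        return NPA_REGION.get(number[1:4])
    return None


def assess_call(raw_invite, customer_home_region, trusted_trunk=True):
    """Decide allow / step_up / reject for an inbound INVITE.

    trusted_trunk: P-Asserted-Identity (RFC 3325) may only be believed when the
    call arrives over a trunk from a carrier that strips and re-asserts it; from an
    untrusted peer the header is attacker-controlled and is ignored here.
    """
    h = parse_sip_headers(raw_invite)
    presented = extract_number(h.get("from"))
    asserted = extract_number(h.get("p-asserted-identity")) if trusted_trunk else None
    result = {"presented": presented, "asserted": asserted, "reasons": []}

    # 1. Spoof check: the number the caller chose to display must agree with the
    #    number the network vouches for. A mismatch is rejected before any agent
    #    hears the call.
    if asserted and presented and asserted != presented:
        result["reasons"].append("Caller ID %s does not match network-asserted number %s"
                                 % (presented, asserted))
        result["decision"] = "reject"
        return result

    # 2. Location check: an unknown region, or one that differs from the customer's
    #    profile, prompts the agent for stricter questions rather than a hard reject.
    region = region_of(asserted or presented)
    if region != customer_home_region:
        result["reasons"].append("caller region %s vs customer home region %s"
                                 % (region, customer_home_region))
        result["decision"] = "step_up"
        return result

    result["decision"] = "allow"
    return result


def _invite(from_num, pai_num=None):
    """Build a constructed SIP INVITE for the examples (not a captured message)."""
    lines = [
        "INVITE sip:+14075551000@ivr.example SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK776asdhds",
        '"Customer" <sip:+%s@carrier.example>;tag=1928301774'.join(["From: ", ""]) % from_num,
        "To: <sip:+14075551000@ivr.example>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
    ]
    if pai_num:
        lines.append("P-Asserted-Identity: <sip:+%s@carrier.example>" % pai_num)
    return "\r\n".join(lines) + "\r\n\r\n"


# Three constructed calls against a customer whose profile says Florida.
SPOOFED_CALL = _invite("14075550100", pai_num="12125550199")     # displays FL, network says NY
TRAVELLING_CALL = _invite("14155550123", pai_num="14155550123")  # genuine, but calling from CA
LOCAL_CALL = _invite("14075550100", pai_num="14075550100")       # genuine and in-region

if __name__ == "__main__":
    for name, call in (("spoofed", SPOOFED_CALL), ("travelling", TRAVELLING_CALL), ("local", LOCAL_CALL)):
        print(name, assess_call(call, "FL"))
```

In a PSTN deployment the same comparison is made between the billing ANI the carrier delivers and the presented Caller ID; the two SIP headers here are the VoIP analogue. The order of the checks matters: a spoofed call is rejected outright, while a genuine caller who happens to be travelling is only asked more questions.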
About Voxeo
Voxeo powers mobile self-service, including voice, text, mobile web,
smartphone and social interactions. The solution enables companies
to cost-effectively support the communication channels customers
prefer for receiving notifications, accessing information, performing
transactions, sharing opinions, and connecting to the right people
when needed.
With open standards and a unique, “design once, deploy anywhere”
architecture, Voxeo reduces the cost and effort of delivering great
customer service anywhere, on any device. The result is a faster
return on investment and a significantly lower total cost of ownership.
About Voxeo Security Suite
Voxeo Security Suite includes ANI spoof detection, voice biometrics
(premises or hosted), location-based services and Level 1 PCI-DSS
hosting to help companies combat the increasing threat of social
engineering and fraud. The Security-as-a-Service solution is helping
companies quickly implement multi-factor authentication to reduce
risk, streamline interactions and enhance the overall customer
experience.
To learn more about Voxeo’s multi-factor authentication and how it can
help prevent social engineering attacks at your company, improve the
customer experience and lower costs, contact Voxeo at
or 407.418.1800.
Why Voxeo?
Communications leadership in every form – voice, SMS, mobile, social
media and more
Used by more than 250,000 developers, 45,000 companies and half
the Fortune 100
Open standards-based customer self-service solutions
Cost effective Security-as-a-Service options for ANI spoof detection,