Pre-Texting & Telephone Scams

Let's talk about pretexting and telephone scams. First, in-person social engineering, the aforementioned pretexting. An attacker tends to be someone who is somewhere they don't belong. In effect, they have a pretext to be there. There are numerous examples in films. Think, for example, of Luke and Han Solo on the Death Star. They're dressed up like stormtroopers. They have a pretext to be there. They're not really rebel scum. So an attacker might pretend to work, say, with your IT provider and, mind you, they'll have the shirt with the logo and they'll look legit. But if you don't know them, call the office just to be sure.

A related concept is something called tailgating, which uses your common courtesy against you. In a very small office this might not be an issue, but let's say you're in a building where you need a card key to get in, and someone who looks legitimate, looks like they belong there, is fishing around and can't find their key, and of course, look, you're polite: "Okay, yeah, come on in." Believe it or not, that could be an attacker, because it will never be someone who looks out of place. It could even be, hopefully not, but it could even be a recently terminated ex-employee who pretends to have forgotten his or her ID and, "poof," they've snuck into the office. And if their intent isn't good, it might not turn out so well.

Now there are also phone calls. These are sometimes referred to as vishing, or voice phishing. Typically they're seeking access and/or information, or they are reconnaissance for a subsequent attack against your office, like if they're trying to do, say, a BEC scam, which we talked about in an earlier segment. If they do a phone call first, they can get a lot of the information, which they then put into that particular BEC scam to make it much more effective and easier to trick you.


Now another concept is something called a tech support call. You've probably come across this. This is where scammers will try and trick you into paying to fix a "problem" they discover. They can also do it, like I say, pretending to be your IT people: "Yeah, if you let us log in, we'll fix the problem." If it's someone you don't know contacting you directly and you haven't set up the call, don't ever let them log into your system remotely. That's always a danger. For example, Microsoft, Apple, etc. are never, ever going to call you unsolicited about a problem on your system. On a related note, the IRS will never, ever call you unsolicited over alleged back taxes. That's just not how they do that. And again, it's a scam.

Another one you can run across is something called an overdue bill call. This will typically come with a threat to turn off your power if you don't take immediate action, or whatever it is they're allegedly claiming wasn't done. There's a specific instance of this in California in early 2018, where a dental practice reported receiving multiple calls like this, threatening to turn off the office's power if they didn't pay the obviously fake utility bill right away. And if the office staff isn't trained to know this could happen and be a scam, they're going to be in a panic. Obviously, you can't have your power turned off; you have patients to see.

A somewhat related concept is dealing with what are called robocalls. These are the automated phone calls. We all see them. They're annoying. There's a service called Nomorobo (again, I'll put a link in the notes) which actually blocks those calls. Like anything else, it's not going to get absolutely everything, but it gets a lot of them. And as I understand it, for a landline, it's free. I don't think it's terribly expensive for mobile phones either, but landlines are obviously free, and it's pretty effective.

In-person social engineering:

  • Pretexting involves an attacker pretending to be someone they aren’t to go someplace they shouldn’t be
  • Tailgating uses your common courtesy against you to let someone into a place they aren’t supposed to be

What can you do to stop in-person social engineering?

  • Have a visitor process that includes escorting all visitors, including vendors
  • Verify all visitors

Vishing (voice phishing):

  • Phone-based social engineering attacks, which can include:
    • Attempts to get information to be used in subsequent attacks against your office
    • “Tech support” calls in which scammers try to trick you into paying to fix a “problem” they “discover”
    • “Overdue bill” calls
  • This type of attack typically comes with a threat if you don’t take immediate action

What can you do to stop vishing attacks?

  • Do not give out PHI or financial information without verification