Fake Graham Cluley tries to steal Sophos staff data

I woke up this morning, checked my email, and found out that I had an impersonator.

This was a very different situation from a couple of weeks ago when Greg Day of McAfee “stole” my identity. I opened my email today to discover that overnight some clown has been ringing up Sophos staff in our Singapore, Hong Kong and Philippines offices claiming to be me.

Apparently the caller (who has a Hong Kong accent) says that he is in Hong Kong on the way to Japan. He goes on to claim that his laptop is causing problems and so can a helpful person at Sophos please send various pieces of personal information about our employees to him. A classic piece of social engineering.

Kudos to the guys and girls in our Asian offices for keeping their wits about them, and realising that not only am I not in their neck of the woods at the moment, but also that the guy sounded nothing like me!

But this bizarre story leads to a more interesting question. Would your company be as alert to the risks of this kind of data theft?

What steps do you take to authenticate that someone is who they say they are? Some of these staff in Sophos Asia Pacific may never have met me, but they might feel obliged – because obviously they are HUGE fans of the Clu-blog 🙂 – to help me out in my moment of alleged hardware failure.

If your staff aren’t aware of security risks, and haven’t been trained about the importance of securing corporate information, then they could all too easily fall into the trap of handing information over to a data thief believing they are just “being helpful”.

Update: Thanks to reader JackP who suggested I should have titled this blog post “Hong Kong Phoney”. Bah! Wish I had thought of that.