I did a little social engineering pretext calling reconnaissance work recently to see if I could get some general information (what time do employees go home for the day, locations, urban/rural areas, wire request instructions, etc.). I posed as a customer, and all the employees I talked to were very helpful and would even give me more information than I asked for. I was expecting this because of that small-town, community banking environment. When I got more comfortable and started asking for sensitive information, I was challenged with authentication questions, which kind of surprised me. I fumbled around and got off the phone quickly. The person I was talking to was very friendly, yet was going through proper procedures to keep the bank secure.
When we do these social engineering reviews and present the bank with our findings, I am nervous about scaring employees into being ‘too secure’ (if that is possible). I would love for them to run through all their customer identification procedures before giving out any information, but on the other hand I want them to keep that community bank feel. I guess I just don’t want to scare employees into being robots when working with customers. That would destroy the core competencies of some of the banks we work with. It was nice to talk to someone who really wanted to help me, but went through the right steps to do so. The point of the story: security and community banking are possible in the same environment; I’ve seen it.