Saturday, February 11, 2017

Avoiding Phishing

Like all DBAs I suppose I'm irrationally paranoid: with the private records of millions of customers at my fingertips I am acutely aware of any security threat. Besides the usual best practices of securing firewall access and installing antivirus software on the clients, a DBA has to be particularly careful to avoid getting phished. An outside miscreant can approach you in a couple of ways: by phone or by eMail.

Usually I won't even open an eMail unless it's from somebody I know and isn't obviously spam. You probably shouldn't open an eMail from someone outside your organization if you weren't already expecting it. Sometimes, though, the eMail will appear to be a legitimate communication from somebody you already do business with. Even then, I take special precautions. Never, ever click on a link within such an eMail, and don't download images. Rather, save the eMail as an HTML file to disk, and then open it in a simple text editor. Then, after verifying that the link address (the href, not the visible text) corresponds to what you are expecting, manually copy and paste the relevant parts of the link into a browser. Be especially careful of intentional misspellings of the domain name designed to pass for the real one.
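The manual check described above (compare the href against the host you expect, and watch for near-miss spellings) can be done over a saved HTML file by a short script. This is an added example, not code from the original post: it reads every anchor tag, compares the host named in the visible link text with the host the href actually points at, and flags one-character lookalikes and punycode (xn--) hosts. The sample message and the "bigbank.example" domain are constructed for the example.

```python
"""Flag suspicious links in an e-mail that was saved to disk as HTML.

Added example. Usage: python check_links.py saved_email.html
With no argument it runs against the constructed sample below.
"""
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: this is the vendor we actually do business with.
EXPECTED_HOST = "bigbank.example"

# Constructed sample: one legitimate link, one whose text and href disagree,
# one one-character lookalike, and one punycode (IDN) host.
SAMPLE_HTML = """
<html><body>
<p>Your statement is ready.</p>
<a href="https://bigbank.example/statements">https://bigbank.example/statements</a><br>
<a href="https://login.bigbank-secure.example/verify">https://bigbank.example/login</a><br>
<a href="https://blgbank.example/reset">Reset your password</a><br>
<a href="https://xn--bgbank-0ye.example/">bigbank.example</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def classify(href, text, expected):
    """Return a reason string if the link deserves a second look, else None."""
    host = host_of(href)
    if not host:
        return "no host (relative or non-http link)"
    if "xn--" in host:
        return f"punycode (IDN) host {host}, may be a homoglyph of a real name"
    if text.startswith(("http://", "https://")) and host_of(text) != host:
        return f"link text claims {host_of(text)} but points at {host}"
    if host == expected or host.endswith("." + expected):
        return None
    # Same length and exactly one character different, e.g. blgbank vs bigbank.
    if len(host) == len(expected) and sum(a != b for a, b in zip(host, expected)) == 1:
        return f"one-character lookalike of {expected}: {host}"
    return f"unexpected host {host}"


def check_links(html, expected):
    """Return [(href, reason), ...] for every flagged link, in document order."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reason = classify(href, text, expected)
        if reason:
            findings.append((href, reason))
    return findings


if __name__ == "__main__":
    html = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTML
    for href, reason in check_links(html, EXPECTED_HOST):
        print(f"SUSPECT: {href}\n    {reason}")
```

The script only reads the file; nothing is fetched, so it is safe to run on a message you have not decided to trust yet. Any link it flags is one you do not paste into a browser.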

Avoiding phishing eMails tends to be less taxing than fending off a phishing phone call. A lot of this is due to the immediacy of talking to somebody who is expecting a verbal response. I have a twofold defense to this: first, be the one who is controlling the path of the conversation. Second, work from a prepared script. Don't answer any questions unless the information you are providing helps move the conversation in the direction you want it to go. Use courteous deferral and the handy excuse of "sorry, but our vendor security operating procedures require me to first find out...".

I could post the exact script that I've found helpful here, but having such a document in the public domain would defeat its purpose as it encourages "social engineering" to bypass its safeguards. Rather, I will describe its contents in general terms, so you can write your own prepackaged talk track.

The primary purpose of your script should be to positively validate the identity of the caller. You will need to gather enough information about the caller to independently verify who he is and who he works for. Besides his full name, other useful particulars are:
  • work eMail address
  • private (not work) cell phone number
  • name of employer
  • city where his employer is located
  • department he works for
  • name of his supervisor
  • how they obtained your phone number
I'm sure you can think of other things to ask. Any reputable vendor account manager should readily be able to provide this information without hesitation. If the caller questions why you need this information explain that your company policies require positive identification of vendors. Whether you record your phone call or not is up to you, but regardless I like saying "this call may be recorded for training or quality assurance purposes." You'd be surprised how many scammers immediately hang up after that little tidbit.

Once you've obtained the above information you may ask the caller how you can help them. At this point you don't want to provide any useful information, but you do want to gauge the nature and the scope of their inquiry. Reply to most of the inquiries with "I can get that for you." Then you need to perform a "backflip" -- ask the caller to hold on, put the phone down briefly, take a slow breath to calm and center yourself, then tell the caller you will need to call them back as something urgent has arisen. Ask for the best time to call, thank them for calling, and hang up.

Now is when the actual work starts. If you are indeed planning to return this call you will need to go through the effort to validate who they are and who they work for. Depending on how suspicious you are, some good avenues to explore include:
  • call the main switchboard of their employer and ask for them by name
  • find their profile on LinkedIn to verify it shows the same employer
  • use a web service to text a verification code to their cell phone
  • call their supervisor and ask for verification of employment
  • send a message to his eMail address asking for a reply, then verify the routing information in the reply's header
And there's always Google. This discourages most casual phishing, but always be alert to anything suspicious that might compromise your security, and never provide an outsider with any information that isn't absolutely necessary for them to work effectively with you.
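The last avenue in the list above, checking the routing information in the reply's header, is the one most people skip because raw headers are unfriendly to read. The following is an added example, not code from the original post, showing what that check looks like over a saved reply: it compares the domain of the visible From address against the Reply-To, the Return-Path and the host named in the earliest Received hop, and reports each disagreement. The sample reply and all of its domain names are constructed for the example; the standard library's email parser does the header handling.

```python
"""Cross-check the routing headers of a reply against the sender it claims to be.

Added example. Usage: python check_reply.py saved_reply.eml expected-domain
With no arguments it runs against the constructed sample below.
"""
import email
import re
import sys
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From is the vendor, but the Reply-To, the
# Return-Path and the originating mail server all belong to somewhere else.
SAMPLE_REPLY = b"""Return-Path: <bounce@mailer.freebulkmail.example>
Received: from mx.ourcompany.example (mx.ourcompany.example [192.0.2.10])
\tby mail.ourcompany.example with ESMTP id abc123;
\tSat, 11 Feb 2017 10:15:00 -0500
Received: from mailer.freebulkmail.example (mailer.freebulkmail.example [198.51.100.7])
\tby mx.ourcompany.example with ESMTPS id def456;
\tSat, 11 Feb 2017 10:14:58 -0500
From: "Pat Vendor" <pat.vendor@acmevendor.example>
Reply-To: <pat.vendor.acme@webmail-free.example>
To: dba@ourcompany.example
Subject: Re: Verification
Message-ID: <1@mailer.freebulkmail.example>

Yes, it's me.
"""

# Constructed sample of a reply whose headers all agree with the From domain.
CLEAN_REPLY = b"""Return-Path: <pat.vendor@acmevendor.example>
Received: from smtp.acmevendor.example (smtp.acmevendor.example [203.0.113.5])
\tby mx.ourcompany.example with ESMTPS id ghi789;
\tSat, 11 Feb 2017 11:00:00 -0500
From: "Pat Vendor" <pat.vendor@acmevendor.example>
To: dba@ourcompany.example
Subject: Re: Verification

Yes, it's me.
"""

RECEIVED_FROM = re.compile(r"^from\s+([\w.-]+)", re.IGNORECASE)


def domain(header_value):
    """Domain part of an address header, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def originating_host(msg):
    """Host named in the earliest Received header (the last one listed)."""
    hops = msg.get_all("Received") or []
    if not hops:
        return ""
    match = RECEIVED_FROM.match(str(hops[-1]).strip())
    return match.group(1).lower() if match else ""


def check_reply(raw_bytes, expected_domain):
    """Return a list of disagreement strings; an empty list means nothing stood out."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom = domain(msg["From"])
    if from_dom != expected_domain:
        findings.append(f"From domain {from_dom} is not the expected {expected_domain}")
    reply_dom = domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return_dom = domain(msg["Return-Path"])
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    origin = originating_host(msg)
    if origin and origin != from_dom and not origin.endswith("." + from_dom):
        findings.append(f"earliest Received hop {origin} is not under {from_dom}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 2:
        raw, expected = open(sys.argv[1], "rb").read(), sys.argv[2].lower()
    else:
        raw, expected = SAMPLE_REPLY, "acmevendor.example"
    problems = check_reply(raw, expected)
    print("\n".join(problems) if problems else "headers agree with the From domain")
```

A Reply-To pointing at a free webmail domain while From shows the vendor is the classic tell; a Return-Path or originating server elsewhere is weaker evidence on its own (legitimate vendors do send through third-party mailers), so treat the findings as prompts for the other checks in the list rather than a verdict.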