"'Phone Phishing', a method of stealing confidential information over the telephone, is on a steady rise, and awareness is the key to tackling it, according to security experts here. The most prevalent method of gaining access to personal data is the simple process of picking up a phone and calling a customer service call centre of a service provider, they said. Customer service agents are trained to 'take care' of callers, and often they are more than willing to help." So says a piece in India's Economic Times.

I must say that, in my experience, security-aware customer service agents (those first two words are vital!) can be one of the information security manager's strongest allies in the battle against social engineers. Through security awareness/training/education, coupled with proper management support and sensible policies, guidelines and procedures, IT Help/Service Desk workers should not only be permitted to refuse to service dubious callers, they should be actively encouraged to be careful.
More social engineering resources