The social-engineering attack someone tried on me last week was pretty crude – to me. It was probably effective on someone else. That’s what has me worried.

This one was a phone call but it could have just as easily been an email or a website. The recorded voice said, “We’re calling from XXXX Bank with security concerns about your XXXX card. Please push 1 for more information.” I hung up and found out later from an article in the local newspaper that the next step would have been asking me to enter account information and all that other stuff I don’t want anyone to have.

This was the first brush, that I’m aware of, with a social engineering attack but I’m clearly one of the lucky ones. According to a new study, 48 percent of businesses surveyed had been victims of social engineering and had experienced 25 or more attacks in the past two years. The report, by security firm Check Point Software Technologies, said successful attacks cost victims an average of $25,000 - $100,000 per incident.

The thing that got me to hang up immediately was that I’m not a customer of that bank nor do I happen to have the card they were asking about. Only later did I remember my father-in-law telling me he had gotten a similar call the week before. If I had been a customer of that bank, would I have remembered that or would I have fallen for it?

The fact that it was a phone call was also working against the crooks in this case. It is hard to make a phone call look or sound official. That’s almost certainly why the most common attack vectors for these attacks are phishing emails (47 percent of incidents, according to the study) and social networking sites (39 percent).

We know the criminals were using a fairly generic set of phone numbers because it hit me, someone outside of their target audience. But that was a matter of dumb luck or dumb crooks. Pinpointing the right group is no harder for them than it is for an online marketer. Just as with the marketers, the more specific information these people use, the more likely they are to “make their sale.”

Now I know that I pay more attention to security stuff than your average bear. So it’s pretty hard to get me to cough up info doing something like this – I hope. This has me wondering: how much information would someone have to have for me to believe them? Whatever that amount is (and I do check all requests any which way I can) it is far more than it would take to gull most people.

For a long time I’ve worried about my elderly parents falling for something like this (though clearly my father-in-law is doing OK). I’ve talked to them about assuming any email or call is a con and only giving information if they can verify the request through another channel. And how to find that other channel? Now I think I need to have that talk with a lot of other people, including a reminder talk with myself.

But how do you do it with an entire organization? It’s hard enough getting them to even use a strong password.