Your Personal MFA for Real Life
Protect yourself against scam calls, texts, and DMs in real time. Free to use and supported by businesses that make your private security a priority.
Ask. Confirm. Verified.
Give yourself peace of mind against scam calls, texts, and impersonators with ChallengeWord.
#MFA4IRL
We use Multi-Factor Authentication online; why not in real life too?
ChallengeWord is a quick and secure word, synchronized between you and trusted businesses to help you avoid scammers.
Stop & Report Scam Calls, Texts, and DMs in Real Time.
Have you ever received a call, text or DM from a business you have an account with but something just feels off? You may not want to question them because what if you're wrong? Simply ask them for your ChallengeWord. Either they know it or they don't. If they are an imposter, report the communication to alert the business of the scam. The more you use ChallengeWord the more effective it becomes in stopping scammers.
01. Smishing
Smishing is a form of phishing attack where individuals are tricked into sharing sensitive information or clicking malicious links through deceptive SMS or text messages.
02. Vishing
Vishing is a type of phishing attack where fraudsters use voice calls to deceive individuals into providing sensitive information or taking dangerous actions on a corporate device.
03. Social Media
Social media phishing is a tactic where attackers use deceptive social media profiles or messages to trick individuals into revealing sensitive information or clicking malicious links.
04. Physical
Physical or in-person social engineering involves manipulating individuals directly through face-to-face interactions to gain unauthorized access to information, systems, or facilities.
01. Smishing
Attackers use deceptive texts to trick individuals into sharing sensitive information or clicking on malicious links.
Scenario
Jodie was working remotely on a Wednesday morning, engrossed in her latest project, when her phone buzzed with a new message. Glancing at the notification, she saw that it was seemingly from her company's IT department. The message read: "URGENT: Critical system update required. Click the link ASAP and enter your credentials to prevent your computer from shutting down."
Jodie's heart rate quickened. The last thing she needed was a computer issue, especially with an important deadline looming. However, something about the message felt off to her. Why would the IT department contact her through a text message instead of the usual email or company chat? And the urgency in the message felt slightly exaggerated.
Then she remembered a company-wide memo she had read a few weeks ago about heightened cybersecurity measures. The memo had introduced a new protocol for situations like this: a challenge word system. The challenge word was a secret, rotating password known only to employees and was meant to verify the authenticity of internal communications.
Deciding to play it safe, Jodie replied to the text: "Can you provide today's challenge word?"
The ensuing silence was telling. No response came. Had the sender been genuine IT personnel, they would've been able to promptly provide the correct challenge word. Realizing that she had likely just dodged a smishing attempt, Jodie immediately reported the suspicious message to her company's actual IT department. She felt relieved, having successfully navigated the situation by relying on company protocols.
Lessons Learned
Lessons learned from Jodie's experience:
- Always Be Skeptical: Even if a message appears to come from a trusted source, it's crucial to approach it with caution, especially if it involves urgent actions or requests for sensitive information.
- Know Your Protocols: Awareness and understanding of company-specific security protocols can be the difference between falling for a scam and deflecting it. Jodie's knowledge of the challenge word system allowed her to verify the legitimacy of the message.
- Use Official Channels: When in doubt, reach out through known and official communication channels. In this instance, Jodie could have also contacted her IT department directly through a known email or phone number to confirm the message's validity.
- Avoid Taking Immediate Action: Phishing attempts often prey on human emotions, especially urgency. Taking a moment to pause and reflect on the situation can often reveal inconsistencies or red flags in suspicious communications.
- Report Suspicious Activity: Always report any potential phishing attempts to the appropriate department or team in your organization. This not only ensures that potential threats are addressed but also helps the company update and refine its security measures.
- Stay Updated on Company Security Measures: Regularly attending or reviewing company-provided training sessions on cybersecurity can arm employees with the knowledge and tools needed to combat various phishing attempts.
By remembering these lessons, employees can create a more secure and vigilant work environment, reducing the risk of cyber threats and protecting valuable data and resources.
02. Vishing
Vishing calls can appear authentic, leveraging caller ID spoofing and pre-recorded messages to gain the victim's trust.
Scenario
Eric was in the middle of his lunch break, enjoying a sandwich at a nearby café, when his phone buzzed to life. The caller ID read "TechSolutions Corp.", which made Eric answer the call without hesitation. A smooth voice on the other end introduced herself, "Hello Eric, this is Diana from HR."
"Hi Diana," Eric replied, a bit surprised since he wasn't expecting any calls from HR.
Diana sounded slightly stressed as she began, "We're facing a bit of a hiccup here. We're doing an immediate audit of our employee portal due to some discrepancies. To expedite the process, I need you to verify your login credentials. Could you provide me with your password for a quick verification?"
Eric immediately felt uneasy. He'd attended enough cybersecurity seminars to know that HR shouldn't, under any circumstance, ask for passwords over the phone. However, the call did appear to be coming from the company's official line.
Then, he remembered the ChallengeWord system. It was a security protocol the company had recently implemented for such scenarios, providing employees with a tool to validate the identity of internal callers.
Staying calm, Eric responded, "Of course, Diana. But first, could you provide me with today's ChallengeWord?"
A pause stretched over the line, a little too long for comfort. When Diana finally spoke, her tone had lost its previous smoothness. "Challenge... word? I'm not sure what you mean. This is just a standard procedure, Eric."
Bingo. Eric's suspicions were confirmed. If Diana were truly from HR, she would have known about the ChallengeWord system instantly. Realizing he was dealing with a social engineer attempting a vishing scam, Eric replied, "I'll get in touch with HR directly and sort this out. Thank you."
Eric ended the call and immediately reported the incident to the company's cybersecurity team. It was a close call, but thanks to the ChallengeWord system and Eric's vigilance, the visher's attempt was thwarted.
Lessons Learned
Lessons learned from Eric's experience:
- Always Be Cautious: Even if a call or message appears to come from a trusted source or familiar number, approach it with a healthy dose of skepticism, especially if it involves sharing sensitive information.
- Employ Validation Protocols: Systems like the ChallengeWord are invaluable in situations where identity needs to be confirmed. Employees should be familiar with and utilize such protocols whenever they're unsure.
- Never Share Sensitive Information Over the Phone: No matter how genuine the caller sounds, it's a best practice not to share personal or sensitive details, such as passwords, over the phone.
- Trust Your Instincts: If something feels off, it probably is. Eric's immediate discomfort with Diana's request was his first clue that something was amiss.
- Stay Informed: Regular training or updates on company security measures can help employees be better prepared for potential scams or security threats.
- Report Suspicious Activity Immediately: It's vital to inform the appropriate team or department about potential security breaches. This allows the company to take necessary actions, possibly preventing future attempts.
- Know the Proper Channels: If in doubt, hang up and contact the department or person directly using a known and trusted method, ensuring you're speaking with the genuine party.
By internalizing these lessons, employees can better safeguard themselves and their organizations against ever-evolving cyber threats.
03. Social Media
By masquerading as trusted entities or individuals on platforms like Facebook, Twitter, or LinkedIn, attackers exploit the trust and familiarity users have with these networks.
Scenario
Alex was taking a short break, scrolling through his feed on InstaShare, his favorite social media platform, when a direct message notification popped up. The username, "DataCorp_Official," caught his attention immediately — it was the name of the company he worked for. Curious, he tapped on the message.
"Hello Alex," the message read. "This is Jordan from the IT department. We're running a quick audit on the company's remote access system. To validate and sync your account, can you share your login credentials?"
Now, Alex knew that sharing credentials was a strict no-no, but the account appeared genuine, with company logo and posts that seemed official. He wondered if it was a new way of doing things. However, a niggling doubt persisted.
Recalling the company's ChallengeWord system, he decided to employ it as a litmus test for the situation. He replied, "Hi Jordan, I'd be happy to help. But first, can you provide me with today's ChallengeWord?"
Several minutes ticked by with no reply. Finally, the response came, "I don't think that's necessary. This is just a routine check. We need your cooperation to ensure system security."
That was all the confirmation Alex needed. If this was genuinely the IT department of DataCorp, they would've been well-versed with the ChallengeWord protocol. Realizing he was facing a sophisticated phishing attempt via social media, Alex decided to play it safe.
"I will contact the IT department directly and sort this out. Thanks," he responded, then immediately took screenshots and reported the account to both InstaShare for impersonation and DataCorp's cybersecurity team.
This incident served as a stark reminder for Alex that phishing attempts are no longer limited to just emails; social media had become a fertile ground for such cyber threats.
Lessons Learned
Lessons learned from Alex's experience:
- Stay Vigilant Across Platforms: Cybersecurity threats aren't limited to emails or calls. With the rise of social media, cybercriminals are branching out to platforms where users might feel more relaxed and less guarded.
- Always Question Unexpected Requests: Even if a message seems to come from a trusted source or familiar account, it's important to question unexpected or unusual requests, especially if they ask for sensitive information.
- Use Validation Mechanisms: Systems like the ChallengeWord protocol offer a direct and effective way to verify the authenticity of a contact, especially in suspicious circumstances.
- Avoid Sharing Credentials: Under no circumstances should you share login credentials or other sensitive information over social media, even if the request appears to be from an official or trusted source.
- Trust Your Gut: If something feels off, even slightly, take a step back and evaluate the situation. Your instincts can often alert you to potential threats.
- Stay Updated on Company Protocols: Regularly attending or reviewing company-provided training sessions on cybersecurity can arm employees with the knowledge and tools needed to identify and react to various phishing attempts.
- Report Suspicious Interactions: Always report any suspicious activity or interaction to both the social media platform and your company's cybersecurity department. This helps address potential threats and strengthens overall security.
By heeding these lessons, individuals can navigate the digital landscape, particularly social media, with a heightened sense of awareness and caution, protecting themselves and their organizations from potential cyber threats.
04. Physical / In-Person
Attackers exploit human vulnerabilities, such as trust or lack of vigilance, using techniques like tailgating or posing as authorized personnel to achieve their objectives.
Scenario
At the bustling headquarters of DataGuard Corp., a young man named Ethan stood by the entrance holding a tray of coffees, looking slightly frazzled. Dressed in a blue polo with a 'TechHelp' logo — a well-known IT vendor that often worked with DataGuard — he approached an employee entering the building.
"Excuse me," he said, adjusting his grip on the coffee tray. "I was here for an IT routine check, but I seem to have misplaced my access card. Can you help me in? I'm running late and these coffees are for the meeting."
The employee, seeing the familiar logo and the coffees, empathized with Ethan's predicament and decided to hold the door open for him. Unbeknownst to her, Ethan wasn't from 'TechHelp.' He was a hacker, employing physical social engineering to gain unauthorized access to DataGuard's offices, seeking to plug in a malicious USB device into the company's network.
As Ethan navigated the corridors of DataGuard Corp., he aimed to locate an unmanned workstation where he could enact his plan. As he attempted to blend in, Sarah, a senior manager known for her meticulous attention to company protocols, spotted him. Recognizing that he wasn't a familiar face and having been alerted in the past about potential security breaches, she approached him.
"Hello," Sarah began, her tone cordial yet inquisitive. "You seem new here. Are you with 'TechHelp'?"
Ethan, maintaining his guise, nodded. "Yes, I'm here for a routine check. Just finding my bearings."
Sarah remembered the recently implemented protocol for such situations – a daily challenge word, intended to verify the authenticity of external partners or consultants. "Great," she responded. "Can you tell me today's challenge word?"
Ethan hesitated. He hadn't anticipated this, and his pause was just a second too long. Sarah's eyebrows raised slightly, her instincts now on high alert. She had effectively used the simplest of company safeguards to corner a potential intruder.
Lessons Learned
Lessons learned from Sarah's encounter with Ethan:
- Physical Presence Isn't Proof: Just because someone is physically present in a seemingly secure area doesn't mean they belong there. Always verify the identity of unfamiliar individuals.
- Know Security Protocols: Awareness of protocols, like the challenge word system, can provide an additional layer of security. It allows employees to quickly validate someone's claim of being a colleague or a trusted visitor.
- Don't Rely Solely on Electronic Security: Even the best electronic security systems can be bypassed. Human judgment and awareness are crucial elements of a comprehensive security approach.
- Be Wary of Pressure Tactics: Social engineers often employ tactics designed to rush or pressure their targets. If someone is pushing for urgent information or trying to rush you, it's a red flag.
- Report Suspicious Encounters: Any suspicious encounter, even if no information was compromised, should be reported. This helps to identify potential vulnerabilities and can prevent future security breaches.
- Trust Your Instincts: If something feels off or uncomfortable, trust your feelings. It's always better to be cautious and later find out everything is okay than to ignore your instincts and face a security breach.
- Stay Informed and Educate Colleagues: Regular training sessions on security protocols and sharing experiences of attempted breaches can help everyone in the organization be better prepared.
- Encourage a Culture of Security: Everyone should feel responsible for the company's security. Encourage an environment where employees are comfortable challenging unfamiliar faces or asking for identification without fear of being impolite.
By understanding and implementing these lessons, businesses can fortify themselves against physical social engineering attempts, ensuring the safety of both their assets and personnel.