Verify a user request

Why would I need to verify a user?

You want to prevent someone that is pretending to be someone they are not from tricking you into making a change that helps them attack your company. For example, someone might want to trick you into resetting a password or disabling Multi-Factor Authentication to get access to an account.

How can this happen?

This trickery is sometimes called “social engineering” and often happens by either email, phone call, or SMS messages. It works because it is often possible for someone to fake the email address or phone number where the call or message is coming from.

No one expects to receive a phone call from a criminal pretending to be a colleague, which is what makes this so effective - especially when they are pretending to be someone senior and acting angry and demanding (as senior people sometimes do!)

What should I trust?

You can generally trust a request when:

  • You know the person and could identify them; face-to-face, by their voice on the phone, or through their face over a video chat.

  • They messaged you using an internal-only chat platform such as a company Slack, Google Chat, or Microsoft Teams account.

  • Secure instant message system (Signal, Telegram, Whatsapp) if you already have their number in your phone, or you can check their phone number against the company phone directory.

  • They opened a ticket on a support system (unless it’s possible to open support tickets on your system by sending an email to the system).

You should not trust requests that come from:

  • Email - keep in mind attackers can often send fake emails that look like they come from someone inside your company, but especially not from someone who is messaging from their personal email (common example: “Hi, I got locked out of my company email so I’m sending this from my gmail - can you resend my password please?”)

  • A phone call from a person whose voice you don’t recognise

  • An SMS text message

How do I check?

You should check the person is who they say they are by contacting them on a phone number or account that you already have for them - for example, from the company directory or your phonebook.

Ideally this would be a voice or video call, but could also be a secure DM or chat message (like Slack or Signal).

In an emergency, for example, if the user is travelling abroad and has lost their phone - you might need to be more creative and contact a colleague they are travelling with or the hotel they are staying at to verify them.