"G'day, the Queen speaking" - socially engineering the Duchess of Cambridge's hospital

Announcement posted by Sophos 07 Dec 2012

Earlier this week, presenters at an Australian radio station called the King Edward VII Hospital in London, UK.

You may recognise the name - it's the hospital to which Catherine, Duchess of Cambridge, was admitted on Monday.

The Duchess, who is pregnant, is apparently suffering from a fairly serious bout of morning sickness.

The pranksters, Mel and MC of the show Summer Hot 30 on Sydney station 2DAY (all New South Wales radio call signs begin with 2), pretended to be Her Majesty the Queen and Prince Charles.

Two other presenters joined them in the studio to add a little Palace atmosphere, impersonating the Royal corgis.

The plan was to have a bit of a lark and see what sort of reaction they'd get from the hospital.

Mel's impersonation of Her Majesty's voice can charitably be described as ludicrously bad, and her impression of Her Majesty's diction and vocabulary as bizarre.

In fact, Mel did such an execrably bad job that co-presenter MC interjected right at the start of the prank, while they were still on hold, to say so.

Clearly, after such an inauspicious start they expected not just to have their call dumped by the hospital, but to be told off in no uncertain terms.

To their astonishment, however, the call was passed swiftly through to the nurse looking after the Duchess. The nurse proceeded - with understandable and audible nervousness - to give away a small, but nevertheless improper, amount of personal information.


In the end, little harm was done, aside perhaps from the nurse's unfortunate comment that "[the Duchess] hasn't had any retching", and her observation that Catherine's husband, Prince William, had been at the hospital the previous evening, but left around 9pm.

Nevertheless, there is a huge lesson to be learned here.

Social engineering - where scammers trick you or your staff into revealing information they know they oughtn't to give out - is surprisingly easy.

As Mel and MC showed, you don't have to get all the details right. In fact, you can get many or most of them wrong.

You don't even have to be terribly believable. You just have to stick to your guns.

Let the person on the other end of the call ease themselves into a position where they feel obliged and determined to help, yet on safe ground because they've convinced themselves that they're not really giving out anything very serious.

Social engineers often don't need a lot of information to succeed. They might get a name out of the HR department, but no more. Then a phone number from a helpful colleague, an address from the helpdesk, followed by information about the victim's whereabouts from Facebook or an out-of-office email.

And that might be enough to trick another organisation or department - the victim's bank, for example, or their IT team - into a more egregious blunder such as transferring money illegally, or resetting a password fraudulently.

What can you do to minimise the risk of social engineering?

  • Teach your staff that it is OK to say "No" to information requests over the phone.
  • Teach them to hang up if the caller won't take "No" for an answer and pesters for information that has already been refused.
  • Provide an internal hotline (phone or email) that staff can use to report possible scam calls.

The last point is particularly important. Phone scammers may well have an internal directory for your company. They can then simply call colleague after colleague, building up a picture piece by piece as they go. The extent of the trickery won't be obvious to each individual who gets called.

With active reporting of phone scamming by your staff, you may be able to spot the pattern early. You can then warn your entire workforce.
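The pattern-spotting the hotline makes possible, as an added illustration (this is not Sophos's code or tooling): each report from a colleague is one harmless-looking line, but correlating lines by caller shows when one caller is working through several departments. The log format, department names and phone numbers below are all constructed; caller ID is assumed to be recorded, and since it can be withheld or spoofed it is used only as a grouping hint, never as proof of identity.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed hotline log (not real data): when | reporting department |
# caller ID shown | identity the caller claimed | what they asked for.
HOTLINE_LOG = """\
2012-12-04 09:02 | HR | +61 2 5550 0101 | agency recruiter | full name and start date of a new nurse
2012-12-04 09:40 | Reception | +61 2 5550 0101 | family member | which ward the patient is on
2012-12-04 10:15 | Helpdesk | withheld | IT contractor | reset of a ward PC password
2012-12-04 11:05 | Ward 3 | +61 2 5550 0101 | consultant's secretary | patient's condition overnight
2012-12-06 14:30 | Finance | +44 20 5550 0199 | supplier | status of an invoice
"""

def parse_log(text):
    """Turn hotline lines into dicts; malformed lines are skipped rather than crashing."""
    reports = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 5:
            continue
        when, dept, caller, claimed, asked = parts
        reports.append({"when": datetime.strptime(when, "%Y-%m-%d %H:%M"),
                        "dept": dept, "caller": caller, "claimed": claimed, "asked": asked})
    return reports

def caller_key(r):
    """Caller ID is the grouping key, but it can be withheld (or spoofed), so fall back
    to the claimed identity for withheld numbers rather than lumping them all together."""
    return r["caller"] if r["caller"] != "withheld" else "withheld:" + r["claimed"]

def find_campaigns(reports, window=timedelta(hours=24), min_departments=2):
    """Flag any caller reported by at least `min_departments` different departments
    within `window`: one call looks harmless, the sequence does not."""
    by_caller = defaultdict(list)
    for r in reports:
        by_caller[caller_key(r)].append(r)
    campaigns = []
    for key, calls in by_caller.items():
        calls.sort(key=lambda r: r["when"])
        for i, first in enumerate(calls):
            run = [r for r in calls[i:] if r["when"] - first["when"] <= window]
            depts = {r["dept"] for r in run}
            if len(depts) >= min_departments:
                campaigns.append({"caller": key, "departments": sorted(depts),
                                  "asked_for": [r["asked"] for r in run]})
                break  # one alert per caller is enough to warn the workforce
    return campaigns

if __name__ == "__main__":
    for c in find_campaigns(parse_log(HOTLINE_LOG)):
        print(f"{c['caller']}: {len(c['departments'])} departments {c['departments']}")
        for ask in c["asked_for"]:
            print("   asked for:", ask)
```

On the sample log only the +61 caller is flagged (three departments in two hours); the single withheld and +44 calls stay below the threshold, which is the point: the alert fires on the sequence, not on any one request.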

When it comes to corporate or personally identifiable information, remember this:

If in doubt, don't give it out!

Recording available at: http://www.youtube.com/watch?feature=player_embedded&v=wa5JQC8VNdw