That line was fucking gold.
This one definitely got me!
Use plausible sounding, but random answers.
What's the name of your first pet?
I use this scheme when I need to come up with these types of answers for a service that I don't deem as super critical or risky...
Other than that, anyone is susceptible to social engineering, regardless of pay. Social engineering is crafted to suit demographics.
Maybe you favorite a bunch of recipes with lima beans (which I hate). Instead, you discover that I was really into lentil dishes for a while, but have been more interested in dumplings this fall. Maybe this could be used in some sort of elaborate social engineering scheme that nets you more valuable information, but I'm not seeing how....
The worst that could happen is that you used the same password there as for your online banking, or important e-mail account and such.
If you didn't do that, then the impact is approximately zero.
Of course, that cooking site still wants you to use a sufficiently long password with at least one digit, capital and lower case letter, and special character ...
Fancy a prison term in one of the more enlightened European jurisdictions, or Canada?
If you think that's bad: I always enter a fake phone number. Once, a company turned out to use them as verification for phone support. I didn't know, and had forgotten, so gave my actual number. "Oh, it says something else here. Shall I just go ahead and remove that, then?". I wanted to cry.
Don't play games.
Security through obscurity strikes again.
Assuming that wasn't true, a customer service rep for the phone company could call the customer's bank and try to impersonate the customer, assuming it's used often (like the poster stated).
I do this as well and it has yet to blow up in my face, though it does seem like an inevitability.
So I have nicely complex passwords generated by Keepass and the staff usually don't think anything of it once I mention I work in "computers".
I've never had it blow up in my face with any rep, and I make sure to keep the passwords in an offline (never touches any network) laptop.
Apparently they don't even do e-mail verification.
Security questions introduce insecurity. I remember being mightily puzzled when they were considered a "best practice" and the organization I was at was all "het up" to implement them.
The real reason? They save head count / expense -- at least, in the short run. One less "I can't remember my password" interaction -- one that, from an optimistic perspective, at least doesn't just blindly depend upon emailing the email address of record... Only, many sites seem to implement that alongside their security questions flow, so...
It is not a tutorial on how to phish or a vulnerability report, but rather a story about how motivation is potentially more important to phishing than technical skill. Without the casual writing style, the main character (and author) might have seemed more sophisticated, which would have diminished the point of the story.
This is hilarious!!
Overall, a really great breakdown of a textbook phishing attack.
Get consent before hacking your friends.
Edit: This is awkward - I was sure I read it one of the previous times it was posted. Chapeau!