The Federal Trade Commission wants to make sure that government employees stay alert during this holiday season for “voice phishers,” hackers trying to obtain passwords with a phone call.

With staff on holiday breaks and skeleton crews or substitute personnel manning the phones, it is a prime time for hackers and phishers to wrest passwords from a government agency.

One ploy they may use is just calling and asking for the password, according to Leslie Fair, senior attorney at the FTC’s Bureau of Consumer Protection.

“The urgent call comes in saying, ‘I need this right away. My boss is asking for this, and he needs it from your boss.’” — Michael Kaiser, National Cyber Security Alliance

“When it’s vacation time in federal agencies, like any other business, they need to be concerned about hack attacks and scammers that may try to take advantage this time of year,” said Fair.

How one scam works: The scammer will call up with a bit of information, a boss’s name that’s easily found on a public website, and a story that the boss “has given me the authority to get a password.”

The person answering the phone complies with the request and looks up the password – it might be readily available on an office list – or gives away additional personal information over the phone with no verification that the caller is legitimate, giving hackers clues to breaking into the system.

Don’t get tricked, said Fair, who is also the FTC’s business blogger and a contributor to OnGuardOnline.gov, a federal government website aimed at educating the public about online safety. The site is managed by the FTC, in partnership with federal agencies including the Departments of Homeland Security, Treasury, Commerce, Education, Justice and other agencies.

Agencies must make it clear to their employees – the temporary ones, too – not to respond to telephone inquiries or urgent calls saying, “I need your boss’s password or account number,” unless they are certain they know the person on the other end of the line, she said.

Workers must use the same data security and privacy protections as they do any other time of the year, she said.

Any agency that’s been the target of this kind of invasion in the past should be on extra high alert that it could happen again.

Make sure the employee is trained to say, “Thanks. That sounds interesting. Let me hang up and call you back.” Then call someone who can verify the inquiry, Fair said.

Remember your bank won’t call asking for your password because they already have it, Fair said. And that’s the case with a legitimate government worker, too.

There’s plenty of training for employees, including internal security awareness training, and it must be refreshed every year, adds Nat Wood, an assistant director in the FTC’s Bureau of Consumer Protection.

“There’s training across government but some people are at risk for falling for these attacks,” Wood said.

Peter Cassidy, executive director of the Anti-Phishing Working Group (http://www.antiphishing.org/), a non-profit that studies new forms of electronic crime, said the FTC is taking the right approach in dealing with a growing scamming problem.

“There’s nothing more dangerous than a convincing guy on the phone,” Cassidy said. “It’s one of the hardest problems in security.”

People have become skeptical about email, he said. And a call is “less in the public eye, and therefore more penetrating.”

“It’s hard to say ‘no’ to an authority figure that represents your employer,” he added.

Michael Kaiser of the National Cyber Security Alliance said “voice phishing” is on the rise, disguised as an urgent call from someone who sounds important.

“We’re hearing a lot of discussions about the increase in phishing attacks around the holiday season because offices are lightly staffed or have temporary workers,” Kaiser said.

The urgent call comes in saying, “‘I need this right away. My boss is asking for this, and he needs it from your boss,’” he adds.

Be alert for what’s being requested and whether it would normally come in a different fashion. “At the end of the day, people are making judgment calls about whether to share information or not,” Kaiser said.