It works like this: A cyberthief phones the target claiming to be from a bank and says that there's been suspicious activity on the target's card. If the target doesn't trust the caller, the thief encourages the target to phone the bank using a number the target trusts. The target hangs up—but the thief doesn't, and on many landline systems the connection isn't released until the caller hangs up, so the line stays open. When the target picks up the phone again to dial, the thief plays a recording of a dial tone. The target dials, but it's the thief who fields the call. From that point, it's all Social Engineering 101.
It's sublimely simple, and applicable to almost anything in a retail setting. The thief can call a store claiming to be from central IT, calling to set up a time for a contractor to work on equipment. Or from the chain's processor, calling to confirm configuration details. Or from network security, Loss Prevention, accounting, or almost any other department. Most store associates won't notice even if the dial tone sounds a little odd, and many will just be using speed-dial anyway.
And once a store associate or manager is talking to someone at the other end of a trusted connection, no matter how odd the information requests get, the store personnel will probably still deliver. After all, how could a bad guy have hacked into speed-dial?
Best of all—OK, worst of all—there's no practical technical fix for this security hole. But there is a simple fix: Store personnel should always call that trusted number on a different line.
In fact, the easiest way to enforce that policy is to train managers and associates to make that trusted call after putting the original (cyberthief) caller on hold. If the call is legitimate, it will ring through to someone else at the processor, central IT, Loss Prevention or accounting. If the call is a scam, keeping the thief on hold will prevent the store personnel from falling for the fake dial tone.
And there's a certain elegance in a defense that's even more low-tech than the original attack.