I am a strong believer that every company should have comprehensive cybersecurity training and testing for all employees – including a variety of test campaigns to train users on social engineering prevention (it’s one of the leading causes of ransomware infections). However, I was genuinely concerned when I read the recent Tweet posted by Justin Fenton that described a recent phishing test that Tribune Publishing carried out against its employees.
According to Fenton, as well as articles later published by The Washington Post, CBS News, and others, Tribune, like so many companies has struggled, particularly in the midst of the pandemic. Recently, Fenton says they’ve taken steps like “…slashing our staff, closing newsrooms, furloughing reporters and cutting pay during a pandemic…” to cope. I’d imagine their employees are, like so many, feeling a bit traumatized with 2020. So, you can imagine their surprise when they got an email stating that due to their “ongoing commitment to excellence” and “ongoing efforts to cut costs,” each person receiving the email would be receiving a bonus of “between 5,000 and 10,000 dollars”. They were asked to click a link, log in to see their bonus amount, and state how they wanted to receive that bonus. You can likely also imagine their anger when a click led them to a notification that they had just been tricked by a simulated phishing test. Honestly, this is not a tactic I would recommend for your social engineering prevention training.
The whole situation continued to bother me, so I thought this might be a good time for a reminder about the purpose of phishing and other social engineering tests, as well as suggestions for what should and should not be included in your social engineering prevention training.
What is Social Engineering and Why Does It Work?
Social engineering is psychological manipulation of human emotions to gain access to information or a particular outcome. It works because it takes advantage of the belief that most humans naturally trust and/or want to help fellow human beings. Phishing is one of the most common types of social engineering, but vishing (phone phishing) and smishing (text phishing) are also rising. We have a three-part series on phishing you can read for more information. In this blog, we will focus on the social engineering prevention tools and tactics you can use to train and test your team.
Gaining Entrance to a Secured Facility
Our social engineer testing consultants know that the best way to get through a secured door that requires a badge or fob to access is to approach that door behind someone who has a badge with your hands full. If you appear to be juggling your lunch, coffee, and a box of files while trying to reach for your badge, most of the time, the person ahead of you will hold the door for you. This technique is called tailgating. One of our consultants carried the same salad and coffee cup, along with a briefcase around for an entire day and successfully tailgated each door he attempted. (I heard he later ate the salad for supper!)
How To Combat Social Engineering Attacks
To combat any social engineering attack, employees need a script or alternative behavior. This is a crucial part of social engineering prevention training. In the example above, simply telling your team not to hold the doors for others will not work. We were all taught from a young age that refusing to help is unacceptably bad manners, so telling us to behave in a manner that is ingrained as “rude” will not stop the behavior. To be successful, employees must be given guidance of an alternative that allows them to maintain their self-respect.
For example, using the scenario above, rather than holding the door open for our consultant, who they did not know, a more secure response would be to offer to hold something for him, while he finds his badge. You may want to model the behavior for them.
“May I hold your coffee for you while you find your badge?”
If the person says that they don’t have their badge, provide a scripted response for your employees.
“Oh no, that’s too bad. Can I escort you to the security office to get a new one?”
Or, they may offer to call the security office or take the person to an appropriate check-in point. When confronted with that, most social engineers (including criminals) will turn away.
The Social Engineering Phone Call
Vishing (aka voice phishing) is another popular and effective social engineer tactic. Scammers will use various tactics to get employees to give them confidential information over the phone. Popular tactics include:
- Having a recording of a baby crying in the background and playing on the employee’s sympathy to help them attain the needed information
- Pretending to be from the IT team and claiming they have found a problem with the user’s accounts
- Using caller ID spoofing to make the call appear to be originating from a high-profile company executive
If confronted with a caller requesting confidential information like username or password, provide your employees with a scripted answer.
“I’m sorry, but I am not allowed to provide that information. Let me forward you to my manager.”
Giving employees the tools to successfully avoid socially engineering empowers them to respond appropriately. Read more about Vishing attacks and prevention techniques.
What Should be Part of Your Social Engineering Prevention Training?
Phishing and other social engineering tests should never be treated as “gotcha” moments, nor should they shame or traumatize your employees. Yes, cybercriminals can be ruthless, but you as an employer don’t need to be, you can educate in an empathetic, respectful manner. Be thoughtful when choosing a topic for your test scenario. Ask yourself, will this cause harm to my employees? Will this test provide a valuable educational outcome? Here are a few “must have” activities that should be part of your social engineering prevention training:
- Employee cybersecurity training: Everyone in your organizations should receive basic cybersecurity training. It should cover how to spot common phishing, vishing, smishing and other social engineering tricks. You can find some social engineering prevention tips to read and share here. You can train your team internally or engage a third-party for social engineering prevention training and simulation tests.
- Provide written employee response strategies. Publish and review written employee response strategies with all employees, but provide additional resources for high-risk employees in sensitive positions, such as executives and finance. Read and share W-2 phishing prevention tips.
- Physical social engineering and penetration testing: Your cybersecurity is only as good as your physical security. If someone can enter your building, it is generally easy to find an unlocked computer or even gain access to the server room. Consider having third-party physical penetration and social engineering tests to find and close these gaps. You can learn more about it in this on-demand webinar and stay tuned for an upcoming class!
- Technical phishing controls: Proper mail server configuration, up-to-date patches, implementing secondary email verification, MFA, and more are also great technical barriers that reduce social engineering attacks. Read technical defense strategies.
Make Your Training Memorable
The key is to create an educational experience that will be remembered for the lesson itself. A college professor I had was tired of students writing the word “alot” rather than the correct version “a lot”. (Yes, I’m old enough that it was pre-easy access to spellcheck.) Rather than rant or shame anyone, he gave one student a sign that said “a” and the other a sign that said “lot” and asked them to chase one around the outside of the room without ever catching each other. I have remembered that “a lot” is two words ever since.
Sadly, my guess is that the primary lesson that most Tribune employees will remember is that they were not treated as valued employees at a time they needed it most.