Something smells phishy. The importance of Social Engineering Training

Henry Dalziel | General Hacking Posts, Hacker Hotshots | June 15, 2013

Ignore social engineering training at your peril.

Make your people aware of the ever-growing range of scams out there. It seems obvious, but trust us: we are constantly amazed by how many people fall victim to ‘simple’ phishing attacks.

Social engineering is all about coercing you into doing something that feels fine to do but is clearly not fine for your security. The best example is getting you to click a link or open an attachment that (unknown to you) unpacks and runs a trojan, and hey presto, there go your bank login details, company accounts and so on.

The human is dumb.

The most easily fooled and most vulnerable link in the security chain is the human. Here at Concise Courses we are all about information security education, and it certainly gives us pleasure to promote the necessity of effective employee phishing training. Taking advantage of human behavior is the name of the game when it comes to social engineering. An organization can employ the world’s greatest information security professional, but that won’t stop a phishing attack that succeeds in hacking someone else in your organization.

Employees need social engineering training – period. Basic stuff like email phishing, spear phishing etc. must be drilled home in a practical and engaging way. For example, one engaging way to educate your workforce is to send everyone, without warning, an email that is made to look moderately suspicious and appears to be sent from someone they do not know, asking them to download a file. Those who do will trigger a harmless program that only installs a screensaver of a clown on their desktop with a message saying “Report To [Name] – Your IT Head of Department, You Need To Learn Why What You Did Was Bad!!!” The ‘file’ must be genuinely harmless and the exercise agreed with IT beforehand, but making mistakes in a safe exercise is the best way to learn when it comes to social engineering prevention.
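The mechanics behind such an exercise, as an added example that is not code from the original post: each employee gets a lure email carrying a per-person tracking link, a landing page resolves the link back to the person who clicked and shows them the training message instead of a payload, and the organisers get a click-rate report. The roster, the sender address, the landing host and the invoice pretext are all constructed for illustration, and the actual SMTP send is left out (the built message is returned so you can inspect it).

```python
"""Simulated-phishing exercise: per-employee tracking links plus a click recorder.
Constructed example; the roster, sender, landing URL and pretext are made up."""
import hashlib
import hmac
import secrets
from email.message import EmailMessage
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Assumed roster: employee id -> mailbox (constructed sample data).
ROSTER = {
    "e1001": "alice@example.com",
    "e1002": "bob@example.com",
    "e1003": "carol@example.com",
}
BASE_URL = "https://training.example.com"  # assumed landing host for the exercise


def make_token(secret: bytes, employee_id: str) -> str:
    """HMAC-derived token: unguessable, and it maps back to exactly one employee
    without keeping a table of random values around."""
    return hmac.new(secret, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_lure(secret: bytes, employee_id: str, to_addr: str) -> EmailMessage:
    """Build the bait email: unfamiliar sender, mild urgency, a download link."""
    token = make_token(secret, employee_id)
    msg = EmailMessage()
    msg["From"] = "Vendor Support <support@invoice-portal.example.net>"  # assumed sender
    msg["To"] = to_addr
    msg["Subject"] = "Outstanding invoice - action required"
    msg.set_content(
        "Please download and review the attached invoice before end of day:\n"
        f"{BASE_URL}/download?t={token}\n"
    )
    return msg


def lure_url(msg: EmailMessage) -> str:
    """Pull the tracking link back out of a built message (used to simulate a click)."""
    for line in msg.get_content().splitlines():
        if line.startswith(BASE_URL):
            return line.strip()
    raise ValueError("no tracking link in message")


def record_click(secret: bytes, clicked_url: str, clicks: set) -> Optional[str]:
    """Landing-page side: resolve the token to an employee and record the click.
    Returns the employee id, or None for a token that matches nobody."""
    token = parse_qs(urlparse(clicked_url).query).get("t", [""])[0]
    for employee_id in ROSTER:
        expected = make_token(secret, employee_id)
        # Constant-time compare, on bytes so a non-ASCII token cannot raise.
        if hmac.compare_digest(expected.encode(), token.encode()):
            clicks.add(employee_id)
            return employee_id
    return None


def training_message(employee_id: str) -> str:
    """What the clicker sees instead of a real payload."""
    return (f"{ROSTER[employee_id]}: this was a phishing exercise. "
            "Report to your IT head of department to learn why what you did was risky.")


def report(clicks: set) -> dict:
    """Campaign summary for the people running the exercise."""
    total = len(ROSTER)
    return {
        "sent": total,
        "clicked": len(clicks),
        "click_rate": round(len(clicks) / total, 2),
        "clickers": sorted(clicks),
    }


if __name__ == "__main__":
    campaign_secret = secrets.token_bytes(32)  # per-campaign secret; never goes in the email
    seen: set = set()
    lures = {eid: build_lure(campaign_secret, eid, addr) for eid, addr in ROSTER.items()}
    # Simulate Bob clicking his link, then someone trying a forged token.
    who = record_click(campaign_secret, lure_url(lures["e1002"]), seen)
    print(training_message(who))
    print(record_click(campaign_secret, f"{BASE_URL}/download?t=deadbeefdeadbeef", seen))
    print(report(seen))
```

Two design points worth copying into a real exercise: the token is an HMAC of the employee id under a per-campaign secret, so a curious employee cannot forge a colleague's link or enumerate tokens, and the landing page records and educates without ever delivering anything executable.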

Tailgating, dumpster diving etc. are all standard basic topics that also need to be incorporated in any social engineering program, but those can really be handled by creating habitual patterns of behavior. For example, ensuring that all documents are shredded before they go in the trash will, within a short space of time, become second nature to your people.

There are a gazillion different phishing tricks out there, but it really is key that your people are made fully aware that their actions have consequences. A “You Won A Million Dollars” email should be obvious to most as a scam, but malware-ridden emails can be made to look a lot more ‘normal’ and ‘appealing’, such as an invoice, a delivery notice or a message from a colleague.

What do you do for your social engineering training? Nothing at all? Just a little bit? Tell us – we wanna know!

Lastly – check out our Hacker Hotshot web show titled “Go With the Flow: Strategies For Successful Social Engineering” with Chris Silvers, which was a superb insight into social engineering hacks with REAL examples! You’ll love it.

  • Great article. You had me at “The human is dumb.”

    • Indeed. The human behind a work station in an office particularly can be very dumb. Writing passwords on post-it notes and sticking them on the computer monitor is possibly the best example!

  • Jon

    I think “dumb” may be a little too harsh (I do agree with your article and think it’s great), but calling people “dumb” won’t help. I think they are just too trusting of their environment. I am sure most of the people who write their passwords on a post-it note understand what a password is used for and why they exist; I just don’t think they respect the system enough, or believe that their coworkers (or anyone else in the office) might take advantage of them. If you’re driving down the street and get hit in the head with a rock, are you “dumb” for not wearing a helmet and protecting yourself that day on your way to work? Why make it your profession to educate people if you think they’re all dumb? Why empower stupid people to blend in with you and all the other intellectuals who know better? Why not just let them get hacked and learn their lesson?