Social engineering awareness module for December

Background and scope

December’s NoticeBored module concerns information risks, controls and incidents involving and affecting people:

  • Various types of social engineering attacks, scams, cons and frauds – phishing being just one of many topical examples;
  • Exploitation of information and people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.;
  • The social engineer’s tradecraft i.e. pretexts, spoofs, masquerading, psychological manipulation and coercion.

While there are many indiscriminate scams and cons in operation, most are relatively minor (except, perhaps, ransomware).  However, social engineering attacks and frauds specifically targeting the organization through its workforce are of greater concern. 

Adversaries who patiently research us and our people through social media and social networks stand a better chance of gaining our trust, reducing our wariness of unknown people and unusual requests, so catching us off-guard.  Our being cautious about what we reveal to outsiders makes their task that bit harder, a subtle but effective control.

Creative scammers are developing ever more sophisticated attacks, sometimes combining hacking, malware, physical site penetration and social engineering methods.  Business Email Compromise, for instance, is highly lucrative, some attacks netting tens of millions of dollars by tricking professionals into making fraudulent payments from corporate bank accounts, bypassing the normal checking and authorization controls on the strength of some trumped-up emergency.  Tricking them into installing malware, or into changing payee account numbers, are just two more of the scammers' cunning tricks.

Learning objectives

Use December’s NoticeBored security awareness module to:

  • Brief workers on current information risks involving social engineering, social networking, social media, social apps, scams and frauds, in terms they understand and contexts that make sense, offering pragmatic advice;
  • Emphasize the most serious of today’s social engineering threats such as phishing and business email compromise, blended/multimode attacks and social engineering by trusted-but-untrustworthy insiders;
  • Demonstrate that the dangers are genuine, the impacts substantial;
  • Describe and promote the corresponding information security controls, particularly the human element given the limited effectiveness of technical/cybersecurity controls against social engineering, with a mix of informational and stimulating content;
  • Motivate people to think - and most of all act - more securely.  This is vitally important since social engineers actively exploit vulnerable people.  Workers’ vigilance and responsiveness are far and away the main controls, for example spotting, rebuffing and reporting scams, frauds and other social engineering attacks.

The module should be relevant and appeal to virtually everyone in the organization.  A given individual may not value everything in the module, but hopefully something will catch their attention – and that something may not even be the awareness materials as such, perhaps just a casual comment on the topic from someone who has attended a briefing.

Before you get going, consider your organization’s learning objectives.  Which aspects of social engineering are of most interest and concern?  Have there been any recent or significant incidents or near-misses that make it especially pertinent to the business?  What have you already done in the way of awareness and training in this area?  Are there particular awareness messages or themes you want to draw out this time around?  Any audiences deserving special attention?

Module 200 description

As well as customizing the NoticeBored materials to suit your awareness branding and objectives, feel free to blend in additional content.  Use the materials in company newsletters and magazines, your intranet Security Zone, awareness events and training courses, and for new employee induction or orientation.


Copyright © 2019 IsecT Ltd.