Social engineering awareness module for December
Background and scope
December’s NoticeBored module concerns information risks, controls and incidents
involving and affecting people:
Various types of social engineering attacks, scams, cons and frauds, phishing being just one of many topical examples;
Exploitation of information and people via social media, social networks, social apps and social proofing, e.g. fraudulent manipulation of brands and
reputations through fake customer feedback, blog comments etc.;
The social engineer's tradecraft, i.e. pretexts, spoofs, masquerading, psychological manipulation and coercion.
While there are many indiscriminate scams and cons in operation, most are relatively
minor (except, perhaps, ransomware). However, social engineering attacks and frauds specifically targeting the organization through its workforce are of greater concern.
Adversaries who patiently research us and our people through social media and social
networks stand a better chance of gaining our trust, reducing our wariness of unknown people and unusual requests, and so catching us off-guard. Being cautious about what
we reveal to outsiders makes their task that bit harder: a subtle but effective control.
Creative scammers are developing ever more sophisticated attacks, sometimes
combining hacking, malware, physical site penetration and social engineering methods. Business Email Compromise, for instance, is highly lucrative, some attacks netting tens of millions of dollars by tricking professionals into making fraudulent payments from
corporate bank accounts, bypassing the normal checking and authorization controls under the pretext of some trumped-up emergency. Tricking staff into installing malware or
changing a payee's bank account details are just two of the ploys in use.
Use December’s NoticeBored security awareness module to:
Brief workers on current information risks involving social engineering, social networking, social media, social apps, scams and frauds, in terms
they understand and contexts that make sense, offering pragmatic advice;
Emphasize the most serious of today’s social engineering threats such as phishing and business email compromise, blended/multimode attacks
and social engineering by trusted-but-untrustworthy insiders;
Demonstrate that the dangers are genuine, the impacts substantial;
Describe and promote the corresponding information security controls, particularly the human element given the limited effectiveness of
technical/cybersecurity controls against social engineering, with a mix of informational and stimulating content;
Motivate people to think - and most of all act - more securely. This is vitally important since social engineers actively exploit vulnerable people.
Workers’ vigilance and responsiveness are far and away the main controls, for example spotting, rebuffing and reporting scams, frauds and other social engineering attacks.
The module should be relevant and appeal to virtually everyone in the organization. A given individual may not value everything in the module, but
hopefully there will be something that catches their attention – and that something may not even be the awareness materials as such, perhaps just a
casual comment relating to the topic from someone who has attended a briefing.
Before you get going, consider your organization’s learning objectives. Which aspects of social engineering are of most interest and concern? Have there
been any recent or significant incidents or near-misses that make it especially pertinent to the business? What have you already done in the way of
awareness and training in this area? Are there particular awareness messages or themes you want to draw out this time around? Any audiences deserving special attention?
As well as customizing the NoticeBored materials to suit your awareness branding and objectives, feel free to blend in additional content. Use the
materials in company newsletters and magazines, your intranet Security Zone, in awareness events and training courses, and for new employee induction or orientation purposes.