December 2019 sees the release of our 200th security awareness and training module, this one covering social engineering. The topic was planned to coincide with the end of year holiday period - peak hunting season for social engineers on the prowl, including those portly, bearded gentlemen in red suits, allegedly carrying sacks full of presents down chimneys. Yeah right!
I'm fascinated by the paradox at the heart of social engineering. Certain humans threaten our interests by exploiting or harming our information. They are the tricksters, scammers, con-artists and fraudsters who evade our beautiful technological and physical security controls, exploiting the vulnerable underbelly of information security: the people. At the same time, humans are intimately involved in protecting and legitimately exploiting information for beneficial purposes. We depend on our good people to protect us against the bad people.
Vigilance is often the only remaining hurdle to be overcome, making security awareness and training crucial to our defense. It’s do or die, quite literally in some cases!
The module concerns information risks, controls and incidents involving and affecting people:
- Various types of social engineering attacks, scams, cons and frauds – phishing being just one of many topical examples;
- Exploitation of information and people via social media, social networks, social apps and social proofing e.g. fraudulent manipulation of brands and reputations through fake customer feedback, blog comments etc.;
- The social engineer’s tradecraft i.e. pretexts, spoofs, masquerading, psychological manipulation and coercion.
While there are many indiscriminate scams and cons in operation, most are relatively minor (except, perhaps, ransomware). However, social engineering attacks and frauds specifically targeting the organization through its workforce are of greater concern.
Adversaries who patiently research us and our people through social media and social networks stand a better chance of gaining our trust, lowering our wariness of unknown people and unusual requests, and so catching us off-guard. Being cautious about what we reveal to outsiders makes their task that bit harder: a subtle but effective control.
Creative scammers are developing ever more sophisticated attacks, sometimes combining hacking, malware, physical site penetration and social engineering methods. Business Email Compromise, for instance, is highly lucrative, some attacks netting tens of millions of dollars by tricking professionals into making fraudulent payments from corporate bank accounts, bypassing the normal checking and authorization controls on the strength of some trumped-up emergency. Tricking staff into installing malware, or into changing payee account numbers, is just one more of their cunning tricks.
I'm especially pleased with these three A-to-Z guides covering social engineering scams, techniques and controls respectively - a neat set with plenty of meaty content in an engaging format.
Buy the materials today at SecAware.com and download them instantly: all our content is electronic, provided as MS Office files mostly, so that you can customize and adapt them to suit your specific needs. If you don't like our logo, swap it for yours. If our version of a social engineering policy doesn't quite work for your organization, hack it about as much as you like.