Social Engineering - Questioning is King
Overview
Social engineering is the use of deception to manipulate people into divulging personal and confidential information, which may then be used for fraudulent purposes. Everyone is at risk from this, but you can take steps to minimize the threat.
Phishing
Perhaps the most well-known form of social engineering is phishing. Consider the scene: you receive an email from Parcel Force saying that the driver could not deliver a parcel to you. You likely see this kind of email every day, perhaps not always from Parcel Force, and maybe not even related to a delivery of any kind. When the email makes you think, "well, I wasn't expecting ..." your brain typically joins the dots and tells you that this is a scam, so you delete the email. All good. BUT what if you were waiting for a delivery at that very moment? Scammers send out millions of phishing emails. Of those that are not marked as spam and sent to the junk folder, a good number end up in someone's inbox, and a small percentage of those recipients are probably waiting for a delivery or expecting to receive an invoice, etc. A small percentage of a small percentage of a huge number can still be an enormous amount, and that's the very mathematics scammers use to make their living.
That's where we come in. AMITC can simulate this exact situation for your company but under safe, controlled conditions. For example, we can detect when recipients click on links or open attachments in our simulated phishing emails and, using this information, inform you which of your employees need further training to improve their cyber awareness.
Learn how to look at emails with a sceptical eye on our Cyber Tips blog page.
Fake Callers, Phony IDs and More
If your company is being specifically targeted, another tactic used by hackers is to try to obtain information such as usernames and passwords by claiming to be part of your organisation's IT Department. Or, if they're feeling particularly confident, they will adopt a more brazen approach and physically enter your building, presenting fake identification, in the hope that someone will grant them entry and even show them to the server room! Once they are in the building, they can carry out any number of invasive activities, such as planting Wi-Fi access points on your network, giving themselves direct access to it without having to resort to exploiting vulnerabilities. Another successful tactic can be to drop malware-laden USB memory drives in locations where your employees might find them, perhaps by the front door leading from the car park, hoping to exploit human curiosity so that an individual plugs one into their computer to see what is stored on it.
These tactics and more are all situations we can simulate for you, providing you with vital insights into your company's security and highlighting where training is necessary for your employees.