A common saying is ” Amateurs Hack Systems, Professionals Hack People”. Social engineering is the art of manipulating people into performing actions or divulging confidential information. People fall for social engineering tricks based on their instinct to be helpful and trusting. The typical attacker never comes face-to-face with a victim using deception through email, social networks or over the phone.
Consultants list end-user training as a top prevention to defend against social engineering. How should you provide training for your user community? Here are some tips for educating your staff about common social engineering attacks.
Explain Why Policies Exist
It is common to see organizations send out policy reminders without explaining why they exist. The average user will delete a policy email once they realize its standard legal language.
Try explaining why users should care. For example, start off with a scenario about an email account being violated and or company data compromised. Include details about what social engineer tactic was used, investment by IT to clean up the issue and ways to avoid the threat. Close with the policy being enforced.
Provide Examples Beyond The Intranet
Organizations typically send warning emails to employees when they discover threats to internal sources. It is rare to see companies extend warnings about phishing or other external attacks. Try periodically sending out examples of different social engineering attacks highlighting what to look for and where they are common. Examples should include social networks, fake URLs, craiglist scams and threats using shareware. Your end-users can be targeted anywhere so educate on all forms of social engineering attacks. Continue reading