Social engineering
#9187858
02/17/25 06:09 PM
|
Joined: Apr 2005
Posts: 21,480
TurkeyHunter
OP
determined
Some recent news spawned this topic. Have you been through any training on social engineering?
At my previous employer, a large multi-national, I had to complete several modules plus classroom training and pass tests.
Probably deal with it at work about once a week. I've also found it helpful on a personal basis as well. How about you?
|
|
|
Re: Social engineering
[Re: TurkeyHunter]
#9187867
02/17/25 06:15 PM
|
Joined: Jan 2014
Posts: 13,281
Paluxy
THF Celebrity
Yes, end users are the majority cause of all cybersecurity problems. Why hack when you can just get people to hand over their login credentials and then get them to actively participate in perpetuating the attack?
|
|
|
Re: Social engineering
[Re: TurkeyHunter]
#9187873
02/17/25 06:25 PM
|
Joined: Jan 2019
Posts: 4,788
10 Gauge
Extreme Tracker
I think it is terrible. The worst part about it is the way the higher ups adopt these ideas and pretend to support them to protect their careers. Our terminal manager chose this route and now his kids are trans/furry.
I say we were better off without it.
Joshua 1:9
|
|
|
Re: Social engineering
[Re: TurkeyHunter]
#9187874
02/17/25 06:33 PM
|
Joined: Mar 2010
Posts: 15,606
ntxtrapper
THF Celebrity
Some people don't know what even is.
|
|
|
Re: Social engineering
[Re: ntxtrapper]
#9187878
02/17/25 06:38 PM
|
Joined: Oct 2008
Posts: 18,654
68rustbucket
THF Celebrity
I’d be one of them.
|
|
|
Re: Social engineering
[Re: 68rustbucket]
#9187880
02/17/25 06:44 PM
|
Joined: Mar 2010
Posts: 15,606
ntxtrapper
THF Celebrity
Scams to get people to divulge personal information. More elaborate than most simple ones like phishing emails.
|
|
|
Re: Social engineering
[Re: ntxtrapper]
#9187894
02/17/25 07:21 PM
|
Joined: Apr 2005
Posts: 21,480
TurkeyHunter
OP
determined
It can be national level intelligence services if you work in certain areas, technology and larger companies.
|
|
|
Re: Social engineering
[Re: TurkeyHunter]
#9187895
02/17/25 07:21 PM
|
Joined: Sep 2012
Posts: 18,712
Jimbo1
THF Celebrity
Every year while working for the government.
Awake - Not Woke!
|
|
|
Re: Social engineering
[Re: Paluxy]
#9187896
02/17/25 07:24 PM
|
Joined: Apr 2007
Posts: 62,961
BOBO the Clown
kind of a big deal
Yep, we go through it quarterly.
"Far better it is to dare mighty things, to win glorious triumphs, even though checkered by failure, than to take rank with those poor spirits who neither enjoy much nor suffer much, b/c they know not victory nor defeat" - #26 TR
|
|
|
Re: Social engineering
[Re: TurkeyHunter]
#9187911
02/17/25 07:46 PM
|
Joined: Mar 2010
Posts: 15,606
ntxtrapper
THF Celebrity
Hillary’s emails blasted one all over Washington.
|
|
|
Re: Social engineering
[Re: TurkeyHunter]
#9188078
02/18/25 12:16 AM
|
Joined: Jan 2019
Posts: 4,788
10 Gauge
Extreme Tracker
I thought this was the internet EO/HR training gone woke with the gay flags, etc. I made that assumption because I have a liberal cousin with a degree in social engineering or something that sounds similar 🤷‍♂️
Joshua 1:9
|
|
|
Re: Social engineering
[Re: TurkeyHunter]
#9188091
02/18/25 12:33 AM
|
Joined: Jan 2007
Posts: 27,293
KRoyal
Texoma Legend
I constantly have social engineering rolling at my work. My staff have a button add-on in their Outlook client that they can use to alert the IT/Cyber team that they received something they think is a bad actor email. If the email is one that we have sent out, it tells them good job and that it was simulated from IT. We also have a leaderboard staff can check if they’d like to see who is winning and not clicking on things. If it’s not a simulated email, it sends a notification to us and we go check it out in the system. If it is a bad actor, we mark it depending on if it’s Spam, Phishing, or an actual Threat like Ransomware. Once it’s remediated, if it’s a clean email it gets sent back to the user that flagged it. If it’s bad, the sender automatically gets blocked.
It’s a fully automated system, so that if we send out simulated emails and someone opens one and clicks on a link or opens an attachment, they get a notification that they’ve clicked on a simulated phishing email and are now in the clicker tier one group. I have tiers 1-6 set up, and how much training a user has to do depends on how many times they click. If a user gets over 6 clicks, their access is locked until their supervisor can talk with them and make it clear that if they continue to put us at risk by clicking stupid things in their email, they could lose their job.
I believe the national benchmark is a 16.5% click rate; my organization is down to a 5.3% click rate. My staff are so scared to click on stuff that I get a lot of false positives. But I’d rather have that than the alternative of taking a hit and having an incident.
I also do physical social engineering by printing out QR codes and putting them in the break room; the QR code is linked to our training system as well. I put something like "fill out employee survey for a chance to win $25 Starbucks gift card" or something.
No one likes it and everyone thinks we’re out to get them, but that’s not the case. It’s nothing more than a training tool, and it’s much better me and my team getting them than some scammer.
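Added example, not part of KRoyal's post and not the product his team runs: a small Python model of the report-button triage and the clicker tiers described above. The class and method names, the rule that the tier number equals the click count, and the click-rate formula are assumptions made for illustration; the sample data is constructed.

```python
from dataclasses import dataclass, field

MAX_CLICKS = 6  # from the post: tiers 1-6, access locked once a user is over 6 clicks

@dataclass
class AwarenessProgram:
    simulated_ids: set                          # IDs of emails IT sent as simulations
    sent: int = 0                               # simulated emails delivered
    clicks: dict = field(default_factory=dict)  # user -> clicks on simulations
    locked: set = field(default_factory=set)    # users waiting on a supervisor talk
    queue: dict = field(default_factory=dict)   # msg_id -> (reporter, sender)
    blocked: set = field(default_factory=set)   # senders blocked after a bad verdict

    def report(self, user, msg_id, sender):     # user pressed the report button
        if msg_id in self.simulated_ids:
            return "good-job-simulated"
        self.queue[msg_id] = (user, sender)     # real mail: analysts review it
        return "queued-for-review"

    def verdict(self, msg_id, label):           # label: clean, spam, phishing, threat
        user, sender = self.queue.pop(msg_id)
        if label == "clean":
            return f"returned-to:{user}"
        self.blocked.add(sender)                # any bad verdict blocks the sender
        return f"blocked:{sender}"

    def click(self, user, msg_id):              # link clicked or attachment opened
        if msg_id not in self.simulated_ids:
            return "not-a-simulation"           # real click: incident handling instead
        n = self.clicks[user] = self.clicks.get(user, 0) + 1
        if n > MAX_CLICKS:
            self.locked.add(user)
            return "locked-pending-supervisor"
        return f"tier-{n}"                      # assumption: tier number = click count

    def click_rate(self):                       # assumption: clicks / delivered, percent
        return round(100 * sum(self.clicks.values()) / self.sent, 1) if self.sent else 0.0

def demo():
    p = AwarenessProgram(simulated_ids={"sim-01"}, sent=40)   # constructed data
    out = [p.report("ann", "sim-01", "it@example.com"),
           p.report("bob", "msg-77", "billing@invoice.test"),
           p.verdict("msg-77", "phishing"),
           p.click("cal", "sim-01"), p.click("cal", "sim-01")]
    return out, p.click_rate()

if __name__ == "__main__":
    print(demo())
```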
|
|
|
Re: Social engineering
[Re: KRoyal]
#9188116
02/18/25 01:16 AM
|
Joined: Mar 2010
Posts: 15,606
ntxtrapper
THF Celebrity
Are the QR codes to try and train them to not scan them?
|
|
|
Re: Social engineering
[Re: ntxtrapper]
#9188123
02/18/25 01:25 AM
|
Joined: Jan 2007
Posts: 27,293
KRoyal
Texoma Legend
It’s not necessarily to make them not scan QR codes. It’s to train them to be hyper aware of everything. There are “red flags” on all our social engineering. These are more so to train them to spot the red flags, like an email that is from HR but the email address is a Gmail account, or, on the QR code, the grammar will be pretty bad, as if it’s written by someone for whom English is a second language, like most scam emails you receive. So mainly just to slow down and be vigilant.
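Added example, not part of the post above: the "from HR but the address is a Gmail account" red flag as a Python header check a mail team could run on reported messages. It goes one step beyond the post by also flagging a Reply-To that points at a different domain than the sender. The corporate domain, the freemail list, the role keywords and the sample headers are all constructed assumptions.

```python
import re
from email.utils import parseaddr

CORP_DOMAINS = {"example.com"}                        # assumption: the org's mail domain
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # illustrative, not complete
# Display names that claim an internal department (word-bounded, so "Chris" != "HR")
ROLE = re.compile(r"\b(hr|human resources|payroll|it support|help ?desk)\b", re.I)

def _domain(header):
    """Lower-cased domain of the address in a From/Reply-To header, or ''."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def red_flags(from_header, reply_to=None):
    """Return the list of red flags raised by one message's sender headers."""
    flags = []
    display_name = parseaddr(from_header)[0]
    domain = _domain(from_header)
    # Claims to be an internal department but is not sent from the corporate domain
    if ROLE.search(display_name) and domain not in CORP_DOMAINS:
        flags.append("internal-role-from-freemail" if domain in FREEMAIL
                     else "internal-role-from-external-domain")
    # Replies would go somewhere other than the apparent sender
    reply_domain = _domain(reply_to)
    if reply_domain and reply_domain != domain:
        flags.append("reply-to-differs-from-sender")
    return flags

# Constructed sample headers: (From, Reply-To)
SAMPLES = [
    ('"HR Department" <hr.benefits@gmail.com>', None),
    ('"Human Resources" <hr@example.com>', None),
    ('"Chris Hunter" <chris@gmail.com>', None),
    ('"IT Support" <support@example.com>', "helpdesk@it-support-desk.test"),
    ('"Payroll" <payroll@pay-portal.test>', None),
]

def scan(samples=SAMPLES):
    """Map each sample From header to its red flags."""
    return {frm: red_flags(frm, rt) for frm, rt in samples}

if __name__ == "__main__":
    for frm, flags in scan().items():
        print(f"{frm:50} {flags or 'no flags'}")
```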
|
|
|
Re: Social engineering
[Re: KRoyal]
#9188130
02/18/25 01:31 AM
|
Joined: Mar 2010
Posts: 15,606
ntxtrapper
THF Celebrity
I'm sure you know much more about it than me, but my training was to never scan a QR code because a malicious one can contain small viruses or malware.
|
|
|
Re: Social engineering
[Re: TurkeyHunter]
#9188132
02/18/25 01:33 AM
|
Joined: Jan 2007
Posts: 27,293
KRoyal
Texoma Legend
Yes QR codes can definitely be bad but they’re a part of daily life these days so we don’t try to tell them not to ever scan them, it’s not really our place, but just don’t really scan them at work lol. Hell some restaurants you can’t even get a menu at these days without scanning a QR code.
|
|
|
Re: Social engineering
[Re: KRoyal]
#9188135
02/18/25 01:36 AM
|
Joined: Mar 2010
Posts: 15,606
ntxtrapper
THF Celebrity
Reason #137 I live in the woods
|
|
|