Social engineering prevention training prepares employees to make decisions and to trust themselves when they identify red flags.

It’s winter, so it was dark outside when the gently used clothing store was winding down to close for the night. There was a young employee closing the store. She had been with the company for a few years, working over break and between classes, and she was more than capable of handling the store on her own. She was counting the register when the store phone rang.

“Hi, this is Jenny from your local clothing store.  How can I help you?”

An older man responded.

“Hi Jenny.  This is Bill from the IRS.  I have an important matter to discuss with you.  Are your owners at the store now?”

“No, they are not here.  Would you like me to call them?”

“Actually Jenny, it’s time sensitive so I need you to help now.  Don’t call the owners. Your owners are in trouble because they are very late on taxes, and they owe the IRS a lot of money.  Are you familiar with the IRS?”

“Um…” Jenny said timidly.  “Yes.”

The man barely waited for her to respond.  “The IRS is a government agency. We’re launching an investigation and we don’t want you to be involved because your management team is corrupt.  Are you willing to cooperate?”

“Yes, of course.”  

“Great.  Thank you Jenny.  We need a payment in the next 15 minutes, or they will be too late.  We only need $1,750 right now. I need you to go to the gas station and buy gift cards, and then send me the barcode immediately.  There is no time to waste.”

________________

We know there are two possible outcomes to this story. But let’s face it… if she had ignored the scammer, I wouldn’t know the story to tell you.

My friend, the owner of the business, shook his head in disbelief.

“How did that happen?  There are a dozen red flags that she should have seen.”

I told him not to be too hard on her.  That was a scary situation, and good social engineering scams can fool anyone.  

What Is Social Engineering?

Social engineering is when someone attempts to manipulate people into performing actions or sharing confidential information. The story of the young retail employee was a perfect example of social engineering. The man impersonating the IRS attempted to manipulate her (and succeeded) into buying gift cards with money from the cash register, and then sending the barcodes to him.

Social engineering comes in various forms.

Phishing

Phishing is the best-known form of social engineering. Phishing is when a cyber criminal sends an email to their intended victims that asks for information that will be used against them, or asks the intended victim to download an attachment.

Phishing is so popular that we wrote an article on the 7 most common phishing emails, and how you, your family, and your employees can identify them.

Facebook Messenger

Another form of social engineering comes through common platforms that you might not expect. I had an interesting one come up this weekend: an old friend messaged me on Facebook, and we chatted like old friends do. How are you? What have you been up to lately? Then the old friend said they’ve been wanting to connect with me to tell me about a grant, which raised a red flag, but he worked for a nonprofit, so it was believable. A few messages later he told me that I could get $100,000 that I did not have to pay back through the grant, and asked if I was interested in learning more. At that point, I knew something was up. I called this person since I still had his number, and told him the situation. As suspected, it wasn’t him. He reported the user, and of course changed his passwords.

Vishing

Vishing is similar to phishing, but typically it’s done over the phone. V = voice. The example from the beginning of this post was an example of vishing. There has been a rise in similar attacks. We had an employee’s grandmother receive a call in which the scammer told her that it was her granddaughter’s friend. Her granddaughter was in the hospital, and couldn’t talk, but she needed money to pay for the emergency surgery. Fortunately, this sharp grandmother felt something was off, and offered to help, but only if she could call the hospital directly. Of course, the scammer pushed her into sending payment details immediately. This story does have a happy ending.

Social Engineering Creates a Challenge for Businesses

This creates a real challenge for businesses.  Social engineers are good at what they do, and they can be very convincing. By impersonating a customer, vendor, partner, or executive, a scammer can trick an employee into letting them into a locked building, sending a wire transfer, or even sharing their password.  

Social Engineering Prevention Training

The goal of social engineering prevention training is to raise employees’ awareness so that they can identify red flags. An employee (as silly as it sounds) might not know the IRS doesn’t accept payment in the form of iTunes gift cards over the phone, but teaching them that scams exist will prepare them when something like this happens. A more believable example that anyone can fall for relates to passwords. An employee might not know that an IT person should never need their password to do something. Period. So if someone asks for your password over the phone or via email, that’s an immediate red flag.

We went deep on this subject recently with 7 social engineering prevention training tips that everyone needs to know.

Employees Put The Company At Risk

We get it. You’re not alone. In the past we’ve had employees, investors, and business partners that did not take security seriously. We’ve helped them, along with hundreds of businesses and thousands of employees, to make employees active participants in cybersecurity so they would protect their business.

Our process is easy.

  1. Add employees to the platform
  2. Enroll them in an awareness campaign
  3. Monitor their progress

That’s it.  We promise to never create boring training videos and we will always strive to help you build a culture of awareness in your organization.

You can sign up for a free trial with full access, and you don’t even need a credit card to do it.
