Teaching Users to Recognize and Avoid Social Engineering Scams
Social engineering scams are among the hardest attacks to defend against because technical safeguards alone cannot protect your organization once an employee has been persuaded to act on an attacker's behalf. The end goal of these scams can be highly technical (breaching your network and stealing sensitive data and files) or decidedly low-tech (gaining access to a store room or filing cabinet). Whatever the end game, social engineers build rapport to take advantage of the human tendency to be trusting and non-confrontational.
Assess the Threat
How susceptible are your employees to common social engineering threats like phishing and smishing (phony SMS messages)? How likely are members of your staff to pick up and plug in random USB drives? How much do your employees know about social engineering techniques and scams? If you’re not sure of those answers, our CyberStrength®, ThreatSim®, SmishGuru®, and USBGuru® assessments can help you find out.
- CyberStrength Knowledge Assessments – This tool allows you to ask employees scenario-based questions about social engineering and phishing. You will have direct access to the results, and employees will receive tips and guidance following each answer (whether correct or incorrect). You can also create customized questions to assess understanding of company policies and known issues.
- ThreatSim – This simulated attack tool allows you to send a variety of mock phishing emails to your employees and track the results. You can also use customizable Teachable Moments, which display practical tips at the time an employee falls for a mock attack.
- SmishGuru – Assess your employees by sending mock smishing messages to their mobile devices. You can track clicks and responses to different SMS/text messages. As with ThreatSim, Teachable Moments deliver practical advice to those employees who interact with a simulated attack.
- USBGuru – USB drives are pre-loaded with your messages and randomly placed in common areas within your workplace. If an employee plugs in one of these devices, a Teachable Moment will launch, letting them know what they did wrong and how they can prevent future issues.
Educate Your Employees to Utilize Best Practices
Understanding your level of susceptibility is one thing; changing employee behaviors is another. We can help you do both, but we believe that the education component is the real key to long-term risk reduction.
Our interactive training modules give your employees hands-on instruction about the different social engineering threats they may encounter inside and outside the workplace. Some of these threats are sophisticated, like carefully constructed spear phishing emails that tempt your employees to click malicious links, download dangerous attachments, or reveal confidential information. Others are far more low-tech, like social engineers who tailgate behind unsuspecting employees at secure entrances or impersonate coworkers or vendors over the phone.
In addition to our purpose-written, research-based educational content, our Training Jackets allow you to add custom and personalized content to the beginning and end of each module. You can insert notes about specific organizational policies, attach a training completion certificate, include a policy acknowledgement screen, and more.
Key modules to consider for your social engineering training efforts include the following:
- Social Engineering – This interactive module explains the concept of social engineering and introduces your employees to common methods and tactics used in these kinds of scams. We provide examples of real-world social engineering attacks and walk users through the process of identifying and avoiding these threats in the workplace and beyond.
- Email Security – This in-depth anti-phishing training educates users to recognize bait and traps commonly found in phishing emails. Your employees will learn to identify and avoid manipulative content, malicious and disguised links, dangerous attachments, inappropriate data requests, and other threats. Two styles of interactive, game-based training are available for this topic.
- Physical Security – Use this module to educate your employees about physically securing different types of data, guarding against loss from theft or malicious attack, and recognizing and addressing potential breaches.
- Data Protection and Destruction – We teach your employees about safe use of portable storage devices and media. They will also learn techniques for properly disposing of and destroying confidential data and files.
Whether they’re sophisticated or low-tech, social engineering threats are real and pose a serious risk to your organization’s physical and cyber security. Our interactive education options help your employees recognize and avoid common social engineering techniques and keep your people, areas, and assets secure.
Consider a Continuous Training Approach
A cycle of assessment, education, reinforcement, and measurement maximizes learning and lengthens retention. Our security awareness and training methodology is a continuous approach to risk reduction.
Consider pairing our social engineering assessments and education with our Security Awareness Materials to reinforce key messages in the workplace. And be sure to take advantage of our reporting tools to measure progress and tailor future efforts.
When you combine the four components of our methodology, you take a 360-degree view of security awareness and training, which can effectively change behaviors and reduce risk across all levels of your organization.