SOCIAL ENGINEERING TRAINING MANUAL
2021 Social Engineering Training Manual
October 11, 2021
Table of Contents
Introduction ... 2
Objectives ... 2
What is Social Engineering? ... 3
  How does Social Engineering work? ... 3
  What are they looking for? ... 4
  Why talk about Social Engineering? ... 4
Foundations of Social Engineering Attacks ... 5
3 Critical Success Factors ... 7
Types of Attacks and Real-world Examples ... 8
Social Engineering Statistics ... 9
The Dangers of Social Engineering ... 10
What is Phishing? ... 11
  Characteristics of Phishing Attacks ... 11
  What happens with a Phishing attack? ... 12
  How to spot a Phishing attack? ... 12
  Clues for detecting Phishing emails ... 12
  How to check Phishing emails? ... 13
What is Vishing? ... 18
  What happens in a vishing attack? ... 18
  How to spot a vishing attack? ... 19
What is Ransomware? ... 19
  How to prevent Ransomware? ... 20
What is Electronic Identity Theft? ... 21
  How to protect against Electronic Identity Theft? ... 21
  What are the possible information leaks? ... 22
  What should you do? ... 22
  Who are you helping? ... 23
Social Engineering at the Workplace ... 24
  Whom should you contact in case you suspect you are a victim of Social Engineering? ... 24
  Dos and Don'ts ... 24
Summary ... 25
Terms and Definitions ... 25
Introduction
This training is conducted to:
• Prepare you to defend against and combat possible social engineering techniques, and to notice the improvements needed in day-to-day operations.
• Understand common types of attacks, their foundations, and the factors that make them successful.
• Create awareness of what social engineering attacks look like and how you can avoid becoming a victim or a source of these attacks.
Objectives
Upon completion of this training, you will be able to:
• Define what "Social Engineering" is, how it happens, and why it happens.
• Identify the relevance of Social Engineering and how you can help to protect Tracfone's assets as well as its customers and call center assets.
• Know who to contact in case of any issues or questions regarding Social Engineering.
A very important note
Social Engineering may happen not only at the workplace but also in your personal life. This possibility alone is reason enough to take this training seriously, to prevent hackers from stealing your information.
What is Social Engineering?
Social Engineering is a technique of manipulating or tricking people so that they reveal confidential information.
How does Social Engineering work?
The data obtained is used to pose as the rightful person or organization in order to gain access to systems and perform adverse actions.
What are they looking for?
The types of information can vary, but usually, these criminals will trick people into giving them their
passwords, bank information, or access to people’s computers to secretly install malicious software that will
provide them with access to people’s passwords and bank information.
Why talk about Social Engineering?
Social Engineering is a manipulation technique that takes advantage of human error, so a solid knowledge
base will help your brain function more effectively and smartly when these attacks happen.
Foundations of Social Engineering Attacks
These are the 5 Emotional Traits used in Social Engineering attacks.
Fear: They may pose as a boss asking for updates on proprietary projects the company is currently working on, or for payment information, or pose as a legal authority soliciting input to produce objective evidence and testimony.
Greed: They fuel people's selfish desire for more wealth. They will email you that you won the lottery, or that you are one of the first 50 persons to click on their website, and that to claim your "winnings" you must provide personal information.
Curiosity: They use schemes that appear to offer an amazingly great deal on classified sites, trending movies, or music; once you want to know what they are, you will be asked to enter confidential information before you can download them.
Urgency: Scammers want you to act before you think. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical. Never let their speed influence your careful judgment. It only takes one click to compromise an entire network.
Helpfulness: Attackers prey on your kindness and generosity. They will tell you that your friend is stuck in a foreign country, robbed and beaten, that you are the only person they can contact, and how to send the money (which goes to the criminal).
3 Critical Success Factors
Convenience: Many prefer comfort to security and therefore set up passwords that favor convenience. Many use the same weak passwords for all their online accounts, including bank accounts, because they are simpler to remember.
Relationship: After obtaining the trust of their unsuspecting victims, attackers exploit the relationship and persuade victims to divulge more information than they should by mentioning names of prominent people in the organization, or they may even brag about their own authority in the organization.
Trust: It is human to be trusting and sometimes gullible. People want to help, especially when the request seems reasonable, while fraudsters understand standard thought processes, habits, and behaviors and have mastered the art of manipulating these emotional vulnerabilities.
Types of Attacks and Real-world Examples
Case #1: Microsoft database leaked because of employee negligence
What happened? At the end of December 2019, a security researcher discovered a publicly accessible Microsoft customer support database that contained 250 million entries accumulated over 14 years. The database included support cases and details, emails and IP addresses of customers, customers' geographical locations, and notes made by Microsoft support agents. The database was publicly accessible for about a month. Microsoft secured it the same day the breach was reported.
Why did it happen? At the beginning of December 2019, Microsoft deployed a new version of Azure security rules. Microsoft employees misconfigured those rules and caused the accidental leak. Access to the database wasn't protected with a password or two-factor authentication. Also, the company could have reduced the detection time significantly by monitoring user records and reviewing activity with sensitive assets.
Case #2: Marriott leaked data because of a compromised third-party app
What happened? In January 2020, hackers abused a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. These records included contact information, gender, birthdays, loyalty account details, and personal preferences. Marriott's security team noticed suspicious activity and sealed the insider-caused security breach at the end of February 2020.
Why did it happen? The attackers compromised the credentials of two Marriott employees to log in to one of the hotel chain's third-party applications. Marriott's cybersecurity systems didn't notice the suspicious activity of these employees' profiles for two months. Marriott could have detected the breach with third-party vendor monitoring and user and entity behavior analytics before hackers accessed clients' data.
Case #3: Twitter users scammed because of phished employees
What happened? In July 2020, hackers gained access to 130 private and corporate Twitter accounts with at least a million followers. They used 45 of these accounts to promote a Bitcoin scam. The list of hacked accounts includes those of Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Michael Bloomberg, Apple, Uber, and other notable individuals and companies.
Why did it happen? Twitter employees became victims of a chain of spear phishing attacks. Hackers gathered information on company employees working from home, contacted them, introduced themselves as Twitter IT administrators, and asked for user credentials. Using these compromised accounts, the attackers then gained access to administrator tools. With these tools, they reset the accounts of famous Twitter users, changed their credentials, and tweeted scam messages. Twitter didn't notice the suspicious activity in the admin tool until the scam messages were published and noticed by the press.
Source: https://www.ekransystem.com/en/blog/real-life-examples-insider-threat-caused-breaches
Social Engineering Statistics
• 50% of cyber-attacks today target a network and those connected via a supply chain. Further, in 2018, supply chain attacks increased by 78%.
• Ransomware will continue to be the #1 threat.
• 92% of malware is delivered by email.
• 60% of breaches in 2019 involved unpatched vulnerabilities.
• Cybercrime has increased by 600% since the beginning of the global pandemic.
• A 2020 report conducted by Sonatype also found that supply chain attacks on open-source software surged by 430%.
Estimated global damage (billions): 2018: $8.00; 2019: $11.50; 2020: $20.50.
The Dangers of Social Engineering
Social Engineers are limited only by their imagination; therefore, the possibilities are endless.
What is Phishing?
Phishing is one type of social engineering that uses legitimate-looking email or websites to trick you into disclosing sensitive information.
The objective is to steal your identity for financial gain, to commit crimes in your name, or to access your organization's computer system.
Phishing can occur on the user side or the server side.
Keep in mind phishing = to fish. What can I catch?
Characteristics of Phishing Attacks
• Use email or pop-ups.
• Appear to be from a legitimate source.
• Request personal or sensitive information.
• Claim you must update or validate the information.
• Typically threaten dire consequences.
• Often contain spelling or grammatical errors.
• Could ask you to download a file.
• Could direct you to a website that looks real.
What happens with a Phishing attack?
First, if you receive the communication but do not disclose anything, nothing will happen. This is because phishing itself does not install anything on your system or cell phone.
If you disclose your information, the attacker can take over your account and act as if they were you (identity theft). It can lead to loss of data, money, or legal issues.
How to spot a Phishing attack?
• The message or website is not well constructed.
• The text of the email comes with some weird offerings.
• The mail asks you to type in your password to get access to the attachment.
• Someone is asking for your account, personal, or confidential information.
Clues for detecting Phishing emails
When you receive a suspicious email, check for the indicators of the email being a phishing attempt:
• Contextual relevancy: Does the email directly concern you, or is it unsolicited and unrelated to your job functions?
• It claims to be urgent or threatens dire consequences.
• It requests an action from you: click, download, or log in. Every time you receive an email that asks you to click on a link or download an attachment, you should pause to evaluate its validity.
• It requests that you disclose personal or sensitive information.
How to check Phishing emails?
• The "From" field contains an unknown or non-verifiable address.
• The "To" field is not addressed directly to you, is empty, or includes random addresses or non-verifiable aliases.
• It provides a link with an IP address, a link that does not match its description when the mouse is positioned on top of it, or a link that contains an unusual spelling.
• The name, title, and phone number of the sender are not provided or are non-verifiable.
Example of a suspicious email:
Re: JOB OFFER *** Urgent Response Needed
From: Chuck McDonald (Lado@withkor.com)
To:
Work and Earn $400 to $500 weekly!
Sunjing Textiles Import & Export Corp Ltd. is A partner of choice for leading global brands in
textile manufacturing.we are looking for reputable people across the UNITED STATE,
UNITED KINGDOM AND EUROPE who will work for us as a payment receiving personnel and
serves as our representatives in there area.
DUTY: The payment receiving personnel receives payments from our customers located
within their business area ( CITY,STATE,). He/she will report directly to the payments office
via email, telephone or fax.
NOTE: This Job is a part- time Job and has been designed in such a way that it does not
affect your regular daily work.
EMPLOYMENT FORM(FILL WITH CORRECT AND COMPLETE INFO)
Please click here to fill out the Job Application.
This is an example of a typical e-mail that should be treated with suspicion. Let's apply the indicators provided before to help determine whether it is legitimate:
First: This is an unsolicited email, since you have not contacted this company directly requesting a job.
Second: It claims to be "Urgent". This is often done to get you to answer it quickly without thinking.
Third: It requests an action from you: "Please click here to fill out the Job Application".
Fourth: It requests personal and sensitive information: your name, address, phone number, your current employer, position, and what type of computer equipment you use for your current job.
Fifth: The sender is someone that you don't know, the name does not coincide with the email address next to it, and you have no way of verifying whether this email address is valid at all.
Sixth: It is not addressed directly to your email address; the recipient is left blank. Criminals who send out phishing scams send out millions of messages to randomly generated email addresses with the hope that someone will fall for it.
Seventh: The link provided is not an IP address, but when you place your mouse pointer on top of it without clicking, it displays a link that does not match the supposed company name of Sunjing Textiles Import & Export Corp, as seen in this example.
Eighth: The sender provides a name and title, but since it is from a third party you don't have a way to verify their validity.
All the checks above indicate that this is a classic example of a phishing attempt. But the biggest clue of all should come from common sense. This email offers a part-time job that pays up to $500 per week, in combination with your regular daily work. As common sense would indicate: "If it sounds too good to be true, it probably is".
Another example of a legitimate-looking Phishing email
This second email is an example of a legitimate-looking e-mail that is a phishing scam. Let's review the clues that could indicate to you that this email should be treated with caution. We'll apply the same checklist we applied to the email we reviewed before:
First: This email might or might not concern you. You are a TracFone employee, but you do not necessarily have the obligation to test a portal that has not been officially released.
Second: The email does not claim the action required to be urgent, but it still appeals to people's natural desire to be helpful.
Third: It requests an action from you: "Simply click that link and login to the Portal". As we said before, every time you receive an email that asks you to click on a link or download an attachment, you should pause to evaluate its validity.
Fourth: It asks you to disclose sensitive information: it says you will need to log in to the portal, which implies providing your credentials.
Sixth: The sender's address is a valid TracFone email: "support@tracfone.com". This email address does exist at TracFone, and you can verify that by checking the address book in Outlook. But consider that it is a very common and easily guessable address. A hacker could have used this address since there is a good chance that the 'support' alias exists in most organizations. Other accounts that commonly exist in most organizations are service@, usersupport@, helpdesk@, operations@, etc.
Seventh: The link provided is an IP address instead of the name of a website (URL). Commonly, emails requesting you to click on a link will provide a domain name instead of a numeric address. This is mostly to provide ease of use, since it is typically easier for people to remember a name than a group of numbers. But in this case, registering a false domain name that would be close enough to the real one not to raise suspicion would have taken extra effort from the hacker. If you have knowledge of TracFone's IP address ranges, you might notice that this is not an internal TracFone IP address. Since most TracFone users are not familiar with our range of IP addresses, making that judgment by looking at the IP alone may not be possible. More technically savvy users could check the IP address provided in one of the free Internet lookup services, such as 'ip-lookup.net' or 'whois.net'. By doing this, they will realize that the IP address provided does not belong to TracFone. Still, this would not be definitive proof of the email being a phishing email, as we do sometimes work with third-party sites.
Eighth: The sender's signature is generic. There is no name, title, or phone number to call for verification. It only says "TracFone Support Team". This makes it difficult for the receiver to identify who to contact to verify the email.
Most of the checks from our list apply to this email. So, if you receive an email such as the one we just reviewed, what should you do?
If you think the action being requested is important and you don't want to ignore it by deleting the mail, contact the person or department sending the email over the phone to verify its authenticity. In any case, do not click the link until you have verified its validity with the sender. Do not click on any link that will download a file to your computer without first making sure that you can trust the source. If you are not able to validate the authenticity of an email like this, just delete it.
JUST DELETE IT
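Both emails reviewed above (the job offer and the portal-login request) were judged against the same checklist. The Python script below is an added example, not part of the manual or of TracFone's tooling: it encodes the manual's indicators as automated checks over a raw message. The two sample messages are constructed to resemble the manual's examples, and the internal_domains parameter, keyword lists and regular expressions are this example's own assumptions.

```python
"""Score a raw email against the manual's phishing checklist (added example)."""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Link whose host is a bare IPv4 address (the manual's "link with an IP address").
IP_LINK = re.compile(r"^https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?:/|$)", re.I)
# Anchor tags: capture the real href and the visible link text.
ANCHOR = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_HOST = re.compile(r"^https?://([^/:?#]+)", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
URGENT_WORDS = ("urgent", "immediately", "act now", "within 24 hours")
ACTION_WORDS = ("click here", "click that link", "login", "log in", "download", "fill out")
# Easily guessed mailbox names the manual says exist in most organizations.
GENERIC_ALIASES = ("support", "service", "usersupport", "helpdesk", "operations")


def check_email(raw: str, internal_domains=()) -> dict:
    """Return {indicator: explanation} for every checklist item the message trips.

    internal_domains (assumed parameter): sender domains you can verify in the
    address book; any other sender is treated as unknown.
    """
    msg = Parser(policy=policy.default).parsestr(raw)
    findings = {}

    # "From" field: unknown address, display name that does not match the
    # mailbox (e.g. "Chuck McDonald" vs Lado@...), or a generic alias.
    name, addr = parseaddr(str(msg.get("From") or ""))
    local, _, domain = addr.lower().partition("@")
    if not addr or (internal_domains and domain not in internal_domains):
        findings["from"] = f"sender {addr or '(none)'} is unknown or not verifiable"
    words = [w.lower() for w in re.findall(r"[A-Za-z]{3,}", name)]
    if words and not any(w in local for w in words):
        findings["from_name"] = f'display name "{name}" does not match mailbox {addr}'
    if local in GENERIC_ALIASES:
        findings["generic_sender"] = f"'{local}@' is an easily guessable alias"

    # "To" field: blank or missing recipient.
    if not str(msg.get("To") or "").strip():
        findings["to"] = "'To' field is empty or not addressed to you"

    # Body with tags stripped, for the wording checks.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    plain = re.sub(r"<[^>]+>", " ", html)
    lowered = (str(msg.get("Subject") or "") + "\n" + plain).lower()
    if any(w in lowered for w in URGENT_WORDS):
        findings["urgency"] = "claims to be urgent"
    if any(w in lowered for w in ACTION_WORDS):
        findings["action"] = "asks you to click, download or log in"

    # Links: numeric address, visible text that differs from the real target, or
    # (weak signal, third-party sites are sometimes legitimate) a host outside
    # the sender's domain.
    for href, anchor in ANCHOR.findall(html):
        m = URL_HOST.match(href)
        host = m.group(1).lower() if m else ""
        if IP_LINK.match(href):
            findings["ip_link"] = f"link points at a numeric address: {href}"
        shown = re.sub(r"<[^>]+>", "", anchor).strip().lower()
        shown_m = URL_HOST.match(shown)
        if shown_m and shown_m.group(1) != host:
            findings["link_mismatch"] = f'link shows "{shown}" but goes to {href}'
        elif host and domain and not host.endswith(domain):
            findings["link_domain"] = f"link host {host} is outside sender domain {domain}"

    # Signature: no phone number to call back for verification.
    if not PHONE.search(plain):
        findings["no_contact"] = "no phone number or verifiable signature"
    return findings


def is_suspicious(findings: dict, threshold: int = 3) -> bool:
    """Manual's rule of thumb: several indicators together mean verify by phone or delete."""
    return len(findings) >= threshold


# Constructed sample modelled on the manual's job-offer email (not the real message).
JOB_OFFER = """\
From: Chuck McDonald <Lado@withkor.com>
Subject: Re: JOB OFFER *** Urgent Response Needed
Content-Type: text/html; charset=utf-8

<p>Work and Earn $400 to $500 weekly!</p>
<p>EMPLOYMENT FORM (FILL WITH CORRECT AND COMPLETE INFO)</p>
<p>Please <a href="http://jobs-apply.example.net/form">click here</a> to fill out the Job Application.</p>
"""

# Constructed sample modelled on the manual's portal-login email; example.com stands
# in for the company domain and 203.0.113.7 is a documentation-range address.
PORTAL_LOGIN = """\
From: TracFone Support Team <support@example.com>
To: employee@example.com
Subject: New employee portal
Content-Type: text/html; charset=utf-8

<p>We need your help testing the new portal before it is released.</p>
<p>Simply click that link and login to the <a href="http://203.0.113.7/portal">Portal</a>.</p>
<p>TracFone Support Team</p>
"""

if __name__ == "__main__":
    for label, raw in (("job offer", JOB_OFFER), ("portal login", PORTAL_LOGIN)):
        hits = check_email(raw, internal_domains=("example.com",))
        print(f"{label}: {len(hits)} indicators, suspicious={is_suspicious(hits)}")
        for key, why in hits.items():
            print(f"  - {key}: {why}")
```

Run as a script to see which of the manual's checks each sample message trips; the job offer fails the sender, recipient, urgency, action and signature checks, while the portal message passes the sender checks but fails on the generic alias, the numeric link and the generic signature.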
What is Vishing?
Vishing is phishing made by voice, a voice scam. Just like phishing, vishing tries to collect personal/private information via a voice call. It can be the most common type of attack we can suffer at the call center.
What happens in a vishing attack?
Like phishing or smishing, vishing relies on convincing victims that responding to the caller is the right thing to do. Often the caller will pretend to be calling from the government, the tax department, the police, or the victim's bank.
Cybercriminals use threats and clear language to make victims feel as though they have no other option than to provide the information being asked of them. Some cybercriminals use strong and forceful language, and others suggest they are helping the victim to avoid criminal charges. A second and common tactic is to leave threatening voicemails that tell the recipient to call back immediately, or they risk being arrested, having bank accounts shut down, or worse.
A hacker can also act as a legitimate customer to steal or take over customer information.
Remember, if you don't provide anything, the hacker can't affect you.
How to spot a vishing attack?
• A red flag is any call where the caller asks for information on the account rather than providing information.
• A caller claims to be the account owner, but there's no way of proving it.
• A caller claims to be your bank and asks for your card info and PIN.
• You get a call claiming to be from your government and asking for your ID number or any other personal information.
Keep in mind that this can also affect you if you are a chat agent or email user.
What is Ransomware?
Ransomware is malicious software (a program). It infects your system via a download, an email attachment, or even illegal videos (movie downloads). Once inside your system, the program takes possession of all your files, such as Word and Excel documents, and makes them impossible to use unless you pay the RANSOM.
How to prevent Ransomware?
Never click on unsafe links: Avoid clicking on links in spam messages or on unknown websites; yes, that includes free movie websites. If you click on malicious links, an automatic download could be started, which could lead to your computer being infected.
Avoid disclosing personal information: Remember what you have learned about Phishing and Vishing. Do not reply if you receive a call, text message, or email from an untrusted source requesting personal information. Any information can be used later to "tailor the attack."
Do not open suspicious email attachments: Ransomware can also find its way to your device through email attachments. It is the same as using unsafe sites.
Never use unknown USB sticks: Never connect USB sticks or other storage media from someone you do not know to your computer. Ransomware can reside there.
Keep your programs and operating system up to date: Regularly update your operating system, programs, and antivirus software.
Use only known download sources: Never download software or media files from unknown sites, to minimize the risk of downloading ransomware.
Use VPN services on public Wi-Fi networks: Using a VPN on public Wi-Fi networks is a sensible protective measure against ransomware. When using a public Wi-Fi network, your computer is more vulnerable to attacks because anyone can use the same network and exploit your system's weaknesses. If you use a VPN, all your traffic is secured and encrypted.
What is Electronic Identity Theft?
• Acting or pretending to be a third party without authorization. It happens when the hacker retrieves information from the targeted victim.
• Overall, this is stealing your digital persona.
How to protect against Electronic Identity Theft?
If you are the end-user, use all that you have learned to prevent phishing and vishing:
▪ Do not provide passwords, security questions, or usernames if the authentication process is not correct.
▪ Always make sure to use the actual website. Type your bank's website address; do not click on links received via mail.
If you are the one assisting the customer:
▪ Never provide personal information; remember, the customer is the one who must identify himself.
▪ Keep in mind to be polite, and do not give in to caller pressure. In the end, by protecting the customer's account, you are helping him.
What are the possible information leaks, and what should you do?
Customer information: Always follow the security guidelines. Remember, if you own the account, you know yourself.
Your account information: Use the direct website. Never provide more than what is needed.
VPN connection set-up: Change your password. Contact your provider or your supervisor.
Emails that are not needed to assist the customer: Never provide information if something seems to be wrong. Remember, you are in control.
Account information: Never provide personal information.
Who are you helping?
You are responsible for whatever happens to your access. Always remind yourself of the Workstation and Password Usage Policy.
Keep in mind that Social Engineering is a way to steal information.
If you keep the information safe, you help everyone, not the criminals.
If you keep the customer information safe, you protect Tracfone. You protect yourself.
You are responsible for calling the helpdesk to have your password reset should your access be revoked. You will be required to provide your ID and your unique PIN to have your access reinstated. You will only contact the helpdesk to reset your own password. Under no circumstances will you ever call on behalf of another customer service representative or staff member.
Your credentials identify you to the system. The computer system tracks all entries and attributes them to the person who made them. If anyone uses your password in a way that results in errors or fraud, you will be held accountable for such action.
These rules are critical. Any employee who willfully disregards these rules and regulations is subject to discipline, up to and including removal from the TracFone account as a service representative or staff member.
Furthermore, you also agree to help safeguard the privacy expectations of all TracFone Wireless customers by exercising diligence and care in the handling of confidential information relating to the customer.
Social Engineering at the Workplace
Here are some of the Social Engineering attacks that may happen at the workplace.
• A caller claiming to be a customer starts a conversation but suddenly asks for information such as a PIN.
• A caller claiming to be a customer requests a SIM swap or account update but cannot prove his identity.
• A caller claiming to be a customer asks for a PIN, address, last four (4) digits of the credit card, or more information without providing anything to identify himself as the owner.
• A caller claiming to be a customer asks for passwords and other information for the My Account app.
Real customers are glad to hear about the security process. Hackers will try to avoid it and sometimes threaten to report you to someone.
Whom should you contact in case you suspect you are a victim of Social Engineering?
Contact any authority from the operations floor. Make sure to keep key details:
✓ Date and time
✓ Account number/MIN
✓ The inquiry made during the interaction
✓ Phone number or name of the person who made the call
✓ Was the transaction processed?
✓ Brief description of what happened and why you believe it is suspicious
Dos and Don'ts
Dos:
▪ Follow Security Guidelines and Account verification.
▪ Always take care of your personal information.
▪ Never share passwords, Security Questions, or PINs.
▪ Remember, the customer knows the information.
Don'ts:
▪ Provide PIN numbers or personal information.
▪ Let hackers push you. If you're the customer, make sure that calls are legit.
Summary
• Social Engineering attacks users.
• If the hacker gets enough information, he can act as if he were you.
• Always follow the security guidelines.
• Never share your passwords.
• Never give access to your system.
• Never provide confidential information.
Terms and Definitions
Social Engineering: A technique of manipulating or tricking people so they reveal confidential information.
Phishing: A social engineering technique where the attacker contacts the victim and tries to get sensitive information provided by the victim voluntarily.
Vishing: Phishing made by voice, a voice scam. Just like phishing, vishing tries to collect personal/private information via a voice call.
Ransomware: Malicious software (a program). It infects your system via a download, an email attachment, or even illegal videos (movie downloads).
Electronic Identity Theft: Acting or pretending to be a third party without authorization. It happens when the hacker retrieves information from the targeted victim.