In-house prevention

Beguiled by festive mood: Social engineering simulation test

5 minutes reading

If you came to work and saw a Christmas party poster enticing you to scan a QR code to get a “thrilling surprise,” would you cheerfully reach for your phone? If so, you swallowed the bait. Read more about the case of one social engineering simulation – and find out why you should always be cautious, not only while sitting in front of a screen.

The threat of social engineering continues to worry businesses of all sizes. Instead of focusing on the weak spots in your software defence, social engineering techniques make use of an element that is much harder to positively influence and that’s predestined to fail from time to time – the human factor. To remain protected from this threat, companies encourage their employees to improve their attentiveness and cyber-awareness in many ways: educational seminars, newsletters, quizzes – or even social engineering simulations.

Unconventional party

That was the case at one unnamed company, which tested its employees with a festive trick.

“This year, we have decided to hold a Christmas party in an unconventional way. We have a special Christmas surprise for you! Just scan the code. But hurry – the number of participants is limited!”

Posters with similar text were found by employees on the outside of their office doors. While some scanned the code, thrilled to see what awaited them at the link, others were suspicious, and some even reported the posters to the IT department.

Overreacting? Not at all. It was the last group that responded correctly. The posters had in fact been put up by the IT team to test the employees’ awareness of social engineering techniques. The poster contained several clues suggesting that while the text seemingly invites employees to a festive party, it is a prime example of QR code phishing. Can you guess some of the hints?

First, the text on the poster was highly generic, with no information on when or where the party should take place. This made it easier for many employees from different departments to get caught. Second, there was a sense of urgency, one of the most common and well-known signs of social engineering. The poster was also found in a place where almost anyone could have put it. A potential attacker would not even have to get all the way into the office premises, just into a public part of the building, which is relatively easy to accomplish. Finally, some employees uncovered the trick when they saw that the QR code led to a page named “Christmas-Party-Surprise,” which had nothing to do with their company and which was, once again, suspiciously generic.

Given the fact that many companies aim at educating their employees on social engineering techniques in detail, especially because they are one of the most common cybersecurity threats, how is it possible that numerous employees still took the bait? One possible explanation is that while people nowadays are more attentive when receiving an email or seeing a link online, they are not as careful when they encounter similar dangers in the offline world. They may know that social engineering threats come in many forms, but when confronted with them, they are too trusting for their own good.

That is also why QR code phishing has become increasingly popular among cybercriminals. In recent years, authorities have dealt with many similar scams, such as recent QR code phishing campaigns in Texas, where hackers distributed stickers around a parking lot, asking the drivers to simply scan the code and pay for the parking online. Some drivers followed the instructions and then filled in their banking information, falling victim to the scam.

Don’t scan the scam

How can you prevent your employees from falling for such criminal efforts? Education is key. Don’t limit your instructions to the most common types of social engineering attacks, but also include those that were a rarity until recently. Encourage your employees to always remain attentive to possible cyber-dangers. If they come across a QR code, they should ask themselves these questions before scanning it:

  • Is the code placed in a public space?
  • Is there anything under the sticker? Possibly another, legitimate code?
  • Is the code accompanied by any typical signs of social engineering, such as a sense of urgency or text that is too generic?
  • When pointing the lens at the code and seeing the name of the website, does the address seem legitimate? Does it lead to a site of the organization that has, allegedly, displayed the QR code?
  • If I were to receive the same text or QR code via an email, would it seem suspicious to me?
  • If the QR code is in the work area, can I verify its authenticity, for instance with the HR or IT team?
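The fourth question above (does the address behind the code belong to the organization that allegedly displayed it, and does it carry the usual lure wording?) is one that an IT or security team can also turn into a small triage tool for links employees report. The following Python script is an added example, not code from the article or from the company it describes; it takes the URL decoded from a QR code and returns a list of findings, using a hypothetical allowlist of organization domains (`TRUSTED_DOMAINS`, an assumption) and a constructed list of lure words taken from the poster text.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical domains owned by the organization (assumption for the example).
TRUSTED_DOMAINS = ("example-corp.com", "intranet.example-corp.com")

# Constructed list of lure words typical of social engineering text.
URGENCY_WORDS = ("hurry", "limited", "now", "urgent", "surprise", "prize")


def host_in_trusted(host, trusted=TRUSTED_DOMAINS):
    """True only if host is an allowlisted domain or a real subdomain of one.

    Suffix matching is done on label boundaries, so a look-alike such as
    'example-corp.com.evil.example' does not pass.
    """
    host = host.lower().rstrip(".")
    for domain in trusted:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def assess_qr_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable warnings for a URL decoded from a QR code.

    An empty list means no red flags were found by these checks; it does not
    prove the link is safe, it only answers the checklist questions mechanically.
    """
    findings = []
    parsed = urlparse(url.strip())
    scheme = parsed.scheme.lower()

    # QR codes can carry non-web payloads (wifi:, tel:, mailto:); flag anything
    # that is not an ordinary web link, since the remaining checks assume one.
    if scheme not in ("http", "https"):
        findings.append(f"non-web scheme '{scheme or '(none)'}'")
        return findings
    if scheme == "http":
        findings.append("plain HTTP, no transport encryption")

    host = parsed.hostname or ""
    if not host:
        findings.append("no host in URL")
        return findings

    # A bare IP address instead of a hostname is rare for legitimate event pages.
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a hostname")
    except ValueError:
        pass

    # Punycode labels are how internationalized look-alike domains appear.
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode (IDN) hostname, possible look-alike domain")

    # 'https://trusted.example@evil.example/' shows the trusted name first.
    if "@" in parsed.netloc:
        findings.append("credentials embedded in URL (userinfo), classic obfuscation")

    if not host_in_trusted(host, trusted):
        findings.append(f"host '{host}' is not an organization domain")

    # Look for lure wording in the host, path and query (hyphens count as
    # word boundaries, so 'christmas-party-surprise' is caught).
    text = " ".join((host, parsed.path, parsed.query)).lower()
    hits = [w for w in URGENCY_WORDS if re.search(rf"\b{w}\b", text)]
    if hits:
        findings.append("urgency/lure wording in URL: " + ", ".join(hits))

    return findings


def is_suspicious(url, trusted=TRUSTED_DOMAINS):
    """Convenience wrapper: True if any finding was raised."""
    return bool(assess_qr_url(url, trusted))


if __name__ == "__main__":
    # Constructed sample payloads, modelled on the poster in the article.
    samples = [
        "https://christmas-party-surprise.example-events.net/join?hurry=1",
        "https://intranet.example-corp.com/events/holiday-party",
        "http://example-corp.com.evil.example/login",
    ]
    for sample in samples:
        print(sample)
        for finding in assess_qr_url(sample) or ["no red flags found"]:
            print("  -", finding)
```

The allowlist approach is deliberately strict: an unknown host is reported even when the page looks harmless, because the question the employee should be asking is not "does this look dangerous?" but "does this belong to us?". Extending `TRUSTED_DOMAINS` with the organization's real domains is the only configuration the script needs.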

If your employees learn to pause for a moment and think about the legitimacy of what they see, they are already one step closer to being secure.

Are you tempted to try a social engineering simulation on your own employees? If so, don’t punish or humiliate those who fail to recognize your trick, but rather, use the results to find out more about the level of cybersecurity awareness at your company. Training via simulation should not be a stressful experience, but an opportunity to make more improvements.

How about you? Would you uncover the trick?