Beguiled by festive mood: Social engineering simulation test

5 minutes reading

If you came to work and saw a Christmas party poster enticing you to scan a QR code to get a “thrilling surprise,” would you cheerfully reach for your phone? If so, you swallowed the bait. Read more about the case of one social engineering simulation – and find out why you should always be cautious, not only while sitting in front of a screen.

The threat of social engineering continues to worry businesses of all sizes. Instead of focusing on the weak spots in your software defence, social engineering techniques make use of an element that is much harder to influence positively, and that’s predestined to fail from time to time – the human factor.

To remain protected from this threat, companies encourage their employees to improve their attentiveness and cyber-awareness in many ways: educational seminars, newsletters, quizzes – or even social engineering simulations.

Unconventional party

That was the case at one unnamed company, which tested its employees with a festive trick.

“This year, we have decided to hold a Christmas party in an unconventional way. We have a special Christmas surprise for you! Just scan the code. But hurry – the number of participants is limited!"

Employees found posters with similar text on the outside of their office doors. While some scanned the code, thrilled to see what awaited them on the link, others were suspicious, and some even reported the posters to the IT department.

Overreacting? Not at all. In fact, it was the last group that responded correctly. The posters were, in fact, put up by the IT team to test the degree of the employees’ awareness regarding social engineering techniques. The poster contained several clues suggesting that while the text seemingly invites employees to a festive party, it is a prime example of QR code phishing. Can you guess some of the hints?

  • First, the text on the poster was highly generic, with no information on when or where the party should take place. This made it easier for many employees from different departments to get caught.
  • Second, there was a sense of urgency, one of the most common and well-known signs of social engineering. The poster was also found at a place where almost anyone could have put it. A potential attacker would not even have to get all the way into the office premises, just access a public part of the building relatively easy to accomplish.
  • Finally, some employees uncovered the trick when they saw that the QR code leads to a page named “Christmas-Party-Surprise,” which had nothing to do with their company and was, once again, suspiciously generic.

Given that many companies aim to educate their employees on social engineering techniques in detail, especially because they are one of the most common cybersecurity threats, how is it possible that numerous employees still took the bait?

One possible explanation is that while people nowadays are more attentive when receiving an email or seeing a link online, they are not as careful when encountering similar dangers in the offline world. They may know that social engineering threats come in many forms, but when confronted with them, they are too trusting for their own good.

That is also why QR code phishing has become increasingly popular among cybercriminals. In recent years, authorities have dealt with many similar scams, such as recent QR code phishing campaigns in Texas, where hackers distributed stickers around a parking lot, asking the drivers to simply scan the code and pay for the parking online. Some drivers followed the instructions and then filled in their banking information, falling victim to the scam.

Don’t scan the scam

How can you prevent your employees from falling for such criminal efforts? Education is key. Don’t limit your instructions to the most common types of social engineering attacks, but also include those that have been a rarity until recently. Encourage your employees always to remain attentive to possible cyber-dangers. If they come across a QR code, they should ask themselves these questions before scanning it:

    • Is the code placed in a public space?
    • Is there anything under the sticker? Possibly another legitimate code?
    • Is the code accompanied by any typical signs of social engineering, such as a sense of urgency or text that is too generic?
    • When pointing the lens at the code and seeing the website’s name, does the address seem legitimate? Does it lead to a site of the organisation that allegedly displayed the QR code?
    • If I was to receive the same text or QR code via an email, would it seem suspicious to me?
    • If the QR code is in the work area, can I verify its authenticity, for instance, with the HR or IT team?

If your employees learn to pause for a moment and think about the legitimacy of what they see, they are already one step closer to being secure.

Are you tempted to try a social engineering simulation on your own employees? If so, don’t punish or humiliate those who fail to recognise your trick, but use the results to find out more about your company's cybersecurity awareness level. Training via simulation should not be a stressful experience but an opportunity to make more improvements.

How about you? Would you uncover the trick?