Do you know who is calling you? In many cases, employees trust caller ID or a familiar name, which allows callers to build trust and potentially exploit them. Vishing (voice-based social engineering) is a practice where verbal communication is used to deceive a potential victim. Similar to phishing, the aim is to compel an individual to either provide information or take an action, which can be used for network penetration or identity theft. The problem is so pervasive that the IRS listed phone scams as number two on its list of Dirty Dozen threats. This trend may not ease up soon. Financial Fraud Action UK noted in its 2017 Fraud the Facts report that there was a two percent increase in all fraud types in 2016, including themes involving impersonation and deception.

As this threat continues to grow, some organizations are integrating vishing simulation testing into their security awareness programs to build resistance to this threat among the population.



There are different approaches to getting started.

Purchase: This can include buying either a script or an automated system that essentially robo-calls employees to try to obtain information or convince them to take an action. Even though you can reach more targets with robo-calls, they may be less effective because there is no human on the other end of the line. In addition, prewritten scripts may not be very adaptable to your organization's environment.

Build: This involves creating the framework, which includes developing the strategy, script and goals. Although time consuming and difficult to implement, it allows you the flexibility to build something specific to your organization. That is where the rest of this article is focused along with the phases of development and rollout.



Vishing campaigns need to be carefully crafted to ensure success. This requires planning and a basic understanding of the types of threats and the human reaction to strangers. Here are some elements to include in the strategy:

  • Goal: What do you want the campaign to accomplish? Is there a specific outcome you want to measure? Has your organization been exposed to certain threats that you want the population to train on?
  • Scenario: What is the topic that is going to be covered in the campaign? For example, the topic could be an end-of-year asset audit or a software update.
  • Main flag(s): What specific information or action should be captured in the campaign (e.g. employee name, employee number, MAC address, clicking on a URL)?
  • Secondary flags: This can be optional information collected depending on how the call goes, and it may or may not be related to the scenario.
  • Target: What team or department will be the focus? 


When first starting out, keep the strategy simple. There will be a lot of lessons learned, and you can build complexity as you gain experience.


Developing the script

Similar to phishing, there are elements of the communication that will need to be developed and refined. 

This can be in different forms but one option is the following:

  • Introduction: This includes the greeting and helping the target understand who you are. Done correctly, this helps to put the target at ease so you can proceed to the next stage.
  • Reason for Calling: A sense of authority is important.  Provide background on why you are calling them.  You can even allude to an existing business relationship. You can potentially start collecting some of the flags at this stage such as name and employee number.
  • Ask: Here is where you start focusing on the flags to be collected. Once the target understands who is calling them and why, it is time to gather as much information as possible. Examples include system information and hardware and software used at the company.
  • Sense of urgency: Depending on the cooperation level of the target and the scenario, you may need to give a deadline for collecting the information you need.  In some cases, the pressure can potentially lead to improved cooperation.  Mentioning that you are calling about a technology audit could be a good fit. 
  • Conclusion: Having a decisive and positive end to the call is important.  Thanking the target for the information helps alleviate their suspicion level whether they were cooperative or not.


Once again, simplicity rules the day.


Objections and responses

Brainstorm on potential positive and negative responses to the various stages of the call.  You could get questions such as “what’s your name, again?” or “I am uncomfortable providing you the requested information.”  Have believable responses ready in these cases.  Also, objections can provide opportunities to collect flags.  Let’s say that the target tells you that they will need to talk to their supervisor before providing any information.  Ask the target their supervisor’s name, number and email address and offer to contact them directly.  



Before executing the campaign, obtain buy-in from organizational stakeholders. These would commonly be the same as (or similar to) the stakeholders who approve the phishing program. Potential stakeholders can be Information Security leadership, HR, Legal, Helpdesk, Compliance, Privacy and Corporate Security.



When starting out, a good target area is one that regularly interfaces with employees or the public, such as the helpdesk or customer service. The number you call from needs to be considered as well. The telephony team can assist with masking (spoofing) the originating number, especially if it is from a conference room. Keep the sample size low, 15-20, since these calls can be time consuming and changes to the script may need to be made depending on the responses.



Being able to measure the results of the program is critical to understanding the nature of the risks posed by social engineering to the organization and determining the effectiveness of the security awareness campaign messaging.


Types of metrics to collect during the campaign can include:

  • Compromise rate by time of week/day, to determine whether certain days work better than others.
  • Compromise rate by month, to identify trends.
  • Compromise rate by department/team.
  • Compromise by gender (female targeting female, female targeting men, men targeting men, men targeting women).
  • Most effective persuasion methods, such as urgency vs. authority.
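One way to compute these rates from a campaign call log, as an added example that is not part of the original article. The record fields and the sample calls are constructed for illustration, and the example goes slightly beyond the list above by attaching a 95% Wilson interval to each rate, because with samples of 15-20 calls the per-group numbers are noisy.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample call log (not real data). Field names are assumptions:
# "flags" is the number of main flags the target gave up during that call.
CALLS = [
    {"when": "2024-03-04 09:15", "dept": "Helpdesk", "method": "authority", "flags": 2},
    {"when": "2024-03-04 14:40", "dept": "Helpdesk", "method": "urgency", "flags": 0},
    {"when": "2024-03-05 10:05", "dept": "Customer Service", "method": "urgency", "flags": 1},
    {"when": "2024-03-08 16:30", "dept": "Helpdesk", "method": "authority", "flags": 1},
    {"when": "2024-03-08 11:20", "dept": "Customer Service", "method": "authority", "flags": 0},
    {"when": "2024-04-01 15:10", "dept": "Customer Service", "method": "urgency", "flags": 0},
]
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

def wilson(hits, n, z=1.96):
    """95% Wilson score interval for a proportion; it is wide when n is small."""
    if n == 0:
        return (0.0, 1.0)
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (round(max(0.0, centre - half), 2), round(min(1.0, centre + half), 2))

def compromise_rate(calls, key):
    """Group calls by key(call); a call is compromised if any flag was captured."""
    counts = defaultdict(lambda: [0, 0])  # group -> [compromised, total]
    for call in calls:
        counts[key(call)][0] += int(call["flags"] > 0)
        counts[key(call)][1] += 1
    return {
        g: {"compromised": h, "calls": n, "rate": round(h / n, 2), "ci95": wilson(h, n)}
        for g, (h, n) in counts.items()
    }

def weekday(call):
    return DAYS[datetime.strptime(call["when"], "%Y-%m-%d %H:%M").weekday()]

def report(calls):
    """One table per metric from the list above."""
    return {
        "weekday": compromise_rate(calls, weekday),
        "month": compromise_rate(calls, lambda c: c["when"][:7]),
        "department": compromise_rate(calls, lambda c: c["dept"]),
        "method": compromise_rate(calls, lambda c: c["method"]),
    }

if __name__ == "__main__":
    for metric, table in report(CALLS).items():
        print(metric, table)
```

When two groups' intervals overlap heavily, treat the difference between them as inconclusive until more campaigns have been run.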



  • Don’t overreach.  Decide on a specific set of flags that coincide with the scenario, especially if you are new to the program.
  • Be flexible.  Calls typically don’t go the way they are planned and being ready for unexpected responses is helpful.
  • In addition to creating the script, drafting a call flow chart can help visualize the campaign and identify potential issues or gaps.


After each campaign, review what did and did not go well. You may find that certain departments are more risk sensitive or that certain scenarios are more believable than others. The results can be used to tweak the program for continual improvement.


This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine.