By Garrett Campbell, Information Security Analyst

Reflecting on the organizations that TraceSecurity tested over the past year, I noticed a trend among our clients who contracted us for onsite social engineering. When their employees received monthly cybersecurity trainings, they were much more likely to withstand my efforts to access their physical locations. When performing onsite social engineering engagements for medium to large size financial institutions, the ones with monthly training programs and a strong cybersecurity culture stopped me in my tracks every time.

Field Story

In one of the most recent onsite social engineering engagements performed, I spent about 30 to 45 minutes waiting to be authenticated by a supervisor at one of our client's branches. In order to disarm the two internal employees in the lobby with me, my intentions were to engage them in as much fun or non-work related conversation as possible whenever the lobby was clear.

We talked about the most recent holiday, my life on the road during the holidays as a contractor, and discussions about concerts. Toward the end of my visit, the tellers noticed how long I had been waiting and asked exactly what I needed to do. I casually told them what I was there for, that it wouldn’t take long, and I had already visited three other branches earlier today. Even though we had an established rapport, and knowing it would be a simple exception to their escort policies, the tellers still refrained from allowing me access. After failing to compromise their branch, I got back in touch with our point of contact and learned that they conduct monthly trainings for all employees. The tellers’ staunch refusal to allow me facility access is a testament to how successful their training program truly is.

Nuanced Monthly Training

Any organization with monthly training passed our onsite social engineering attempts in a similar fashion. Monthly training could be in the form of a luncheon, morning meeting, or monthly presentation from members of your IT or Compliance department. Onsite social engineering engagements are becoming more and more of a challenge with large organizations, due in large part to their commitment to ongoing training for all employees. From my perspective, this has been the key factor for success against social engineering in 2022.

For the aforementioned client, their regular procedures included annual security awareness training, monthly phishing testing with changing subjects, bi-weekly fraud-specific phishing exercises, and weekly security tips. Their CISO also mentioned a rather quick improvement to their testing performance once they began their monthly initiatives. They saw an overall improvement to performance on training and a stronger resistance to phishing testing.

A lot of their success can be attributed to their commitment to timely, curated phishing testing emails. For example, spoofing a nearby lunch spot or gas station will typically be a stronger test than that of a big chain store or random package delivery. Current events and cultural relevance go a long way when it comes to training initiatives.

Conclusion

In the security awareness training or onsite social engineering services that we performed this year, monthly training has been at the forefront of any successful engagement. The cybersecurity awareness culture at each of the organizations was noticeable each time. The diligence and creativity of making these programs engaging was impressive, and something that all organizations could benefit from.