January 29, 2016

We have just completed a Social Engineering Assessment for one of our U.S. clients, the first one in 2016. The company (a strong, well-established, medium-sized business) has had many penetration testing audits over the years, and a spear phishing test as well, but had never undergone a social engineering audit.

So they engaged us and asked us to pay special attention to whether employees would give out usernames and passwords if socially engineered. The results were shocking. Not because users fell for classic social engineering techniques (like claiming to be the IT Dept. or posing as a manager or trusted 3rd party). No, it was far worse. Employees were asked by email and in person to give out usernames and passwords in return for something. For new hires and junior staff, a $50 Amazon gift voucher did the trick in 7 out of 10 cases.

The classic email phishing was very successful. When the sender claimed to be a manager, people seemed to have no problem sending their Active Directory login by email or even via LinkedIn message. Out of 500 phishing emails, more than 400 were answered by employees with username/password pairs.

The best IT Security doesn’t protect anything if employees happily hand it out.

It’s shocking. If we, with the client’s permission, get such high results, imagine what a determined competitor or hacking group could do. Security policies are there for a reason. People wouldn’t put their car keys in an envelope and send them to an alleged address of a co-worker, so why do people still not understand that a username/password pair is as valuable as the keys to all the office buildings?

A lot of training and education is still needed in this field…