While the need for anti-phishing training is increasingly obvious, don’t overlook the value of broader social engineering training. Since phishing tactics are constantly evolving, teaching end users about the underlying social engineering principles can help them respond to the changing threat landscape.
The manipulation tactics in social engineering have long been used by scammers and con artists, and they can be adapted to take advantage of new methods and opportunities—with devastating results. After all, technology changes much faster than human psychology and social behaviors.
Social engineering’s focus on human blind spots is highlighted in a definition on TechTarget’s WhatIs.com:
Social engineering is an attack vector that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain. … Many social engineering exploits simply rely on people's willingness to be helpful.
For scammers, end users present an attractive target because compromising a person is generally less difficult than other methods, such as technical attacks on networks or software. As TechTarget notes, social engineering tactics are often “a first step in a larger campaign to infiltrate a system or network and steal sensitive data or disperse malware.”
HOW PREPARED ARE YOUR USERS?
As part of our most recent Beyond the Phish® report, we assessed end users’ understanding of common social engineering techniques and how to identify and avoid electronic, phone-based and in-person scams. The report explores employee knowledge of a broad range of best practices for cyber hygiene, security and compliance, analyzing data related to nearly 130 million cybersecurity questions answered by users over a 13-month span.
Our data revealed that end users missed 15% of questions about social engineering. While this result is relatively encouraging—the average error rate across all topic categories was 22%—there’s clearly room for improvement.
We also noticed a significant gap between how different industries performed on this topic. The Hospitality industry demonstrated the best understanding of social engineering, with just 11% of questions answered incorrectly. In contrast, users in the Education and Energy industries were the worst performers, at 18%. (Download the 2019 Beyond the Phish report for additional industry details.)
WHY SOCIAL ENGINEERING TRAINING?
Imagine you were taking a defensive driving course, and the instructor only taught you how to avoid a collision at a specific intersection. That training, no matter how rigorous, would have limited value compared to learning principles and tactics that could be applied to a variety of potentially dangerous situations.
Similarly, social engineering training helps prepare end users to defend against more than email-based phishing attacks. Cybercriminals frequently attempt to compromise users outside the inbox, via vishing (voice phishing), smishing (SMS/text phishing) and other social engineering attacks.
Kurt Wescoe, Chief Security Awareness Architect of Proofpoint Security Awareness Training, addresses the need for a broader training approach in a blog post: “The tactics that hit our inboxes—offers of rewards … time-based pressures … fear mongering—have the potential to be just as effective in an SMS or chat message as an email.” And let’s not forget that scammers often employ social engineering in person to talk their way past physical security defenses.
With so many potential attack vectors, end users need to have their wits about them. Rather than focusing narrowly on a few aspects of cyber hygiene, it makes sense to take a more comprehensive approach to social engineering training as part of your larger cybersecurity education initiatives. Let us help you build an effective, engaging security awareness training program that benefits your people and your organization.