Best Social Engineering (Phishing) Attacks?

One I remember involved the celebrity Paris Hilton, who was known for appearing in public carrying her pet chihuahua Tinkerbell. Someone called her cell phone company, answered the security question (What’s your pet’s name?) and accessed her voicemail messages, which were then posted on the internet. In this case, the “social engineering” required someone to be foolish enough to use public information for the security question on her account.

That’s actually known as spear phishing. Spear phishing has the same goal as normal phishing, but the attacker first gathers information about the intended target. This information is used to personalize the spear-phishing attack.

Not quite phishing or traditional electronic social engineering, but still relying on human nature:

A colleague (who is a security expert who does penetration testing) told me of an attacker who used a drone to drop a USB drive inside a company’s perimeter fence (this detail was confirmed by CCTV after the fact) - dropping it near the picnic benches used by staff for their breaks.

The drive was picked up by a member of staff, who plugged it into their computer (probably initially to try to identify the owner) - the drive contained a document named “Management Salaries”, which piqued the curiosity of the staff member, who opened it - of course, the document was actually infected with a trojan.

Low blows are fine, in that real attackers will use any knowledge and any techniques they have access to in order to gain a foothold. What was questionable about what your company did is that they likely weren’t testing anything worth testing.

Unless there’s more to the story than you said, the only thing they proved is that you’ll click a link in an email sent from within the company which not only looks entirely reasonable, but demonstrates knowledge of non-publicized company practices. How does that tell them anything they didn’t already know? What the Hell was the point of that? If anything, they demonstrated a flaw in their email software: First, if a sender can send an email which apparently comes from inside the organization from outside the organization, the flaw isn’t in the minds of the recipients, the flaw is in the email system, and, second, if a sender inside the organization can spoof their from address, that’s also a flaw in the email system.

It’s like they’re testing to see if you lock your door, but they bring a crowbar and fail you if they’re able to break it open. They’ve tested the wrong thing.
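The post above argues that if a message can claim to come from inside the organisation without the mail system noticing, the flaw is in the mail system. The check that system should be making is whether the sender authentication results (SPF, DKIM) actually line up with the domain in the From: header, the way DMARC alignment works. The script below is an added illustration written for this thread, not code from any poster or product; both messages and their Authentication-Results headers are constructed samples, and `mx.example.com` / `example.com` are placeholder names.

```python
"""Added example: a DMARC-style alignment check over a received message.
Verdict is 'pass' only if SPF or DKIM passed AND the identifier that passed
belongs to the same organisation as the From: domain. Constructed samples."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: From: claims the Managing Director, but the receiving
# MTA recorded an SPF pass for an unrelated envelope domain and no DKIM.
SPOOFED = b"""\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce.evil-mailer.test;
 dkim=none
From: "Managing Director" <md@example.com>
To: finance@example.com
Subject: Urgent transfer

Please wire the client today. Have a great day!
"""

# Constructed sample: a genuine internal message where SPF and DKIM both
# align with the From: domain.
GENUINE = b"""\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com
From: "Managing Director" <md@example.com>
To: finance@example.com
Subject: Board papers

Attached as discussed.
"""


def _from_domain(msg):
    """Domain part of the address in the From: header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def _aligned(identifier, from_domain):
    """DMARC 'relaxed' alignment: same domain or a subdomain of it."""
    domain = identifier.rpartition("@")[2].lower()
    return domain == from_domain or domain.endswith("." + from_domain)


def dmarc_style_check(raw):
    """Return (verdict, reasons) for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = _from_domain(msg)
    # Collapse folded Authentication-Results headers into one string.
    ar = " ".join(" ".join(str(h).split()) for h in msg.get_all("Authentication-Results", []))
    reasons = []
    aligned_pass = False

    spf = re.search(r"spf=(\w+)(?:\s+smtp\.mailfrom=([^\s;]+))?", ar)
    if spf and spf.group(1) == "pass" and spf.group(2):
        if _aligned(spf.group(2), from_dom):
            aligned_pass = True
            reasons.append("spf pass aligned with %s" % from_dom)
        else:
            reasons.append("spf pass for %s does not align with %s" % (spf.group(2), from_dom))
    else:
        reasons.append("no usable spf pass")

    dkim = re.search(r"dkim=(\w+)(?:\s+header\.d=([^\s;]+))?", ar)
    if dkim and dkim.group(1) == "pass" and dkim.group(2):
        if _aligned(dkim.group(2), from_dom):
            aligned_pass = True
            reasons.append("dkim pass aligned with %s" % from_dom)
        else:
            reasons.append("dkim pass for %s does not align with %s" % (dkim.group(2), from_dom))
    else:
        reasons.append("no usable dkim pass")

    return ("pass" if aligned_pass else "fail", reasons)


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        verdict, why = dmarc_style_check(raw)
        print(label, verdict, "; ".join(why))
```

A real gateway does this on the envelope and signature it verified itself rather than trusting a header; the point of the example is only that the decision is mechanical and belongs in the mail system, not in the recipient's head.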

Just remembered another one - a member of our finance team received a spoofed email purporting to be from the Managing Director, requesting an urgent transfer of money to a client via an unconventional route. The MD was travelling at the time, so the request seemed initially plausible. The detail that triggered suspicion was the sign-off at the end of the message: it said ‘Have a great day!’, not something the genuine individual is expected to have said.

I fell for an internal phishing test a few years back. I had been off work for a bit due to medical issues and received an apparently legitimate email from IT stating that my credentials needed to be verified.

“Please click this link and confirm your login credentials.”

I read this on my work Blackberry and, since I had been off work for a while, considered it to be a valid request. On a PC I would have hovered over the link to see where it was directed.
On a Blackberry I didn’t know how to do that, so I just went ahead only to get a “gotcha!” message from IT. Yeah thanks.
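The poster above could not hover over the link on a phone to see where it really pointed. The script below does that step for you over an HTML message body: it lists each link's visible text beside its real target host and flags links whose text claims one destination while the href goes somewhere else, or whose target is outside the organisation's own domain. This is an added example written for this thread, not code from any poster; the HTML body, the `198.51.100.7` address and the `evil-host.test` and `example.com` names are constructed placeholders.

```python
"""Added example: reveal where each link in an HTML email really points and
flag display-text/target mismatches. Constructed sample input."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample resembling the "confirm your credentials" message.
SAMPLE_HTML = """<p>Please click this link and confirm your login credentials.</p>
<p><a href="http://198.51.100.7/it-verify/">https://intranet.example.com/verify</a></p>
<p><a href="https://intranet.example.com/helpdesk">IT Helpdesk</a></p>
<p><a href="https://login.example.com.evil-host.test/">login.example.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL or bare domain, lower-cased."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _same_org(host, trusted):
    return host == trusted or host.endswith("." + trusted)


def audit_links(html, trusted_domain):
    """Return a list of (visible text, real host, finding) tuples."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        # Visible text that looks like a URL or domain makes a claim we can test.
        claimed = _host(text) if ("." in text and " " not in text) else None
        if claimed and claimed != target:
            finding = "text claims %s but points to %s" % (claimed, target)
        elif not _same_org(target, trusted_domain):
            finding = "points outside %s (%s)" % (trusted_domain, target)
        else:
            finding = "ok"
        findings.append((text, target, finding))
    return findings


if __name__ == "__main__":
    for text, host, finding in audit_links(SAMPLE_HTML, "example.com"):
        print("%-40s -> %-35s %s" % (text, host, finding))
```

The third sample link shows why comparing whole hostnames matters: `login.example.com.evil-host.test` starts with the trusted name but is a different registrable domain, which a suffix check on `.example.com` correctly rejects.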

I just received this email, with a US Bank logo at the top:

It included this helpful advice:

And very helpfully, included a link:

Since I don’t bank at US Bank, I know this is not a valid threat. If I did bank there, I might be tempted to click on one of the links, all of which are bogus.