"Since people spend years building eBay feedback score or 'reputation,' people react quickly to this type of email. But, of course, it leads to a phishing site," said Shira Rubinoff, founder of Green Armor Solutions, a security software firm in Hackensack, New Jersey. "Many people use eBay, and users often bid days before a purchase is complete. So, it's not unreasonable for a person to think that he or she has forgotten about a bid they made a week prior."
Recent phishing lures even take advantage of the economic downturn, said Rubinoff. It has not been uncommon for fake emails to turn up that claim to be from human resources and say: 'You have been let go due to a layoff. If you wish to register for severance please register here,' followed by a malicious link.
No one wants to be the person that causes problems in this economy, so any email that appears to be from an employer will likely elicit a response, noted Rubinoff. Lares' Nickerson has also seen cons that use fake employer emails.
"It might say, 'In an effort to cut costs, we are sending W-2 forms electronically this year,'" said Nickerson.
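The lures quoted above share a few checkable properties: the message claims to come from a party (eBay, the employer's HR department) whose real mail domain is known, it pushes the reader to act quickly, and it carries a link whose visible text or target does not belong to that party. The following triage scorer is an added example, not code from the article or from any vendor named in it; the trusted domain list, the lure phrases, the scoring weights and the three sample messages are all constructed for the demonstration, and a mail gateway would replace them with its own data.

```python
"""Added example: score inbound mail for the social-engineering lures the
article describes (eBay 'forgotten bid', HR 'layoff/severance', 'electronic
W-2'). Everything here -- domains, phrases, weights, samples -- is constructed
for illustration; nothing is taken from a real deployment."""

import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# Constructed: domains treated as genuinely belonging to the claimed party.
# 'example-corp.com' stands in for the employer's real domain.
TRUSTED_SENDER_DOMAINS = {
    "ebay": {"ebay.com"},
    "hr": {"example-corp.com"},
}

# Constructed lure phrases, modelled on the messages quoted in the article.
URGENCY_PATTERNS = [
    r"\bfeedback\b.*\b(score|rating)\b",      # eBay reputation lure
    r"\bforgot(ten)?\b.*\bbid\b",             # "you forgot a bid"
    r"\blet go\b|\blayoff\b|\bseverance\b",   # HR layoff lure
    r"\bw-?2\b.*\belectronic",                # electronic W-2 lure
    r"\bregister here\b|\bact now\b|\bimmediately\b",
]

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def domain_of(addr_or_url: str) -> str:
    """Last two labels of the host in an email address, URL or bare hostname."""
    if "@" in addr_or_url:
        host = addr_or_url.rsplit("@", 1)[1]
    else:
        url = addr_or_url if "://" in addr_or_url else "http://" + addr_or_url
        host = urlparse(url).hostname or ""
    parts = host.lower().strip(">").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def claimed_party(subject: str, body: str) -> Optional[str]:
    """Who does the message say it is from? (constructed keyword mapping)"""
    text = f"{subject} {body}".lower()
    if "ebay" in text:
        return "ebay"
    if "human resources" in text or "payroll" in text or re.search(r"\bw-?2\b", text):
        return "hr"
    return None


def triage(sender: str, subject: str, body: str) -> Verdict:
    v = Verdict()
    party = claimed_party(subject, body)
    sender_dom = domain_of(sender)
    # Signal 1: claims a party but is sent from a domain that party does not own.
    if party and sender_dom not in TRUSTED_SENDER_DOMAINS[party]:
        v.score += 3
        v.reasons.append(f"claims to be {party} but sent from {sender_dom}")
    # Signal 2: pressure phrasing characteristic of the described lures.
    text = f"{subject} {body}"
    for pat in URGENCY_PATTERNS:
        if re.search(pat, text, re.I):
            v.score += 1
            v.reasons.append(f"lure phrase: /{pat}/")
    # Signal 3: link text shows one domain while the href points to another,
    # or the link leaves the claimed party's domains altogether.
    for href, link_text in LINK_RE.findall(body):
        shown = domain_of(link_text.strip()) if re.search(r"\w\.\w", link_text) else ""
        target = domain_of(href)
        if shown and shown != target:
            v.score += 3
            v.reasons.append(f"link text shows {shown} but points to {target}")
        elif party and target not in TRUSTED_SENDER_DOMAINS[party]:
            v.score += 2
            v.reasons.append(f"link to {target} outside {party} domains")
    return v


def is_suspicious(sender: str, subject: str, body: str, threshold: int = 4) -> bool:
    return triage(sender, subject, body).score >= threshold


# Constructed sample messages modelled on the lures quoted in the article.
SAMPLES = {
    "ebay_lure": ("feedback-notice@ebay-secure-login.net",
                  "Your eBay feedback score is at risk",
                  'You forgot to pay for a bid you made last week. Resolve it here: '
                  '<a href="http://ebay-secure-login.net/feedback">www.ebay.com/feedback</a>'),
    "hr_layoff_lure": ("hr-department@example-corp-benefits.com",
                       "Notice of layoff",
                       "Human Resources regrets to inform you that you have been let go due to a "
                       "layoff. If you wish to register for severance please register here: "
                       '<a href="http://severance-portal.example-corp-benefits.com/">register here</a>'),
    "hr_legit": ("hr@example-corp.com",
                 "Benefits enrollment reminder",
                 "Human Resources reminds you that open enrollment closes Friday. Details: "
                 '<a href="https://intranet.example-corp.com/benefits">intranet.example-corp.com/benefits</a>'),
}


def run_samples() -> dict:
    """Score every constructed sample; returns {name: score}."""
    return {name: triage(*msg).score for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        v = triage(*msg)
        print(f"{name}: score={v.score} suspicious={v.score >= 4}")
        for r in v.reasons:
            print("   -", r)
```

The weights are deliberately simple: a sender-domain mismatch or a display/target link mismatch alone should not be enough to quarantine real mail (forwarders and tracking links cause both), but either combined with the pressure phrasing the article describes pushes a message over the threshold for analyst review, while the legitimate HR reminder scores zero.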
How can I educate my employees to prevent social engineering?
Awareness is the number one defensive measure. Employees should be aware that social engineering exists and also aware of the tactics most commonly used.
Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Chris Nickerson's success posing as a technician is an example of a story that gets the message across in an interesting way. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is always who they say they are.
"In my educational sessions, I tell people you always need to be slightly paranoid and anal because you never really know what a person wants out of you," said Lifrieri. The targeting of employees "starts with the receptionist, the guard at the gate who is watching a parking lot. That's why training has to get to the staff."
Social engineering tricks are always evolving, and awareness training has to be kept fresh and up to date. For example, as social networking sites grow and evolve, so do the scams social engineers try to use there; see 5 Facebook, Twitter Scams to Avoid and 5 More Facebook, Twitter Scams to Avoid.
The National Cyber Security Alliance recently launched a 'Stop. Think. Connect.' campaign to get users to give more thought to their online behavior so they recognize social engineering cons before they get in trouble.
But it isn't just the average employee who needs to be aware of social engineering. A study conducted in 2010 found executives are actually the easiest targets. In Social engineering: 4 reasons why executives are the easiest targets, Jayson Street, a security consultant and CIO of Stratagem 1 Solutions, says executives are soft targets for many reasons, including a lax security attitude and their tendency to use the latest technology—even before it is properly vetted.
Although it's a tactic to use with great caution, fear of embarrassment is a strong motivator. Nobody likes to look foolish, and a successful social engineering test does make the victim feel foolish. This is partly why storytelling works—the reader or listener feels empathy for the person who "got suckered."
Consider this factor if you choose to design an in-house social engineering penetration test. A little embarrassment will put everyone on their toes; crossing the line to humiliation will only make employees angry.
Are there any tools to help make this process more effective?
A number of vendors offer tools or services to help conduct social engineering exercises, and/or to build employee awareness via means such as posters and newsletters.
Also worth checking out is social-engineer.org's Social Engineering Toolkit, which is a free download.
The toolkit helps automate penetration testing via social engineering, including "spear-phishing attacks", creation of legitimate-looking websites, USB drive-based attacks, and more.
Here's much more information about social engineering, including lots of examples:
Social engineering stories
Tales from the front lines
Joan Goodchild tags along to watch a professional con artist in action
An inside look at how a small business got manipulated by an employee who turned out to be a con artist.
With confidence, a Bluetooth headset and a lot of planning, Zug.com's John Hargrave (allegedly) sneaks into the Super Bowl to pull off a massive prank.