SOCIAL ENGINEERING TRAINING MANUAL

Page 1: SOCIAL ENGINEERING TRAINING MANUAL


Page 2: SOCIAL ENGINEERING TRAINING MANUAL

2021 Social Engineering Training Manual

October 11, 2021 1

Table of Contents

• Introduction
• Objectives
• What is Social Engineering?
  ▪ How does Social Engineering work?
  ▪ What are they looking for?
  ▪ Why talk about Social Engineering?
• Foundations of Social Engineering Attacks
• 3 Critical Success Factors
• Types of Attacks and Real-world Examples
• Social Engineering Statistics
• The Dangers of Social Engineering
• What is Phishing?
  ▪ Characteristics of Phishing Attacks
  ▪ What happens with a Phishing attack?
  ▪ How to spot a Phishing attack?
  ▪ Clues for detecting Phishing emails
  ▪ How to check Phishing emails?
• What is Vishing?
  ▪ What happens in a vishing attack?
  ▪ How to spot a vishing attack?
• What is Ransomware?
  ▪ How to prevent Ransomware?
• What is Electronic Identity Theft?
  ▪ How to protect against Electronic Identity Theft?
  ▪ What are the possible information leaks?
  ▪ What should you do?
  ▪ Who are you helping?
• Social Engineering at the Workplace
  ▪ Whom should you contact in case you suspect you are a victim of Social Engineering?
  ▪ Dos and Don’ts
• Summary
• Terms and Definitions

Page 3: SOCIAL ENGINEERING TRAINING MANUAL

2021 Social Engineering Training Manual

October 11, 2021 2

Introduction

This training is conducted to:

• Prepare you to defend against and combat possible social engineering techniques and to notice the improvements needed in day-to-day operations.
• Understand common types of attacks, their foundations, and the factors that make them successful.
• Create awareness of what social engineering attacks look like and how you can avoid becoming a victim of, or a source for, these attacks.

Objectives

Upon completion of this training, you will be able to:

• Define what “Social Engineering” is, how it happens, and why it happens.
• Identify the relevance of Social Engineering and how you can help to protect Tracfone’s assets as well as its customers and call center assets.
• Know who to contact in case of any issues or questions regarding Social Engineering.

A very important note

Social Engineering may happen not only at the workplace but also in your personal life. This possible attack is reason enough to take this training seriously, to prevent hackers from stealing your information.


What is Social Engineering?

Social Engineering is a technique of manipulating or tricking people so they reveal confidential information.

How does Social Engineering work?

The data obtained is used to appear to be the rightful person or organization while gaining access to systems and performing adverse actions.


What are they looking for?

The types of information can vary, but usually these criminals will trick people into giving them their passwords, bank information, or access to their computers, where they secretly install malicious software that provides them with access to people’s passwords and bank information.

Why talk about Social Engineering?

Social Engineering is a manipulation technique that takes advantage of human error, so a solid knowledge base will help you think more clearly and react more effectively when these attacks happen.


Foundations of Social Engineering Attacks

These are the 5 emotional traits used in Social Engineering attacks.

Fear: They may pose as a boss asking for updates on proprietary projects the company is currently working on, or for payment information, or pose as a legal authority soliciting input to produce objective evidence and testimony.

Greed: They fuel people’s desire for more wealth. They will email you that you won the lottery, or that you are one of the first 50 people to click on their website, and that to claim your “winnings” you must provide personal information.


Curiosity: They use schemes that appear to offer an amazingly great deal on classified sites, or trending movies or music, and, knowing what people want, they ask you to enter confidential information before you can download them.

Urgency: Scammers want you to act before you think. If the message conveys a sense of urgency or uses high-pressure sales tactics, be skeptical. Never let their speed influence your careful judgment. It only takes one click to compromise an entire network.

Helpfulness: Attackers prey on your kindness and generosity. They will tell you that your friend is stuck in a foreign country, robbed and beaten, that you are the only person they can contact, and then tell you how to send the money (to the criminal).


3 Critical Success Factors

Convenience: Many prefer comfort over security and therefore set up passwords that favor convenience. Many use the same weak passwords for all their online accounts, including bank accounts, because they are simpler to remember.

Relationship: After obtaining the trust of their unsuspecting victims, attackers exploit the relationship and persuade victims to divulge more information than they should, by mentioning names of prominent people in the organization or even bragging about their own authority in it.

Trust: It is human to be trusting and sometimes gullible. People want to help, especially when the request seems reasonable, while fraudsters understand standard thought processes, habits, and behaviors and have mastered the art of manipulating these emotional vulnerabilities.


Types of Attacks and Real-world Examples

Case #1: Microsoft database leaked because of employee negligence

What happened? At the end of December 2019, a security researcher discovered a publicly accessible Microsoft customer support database that contained 250 million entries accumulated over 14 years. The database included support cases and details, emails and IP addresses of customers, customers’ geographical locations, and notes made by Microsoft support agents. The database was publicly accessible for about a month. Microsoft secured it the same day the breach was reported.

Why did it happen? At the beginning of December 2019, Microsoft deployed a new version of Azure security rules. Microsoft employees misconfigured those rules and caused the accidental leak. Access to the database wasn’t protected with a password or two-factor authentication. Also, the company could have reduced the detection time significantly by monitoring user records and reviewing activity with sensitive assets.

Case #2: Marriott leaked data because of a compromised third-party app

What happened? In January 2020, hackers abused a third-party application that Marriott used to provide guest services. The attackers gained access to 5.2 million records of Marriott guests. These records included contact information, gender, birthdays, loyalty account details, and personal preferences. Marriott’s security team noticed suspicious activity and sealed the insider-caused security breach at the end of February 2020.

Why did it happen? The attackers compromised the credentials of two Marriott employees to log in to one of the hotel chain's third-party applications. Marriott's cybersecurity systems didn't notice the suspicious activity of these employees' profiles for two months. Marriott could have detected the breach with third-party vendor monitoring and user and entity behavior analytics before hackers accessed clients' data.


Case #3: Twitter users scammed because of phished employees

What happened? In July 2020, hackers gained access to 130 private and corporate Twitter accounts with at least a million followers. They used 45 of these accounts to promote a Bitcoin scam. The list of hacked accounts includes those of Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Michael Bloomberg, Apple, Uber, and other notable individuals and companies.

Why did it happen? Twitter employees became victims of a chain of spear phishing attacks. Hackers gathered information on company employees working from home, contacted them, introduced themselves as Twitter IT administrators, and asked for user credentials. Using these compromised accounts, the attackers then gained access to administrator tools. With these tools, they reset the accounts of famous Twitter users, changed their credentials, and tweeted scam messages. Twitter didn’t notice the suspicious activity in the admin tool until the scam messages were published and noticed by the press.

Source: https://www.ekransystem.com/en/blog/real-life-examples-insider-threat-caused-breaches

Social Engineering Statistics

• 50% of cyber-attacks today target a network and those connected to it via a supply chain. Further, in 2018, supply chain attacks increased by 78%.
• Ransomware will continue to be the #1 threat.
• 92% of malware is delivered by email.
• 60% of breaches in 2019 involved unpatched vulnerabilities.
• Cybercrime has increased by 600% since the beginning of the global pandemic.
• A 2020 report conducted by Sonatype also found that supply chain attacks on open-source software surged by 430%.

Estimated global damage (billions):

2018: $8.00
2019: $11.50
2020: $20.50


The Dangers of Social Engineering

Social Engineers are limited only by their imagination; therefore, the possibilities are endless.


What is Phishing?

Phishing is one type of social engineering that uses legitimate-looking email or websites to trick you into disclosing sensitive information. The objective is to steal your identity for financial gain, to commit crimes in your name, or to access your organization’s computer system. Phishing can occur on the user side or the server side.

Keep in mind phishing = to fish. What can I catch?

Characteristics of Phishing Attacks

• Use email or pop-ups.
• Appear to be from a legitimate source.
• Request personal or sensitive information.
• Claim you must update or validate the information.
• Typically threaten dire consequences.
• Often contain spelling or grammatical errors.
• Could ask you to download a file.
• Could direct you to a website that looks real.


What happens with a Phishing attack?

First, if you receive the communication but do not disclose anything, nothing will happen. This is because phishing does not install anything on your system or cell phone. If you disclose your information, the attacker can take over your account and act as if they were you (identity theft). It can lead to loss of data, money, or legal issues.

How to spot a Phishing attack?

• The message or website is not well constructed.
• The email text comes with some weird offerings.
• The mail asks you to type in your password to get access to the attachment.
• Someone is asking for your account, personal, or confidential information.

Clues for detecting Phishing emails

When you receive a suspicious email, check for the indicators of the email being a phishing attempt:

• Contextual relevancy: Does the email directly concern you, or is it unsolicited and unrelated to your job functions?
• It claims to be urgent or threatens dire consequences.
• It requests an action from you: click, download, or log in. Every time you receive an email that asks you to click on a link or download an attachment, you should pause to evaluate its validity.
• It requests that you disclose personal or sensitive information.


How to check Phishing emails?

• The “From” field is from an unknown or non-verifiable address.
• The “To” field is not addressed directly to you, is empty, or includes random addresses or non-verifiable aliases.
• It provides a link with an IP address, a link that does not match its description when the mouse is positioned on top of it, or a link that contains an unusual spelling.
• The name, title and phone number of the sender are not provided or are non-verifiable.

Example of a suspicious email:

Re: JOB OFFER *** Urgent Response Needed
From: Chuck McDonald ([email protected])
To:

Work and Earn $400 to $500 weekly!

Sunjing Textiles Import & Export Corp Ltd. is A partner of choice for leading global brands in textile manufacturing.we are looking for reputable people across the UNITED STATE, UNITED KINGDOM AND EUROPE who will work for us as a payment receiving personnel and serves as our representatives in there area.

DUTY: The payment receiving personnel receives payments from our customers located within their business area ( CITY,STATE,). He/she will report directly to the payments office via email, telephone or fax.

NOTE: This Job is a part- time Job and has been designed in such a way that it does not affect your regular daily work.

EMPLOYMENT FORM(FILL WITH CORRECT AND COMPLETE INFO)

Please click here to fill out the Job Application.


This is an example of a typical e-mail that should be treated with suspicion. Let’s apply the indicators provided before to help determine whether it is legitimate:

First: This is an unsolicited email, since you have not contacted this company directly requesting a job.

Second: It claims to be “Urgent”. This is often done to get you to answer it quickly without thinking.

Third: It requests an action from you: “Please click here to fill out the Job Application”.

Fourth: It requests personal and sensitive information: your name, address, phone number, your current employer, position, and what type of computer equipment you use for your current job.

Fifth: The sender is someone you don’t know, the name does not coincide with the email address next to it, and you have no way of verifying whether this email address is valid at all.

Sixth: It is not addressed directly to your email address; the recipient is left blank. Criminals who send out phishing scams send out millions of messages to randomly generated email addresses with the hope that someone will fall for it.

Seventh: The link provided is not an IP address, but when you place your mouse pointer on top of it without clicking, it displays a link that does not match the supposed company name of Sunjing Textiles Import & Export Corp, as seen in this example.

Eighth: The sender provides a name and title, but since it is from a third party you don’t have a way to verify its validity.

All the checks above indicate that this is a classic example of a phishing attempt. But the biggest clue of all should come from common sense. This email offers a part-time job that pays up to $500 per week, in combination with your regular daily work. As common sense would indicate: “If it sounds too good to be true, it probably is”.


Another example of a legitimate-looking Phishing email

This second email is an example of a legitimate-looking e-mail that is a phishing scam. Let’s review the clues that could indicate to you that this email should be treated with caution. We’ll apply the same checklist we applied to the email we reviewed before:

First: This email might or might not concern you. You are a TracFone employee, but you do not necessarily have the obligation to test a portal that has not been officially released.


Second: The email does not claim the action required to be urgent, but it still appeals to people’s natural desire to be helpful.

Third: It requests an action from you: “Simply click that link and login to the Portal”. As we said before, every time you receive an email that asks you to click on a link or download an attachment, you should pause to evaluate its validity.

Fourth: It asks you to disclose sensitive information: it says you will need to log in to the portal, which implies providing your credentials.

Fifth: It asks you to disclose sensitive information: it says you will need to log in to the portal, which implies providing your credentials.

Sixth: The sender’s address is a valid TracFone email: “[email protected]”. This email address does exist at TracFone, and you can verify that by checking the address book in Outlook. But consider that it is a very common and easily guessable address. A hacker could have used this address, since there is a good chance that the “support” alias exists in most organizations. Other accounts that commonly exist in most organizations are service@, usersupport@, helpdesk@, operations@, etc.

Seventh: The link provided is an IP address instead of the name of a website (URL). Commonly, emails requesting you to click on a link will provide a domain name instead of a numeric address. This is mostly to provide ease of use, since it is typically easier for people to remember a name than a group of numbers. But in this case, registering a false domain name close enough to the real one not to raise suspicion would have taken extra effort from the hacker. If you have knowledge of TracFone’s IP address ranges, you might notice that this is not an internal TracFone IP address. Since most TracFone users are not familiar with our range of IP addresses, making that judgment by looking at the IP alone may not be possible. More technically savvy users could check the IP address provided in one of the free Internet lookup services, such as “ip-lookup.net” or “whois.net”. By doing this, they will realize that the IP address provided does not belong to TracFone. Still, this would not be definitive proof of the email being a phishing email, as we do sometimes work with third-party sites.

Eighth: The sender’s signature is generic. There is no name, title, or phone number to call for verification. It only says “TracFone Support Team”. This makes it difficult for the receiver to identify who to contact to verify the email.

Most of the checks from our list apply to this email. So, if you receive an email such as the one we just reviewed, what should you do?

If you think the action being requested is important and you don’t want to ignore it by deleting the mail, contact the person or department sending the email over the phone to verify its authenticity. In any case, do not click the link until you have verified its validity with the sender. Do not click on any link that will download a file to your computer without first making sure that you can trust the source. If you are not able to validate the authenticity of an email like this, just delete it.

JUST DELETE IT
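The eight-point checklist applied to both emails above can also be run mechanically, which is useful for triaging a mailbox before a person applies common sense to what is left. The Python script below is an added example, not part of the training manual or of any TracFone tooling: it parses a raw message with the standard library and reports which of the eight indicators fire. Both sample messages, their sender addresses and link targets (including the documentation-range IP 203.0.113.45), and the trusted domain list are constructed placeholders, and the “three or more indicators means delete” threshold in `should_delete` is an assumption for this example, not a rule from the manual.

```python
"""Checklist-based phishing indicator scan (added example, not from the manual).

Applies the manual's eight indicators to a raw email and reports which fire.
The sample messages, addresses, links and trusted domains are all constructed.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: the domain your organisation really sends internal mail from.
TRUSTED_DOMAINS = {"example.com"}
URGENCY_WORDS = ("urgent", "immediately", "act now", "suspended", "final notice")
ACTION_WORDS = ("click", "download", "login", "log in", "open the attachment")
SENSITIVE_WORDS = ("password", "pin", "credentials", "credit card",
                   "phone number", "address", "employer")
PHONE_RE = re.compile(r"\(?\d{3}\)?[\s\-.]\d{3}[\s\-.]\d{4}")   # a callable number
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _any_word(words, text):
    """Whole-word match, so 'pin' does not fire on 'shopping'."""
    return any(re.search(r"\b" + re.escape(w) + r"\b", text) for w in words)


def _link_host_kind(href, sender_domain):
    """'ip' for a numeric host, 'foreign' if it is not under the sender's domain."""
    host = (urlparse(href).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "ok" if host.endswith(sender_domain) else "foreign"


def scan_email(raw):
    """Return the names of the manual's indicators that fire for this message."""
    msg = message_from_string(raw)
    body = msg.get_payload()                        # samples are single-part HTML
    text = re.sub(r"<[^>]+>", " ", body).lower()    # the text a reader would see
    subject = (msg["Subject"] or "").lower()
    name, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    hits = []
    if sender_domain not in TRUSTED_DOMAINS:            # 1. unsolicited / unknown origin
        hits.append("unknown_sender_domain")
    if _any_word(URGENCY_WORDS, subject + " " + text):  # 2. urgency or threats
        hits.append("urgency")
    if _any_word(ACTION_WORDS, text):                   # 3. click / download / log in
        hits.append("requests_action")
    if _any_word(SENSITIVE_WORDS, text):                # 4. asks for sensitive data
        hits.append("requests_sensitive_info")
    if name and name.split()[0].lower() not in addr.split("@")[0].lower():
        hits.append("from_name_mismatch")               # 5. display name vs address
    if not (msg["To"] or "").strip():                   # 6. not addressed to you
        hits.append("empty_to")
    for href, _anchor in LINK_RE.findall(body):         # 7. numeric or mismatched link
        kind = _link_host_kind(href, sender_domain)
        if kind != "ok":
            hits.append("ip_link" if kind == "ip" else "link_host_mismatch")
    if not PHONE_RE.search(text[-300:]):                # 8. no number to call and verify
        hits.append("generic_signature")
    return hits


def should_delete(hits, threshold=3):
    """Assumed triage policy for this example: three or more indicators, delete it."""
    return len(hits) >= threshold


# Constructed sample modelled on the job-offer email (addresses are placeholders).
SAMPLE_JOB_OFFER = """\
Subject: Re: JOB OFFER *** Urgent Response Needed
From: Chuck McDonald <payments.desk@freemail.invalid>
To:
Content-Type: text/html

<p>Work and Earn $400 to $500 weekly!</p>
<p>Sunjing Textiles Import &amp; Export Corp Ltd. is looking for payment receiving
personnel to serve as our representatives in their area.</p>
<p>EMPLOYMENT FORM (FILL WITH CORRECT AND COMPLETE INFO): name, address,
phone number, current employer.</p>
<p><a href="http://apply-now.jobforms.invalid/form">Please click here to fill
out the Job Application.</a></p>
<p>Chuck McDonald, Hiring Manager</p>
"""

# Constructed sample modelled on the portal-test email (IP is a documentation range).
SAMPLE_PORTAL_TEST = """\
Subject: New agent portal - please test before release
From: support@example.com
To: agent@example.com
Content-Type: text/html

<p>Hi team,</p>
<p>We need volunteers to test the new agent portal before it is released.
Simply click that link and login to the Portal with your usual credentials.</p>
<p><a href="http://203.0.113.45/portal">http://203.0.113.45/portal</a></p>
<p>Thanks,<br>Support Team</p>
"""

if __name__ == "__main__":
    for label, raw in (("job offer", SAMPLE_JOB_OFFER), ("portal test", SAMPLE_PORTAL_TEST)):
        found = scan_email(raw)
        print(f"{label}: {found} -> {'DELETE' if should_delete(found) else 'verify with sender'}")
```

Run as-is and the job-offer sample trips all eight indicators, while the portal-test sample trips only four (action request, credential request, numeric link, generic signature), matching the manual's own reading of the two emails: the second one is harder to spot, which is exactly why the link and the signature, not the sender address, are the checks to rely on. Whole-word matching and an explicit trusted-domain list keep the false positives down, but this is a triage aid; the final call is still the “verify with the sender over the phone, otherwise delete” rule above.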


What is Vishing?

Vishing is phishing by voice: a voice scam. Just like phishing, vishing tries to collect personal/private information via a voice call. It may be the most common type of attack we can suffer at the call center.

What happens in a vishing attack?

Like phishing or smishing, vishing relies on convincing victims that responding to the caller is the right thing to do. Often the caller will pretend to be calling from the government, tax department, police, or the victim’s bank.

Cybercriminals use threats and clear language to make victims feel as though they have no other option than to provide the information being asked of them. Some cybercriminals use solid and forceful language, and others suggest they are helping the victim to avoid criminal charges. A second and common tactic is to leave threatening voicemails that tell the recipient to call back immediately, or they risk being arrested, having bank accounts shut down, or worse.

An attacker may also pose as a legitimate customer to steal information or take over a customer’s account.

Remember: if you don’t provide anything, the attacker cannot affect you.


How to spot a vishing attack?

• A red flag is any call where the caller asks for information about the account rather than providing it.
• A caller claims to be the account owner, but there is no way of proving it.
• A caller claims to be your bank and asks for your card information and PIN.
• You get a call claiming to be from your government and asking for your ID number or any other personal information.

Keep in mind that this also applies if you are a chat agent or handle email.

What is Ransomware?

Ransomware is malicious software (a program). It infects your system via a download, an email attachment, or even illegal videos (movie downloads). Once inside your system, the program takes possession of all your files, such as Word and Excel documents, and makes them impossible to use unless you pay the ransom.


How to prevent Ransomware?

• Never click on unsafe links: Avoid clicking on links in spam messages or on unknown websites; yes, that includes free movie websites. If you click on malicious links, an automatic download could be started, which could lead to your computer being infected.
• Avoid disclosing personal information: Remember what you have learned about phishing and vishing. Do not reply if you receive a call, text message, or email from an untrusted source requesting personal information. Any information can be used later to “tailor the attack.”
• Do not open suspicious email attachments: Ransomware can also find its way to your device through email attachments. It is the same as using unsafe sites.
• Never use unknown USB sticks: Never connect USB sticks or other storage media from someone you do not know to your computer. Ransomware can reside there.
• Keep your programs and operating system up to date: Regularly update your operating system, programs, and antivirus.
• Use only known download sources: Never download software or media files from unknown sites, to minimize the risk of downloading ransomware.
• Use VPN services on public Wi-Fi networks: Using public Wi-Fi networks cautiously is a sensible protective measure against ransomware. When using a public Wi-Fi network, your computer is more vulnerable to attacks because anyone can use the same network and exploit your system’s weaknesses. If you use a VPN, all your traffic is encrypted.


What is Electronic Identity Theft?

• Acting as or pretending to be a third party without authorization. It happens when the hacker retrieves information from the targeted victim.
• Overall, this is stealing your digital persona.

How to protect against Electronic Identity Theft?

If you are the end-user, use all that you have learned to prevent phishing and vishing:

▪ Do not provide passwords, security questions, or usernames if the authentication process is not correct.
▪ Always make sure to use the actual website. Type your bank’s website address; do not click on links received via mail.

If you are the one assisting the customer:

▪ Never provide personal information; remember, the customer is the one who must identify themselves.
▪ Keep in mind to be polite, and do not give in to caller pressure. In the end, by protecting the customer’s account, you are helping them.


What are the possible information leaks?

• Customer information
• Your account information
• VPN connection set-up
• Emails that are not needed to assist the customer
• Account information

What should you do?

• Always follow the security guidelines. Remember, if you own the account, you know yourself.
• Use the direct website. Never provide more than what is needed.
• Change your password. Contact your provider or your supervisor.
• Never provide information if something seems to be wrong. Remember, you are in control.
• Never provide personal information.


Who are you helping?

You are responsible for whatever happens to your access. Always remind yourself of the Workstation and Password Usage Policy. Keep in mind that Social Engineering is a way to steal information. If you keep the information safe, you help everyone, not criminals. If you keep the customer information safe, you protect Tracfone. You protect yourself.

You are responsible for calling the helpdesk to have your password reset should your access be revoked. You will be required to provide your ID and your unique PIN to have your access reinstated. You will only contact the helpdesk to reset your own password. Under no circumstances will you ever call on behalf of another customer service representative or staff member.

Your credentials identify you to the system. The computer system tracks all entries and the person who makes them. If anyone uses your password and this results in errors or fraud, you will be held accountable for such action.

These rules are critical. Any employee who willfully disregards these rules and regulations is subject to discipline, up to and including removal from the TracFone account as a service representative or staff member.

Furthermore, you also agree to help safeguard the privacy expectations of all TracFone Wireless customers by exercising diligence and care in the handling of confidential information relating to the customer.


Social Engineering at the Workplace

Here are some of the Social Engineering attacks that may happen at the workplace.

• A caller claiming to be a customer starts a conversation but suddenly asks for information such as a PIN.
• A caller claiming to be a customer requests a SIM swap or account update but cannot prove their identity.
• A caller claiming to be a customer asks for a PIN, address, last four (4) digits of the credit card, or more information without providing anything to identify themselves as the owner.
• A caller claiming to be a customer asks for passwords and other information for the My Account app.

Real customers are glad to hear about the security process. Hackers will try to avoid it and sometimes threaten to report you to someone.

Whom should you contact in case you suspect you are a victim of Social Engineering?

Contact any authority from the operations floor. Make sure to keep key details:

✓ Date and time
✓ Account number/MIN
✓ The inquiry made during the interaction
✓ Phone number or name of the person that made the call
✓ Was the transaction processed?
✓ Brief description of what happened and why you believe it is suspicious

Dos and Don’ts

Do:
▪ Follow the Security Guidelines and account verification.
▪ Always take care of your personal information.
▪ Never share passwords, security questions, or PINs.
▪ Remember, the customer knows the information.

Don’t:
▪ Provide PIN numbers or personal information.
▪ Let hackers push you. If you’re the customer, make sure that calls are legit.


Summary

• Social Engineering attacks users.
• If the hacker gets enough information, he can act as if he were you.
• Always follow the security guidelines.
• Never share your passwords.
• Never give access to your system.
• Never provide confidential information.

Terms and Definitions

Social Engineering: A technique of manipulating or tricking people so they reveal confidential information.

Phishing: A social engineering technique where the attacker contacts the victim and tries to get sensitive information provided by the victim voluntarily.

Vishing: Phishing by voice, a voice scam. Just like phishing, vishing tries to collect personal/private information via a voice call.

Ransomware: Malicious software (a program). It infects your system via a download, an email attachment, or even illegal videos (movie downloads).

Electronic Identity Theft: Acting as or pretending to be a third party without authorization. It happens when the hacker retrieves information from the targeted victim.

