However, the principle of operation remains the same: exploiting the lack of data security awareness among the organization's employees, which an attacker can use to bypass the protection systems of computer networks.
As part of an assessment carried out at one of our clients, a high-tech firm with global deployment, a phishing email was designed with attractive and contemporary content, including links to a PDF catalog featuring special vacation offers and discounted smartphones.
Four hours after this phishing message was sent in an organization-wide distribution, we recorded an open rate of more than forty percent (40%) of the total recipients, with each of them opening it about 3 times on average. The links embedded in the message body were accessed 2.5 times on average by each user. In addition, a number of employees sent a complaint email to a fabricated Gmail mailbox requesting a proper catalog. In a real-life scenario, each of these actions (opening the e-mail, clicking the embedded links or responding with a complaint) could have been used by unwanted parties to gain access to the employee's computer or account.
The results of this audit provided insight into the potential exposure of the organization's critical information assets through the exploitation of its employees via one of the most common information exchange tools (e-mail). The audit demonstrated gaps both in the infrastructure (e-mail filtering system efficiency and End Point Security) and in users' behaviour (awareness, Helpdesk working procedures, etc.). At the end of this audit, another mail was sent, containing educational messages designed to improve employees' data security awareness in general and in the context of using the corporate e-mail in a secure manner. The audit became the "talk of the day" among the employees, which served its long-term educational value, a result of its personal-experience nature.
IPV Security experts tailor each Social Engineering audit so that it fits the organization's target population, in full cooperation with the customer's contacts. Here are some available customization options:
- Drafting inviting and attractive content (in Hebrew or English)
- Use of pseudo-malicious code in the phishing e-mail
- Orchestration of a fabricated identification portal for user/password theft
- Drafting awareness messages
- And more