💬 true story... Social Engineering.
The question is not "Will you be hacked or not?", but "How quickly can you find out that you have already been hacked?!"
• It happens that one firm is hired to check the quality of another firm's work. When it comes to social engineering, this is a particularly useful practice.
• The founder of The Security Awareness Company, Winn Schwartau, has been doing audits for more than 25 years. Clients usually come to him for an expert assessment of security measures that have already been put in place. He was once asked to do this for a major financial institution in New York. The bank's employees had just been badly frightened by previous auditors, who had found a ton of problems. For a whole month, the entire staff had been put through intensive training. The employees became genuinely paranoid: they did not open suspicious emails, did not follow phishing links, did not pick up flash drives, did not disclose anything over the phone, and strictly followed official instructions.
"Yes, these are perfect victims!" thought Schwartau, and got to work. He copied a sample of the company's business letterhead from its website, took some of the employees' regular postal addresses from there, and found the rest in reference directories. Together with his assistants, Schwartau prepared about 1,200 personally addressed paper letters, printed them on home-made letterheads of the organization being audited, and sent them the old-fashioned way, by post.
• Each letter stated that the company's reputation had recently suffered greatly because of individual employees who had neglected basic security measures. Management could not afford any new slip-ups, so it was taking unprecedented measures.
• Then, to lull the reader's vigilance, came a detailed plan full of technical terms that an office employee is unlikely to understand. This was followed by the standard request to report all suspicious activity. At the end, the letter said that everyone was now required to communicate with the IT department and the security service only through physical mail, since this is the only communication channel that hackers cannot reach.
• P.S.: the reply address given does not belong to the company, so that no one can trace and intercept these letters. "We will put them in a securely guarded mailbox, which only management and the security service will have access to," the letter said. "Right now you should send us your credentials so that we can check them manually and complete the system update." 30% of the employees replied the very next day, writing out all their data in the letter. None of the training had helped them understand that even in the 21st century, a hacker can send a letter on paper.
• Conclusion: No matter how long and carefully an organization trains its people, and no matter what administrative and technical measures it takes, it will never reach 100% security. Any high security indicators are only a temporary effect. People draw certain conclusions and become more cautious, but they cannot effectively resist their own human nature. Every time they are faced with the need to make an urgent decision, tempted by easy money, or afraid of something, they make themselves and their company vulnerable.