In order to determine the information security awareness of the employees of the institution, a social engineering attack is carried out by using the scenarios determined jointly with the Customer. Social engineering tests are performed in different scenarios for people determined by the customer. The purpose of the scenario is to determine whether an outside attacker can gain unauthorized access with phishing attacks against the employees of the institution and whether it is possible to join the institution's local network from the outside.
Social Engineering test is conducted for employees in order to determine the level of awareness of the employees of the institution about information security and their resistance levels against social engineering. The scenarios determined and approved by the Information Security Team of the institution are applied in the test.
The scenario of 3 sample Social Engineering attacks against the employees of the Institution and the results of this scenario are explained in detail below.
Scenarios
The scenarios approved by the customer security team are listed below. Social engineering attacks carried out within these scenarios and the data obtained from these attacks are detailed separately.
Fake GSM Bill
In this scenario implemented within the scope of social engineering, fake e-mails were sent from the address “bill.com” as if they were coming from the GSM operator to the e-mail addresses obtained from the Customer security team. In the e-mail sent, invoices ranging from 205.00 TL to 405.00 TL were sent to the personnel. It has been tried to ensure that the personnel are suspicious of the high amount of invoice sent, click on the link sent in the e-mail and then go to download the invoice sample. For the personnel who clicked the link and downloaded the invoice, it was expected that the malicious software specially prepared for the institution would be run by the user instead of the invoice document. It is aimed to take over the computer management of the personnel running the file.
Fake HR page
In this scenario implemented within the scope of social engineering, fake e-mails were sent from the address "hr-example.com" as if they were from HR to the e-mail addresses obtained from the customer security team. In the e-mail sent, it was requested that the personnel apply for 2016 training in order to train themselves, to support them to acquire an attitude with the knowledge, skills and behaviors required by their job, to increase the overall efficiency of the institution by being trained with the awareness of efficiency and frugality, and to prepare for further duties. Users were expected to realize that the e-mail and the website were fake.
Fake Cargo Tracking
In this scenario implemented within the scope of social engineering, fake e-mails were sent from the address "x-cargotracking.com" as if they were from x cargo to the e-mail addresses obtained from the customer security team. In the e-mail sent, the personnel were told that he had a new cargo, that the cargo with a high invoice amount was delivered to the "A" branch, and the cargo invoice should be printed out and submitted to the branch. Users were expected to realize that the sent address and e-mail were fake, and that malicious software was sent instead of the cargo invoice.
The scenarios above are sample scenarios. Social engineering scenarios are prepared specifically for each institution and are developed for the employees and their needs.