Challenge & further assistance

Let's get to work!

You are now familiar with the most important methods with which malicious parties try to infiltrate your organisation through the use of social engineering. Now it's time to test how well you can put this into practice!

On this page, you will find a fun and educational ‘challenge’ you and your colleagues can do together. With this challenge, you and your colleagues will gain insight into the degree of awareness about social engineering in your team/department, which can provide a useful starting point to have a discussion about this subject and perhaps to take additional security measures.

Good luck!

Challenge: What do you throw away?

Goal: to become aware of how easily others can find sensitive data, such as personal data, in what you throw away.

Participants: it is recommended that you only do this challenge with a limited number of employees, since all team members will eventually be allowed to view the contents of each other's 'recycling bin' and central rubbish bin. Sufficient trust must exist between team members to be able to take on this challenge together.

Execution: In this challenge, you will find out over the course of one week how much personal and sensitive information a potential malicious party could obtain from the physical rubbish bin.

To carry out this challenge, you should complete the following steps:

  1. Put together the team which will carry out this challenge, keeping in mind that participants will be allowed to view the contents of each other's rubbish bin after one week, as that is precisely what a malicious party who gets hold of the waste is able to do.
     
  2. Communicate the rules to all participating employees:

- For an entire week, we will see how much personal and sensitive information you all leave behind while working, without necessarily being aware of it.

- Keep doing your work as normally as possible; in one week, you will hear what we are going to do next.

  3. Without telling your fellow team members, as the team leader you will ensure that someone collects the contents of the participants' rubbish bins on a daily basis and stores them, kept separate per person, at a secret location.
     
  4. At the end of the week, the team leader lays out each participant's collected rubbish on the tables. The participants then come in and each of them chooses a pile of rubbish (not their own). Only the team leader reports on what is found, and only in general terms: what kinds of information turned up, not the details. Nobody shares the actual data found.
     
  5. The participants are given a set amount of time (e.g. 15 minutes) to go through the chosen person's rubbish and collect as much sensitive information as possible. Where possible, it is shown on the spot that the information found would be enough to log into an online application, which demonstrates how something as simple as rubbish can lead to a considerable infringement and data breach. Do this only with the explicit consent of the person concerned, and have them change the password immediately afterwards.
     
  6. The challenge ends with an evaluation discussion, in which the participants describe the kinds of information they found (not the data itself) and, if possible, agree on how to handle sensitive information more carefully, both online and offline.

All quick wins related to the principle 'Make sure you always know who you are dealing with' can be found in a handy list below:


Do you trust the message? This is the quickest check you can do. If you don't trust it, go through the following steps to verify whether the sender is legitimate.


Did you expect to receive the message? If it does not make sense for the sender to send you the message (now), you should be extra vigilant.


Check the sender and the links: Look at the actual email address behind the display name, not just the name shown. Hover over a link with your mouse and your mail client or browser will display the actual address the link points to. If the address or the link is not right, definitely don't click on it.


Do not check the sender by replying to the email; phone them! Your reply will most likely be sent to the malicious party's email address (a message can specify a different reply address than the one it appears to come from). Always verify the sender by telephone, using a number you already know rather than one given in the message.


Private email addresses: Never reply to a colleague's private email address. Anyone can create an email address under any name.


Phishing need not be digital: Social engineering attacks are also carried out by post, by telephone or by people impersonating others in person. Be alert to any communication that seems suspicious.


Any other questions? If you have any other questions about phishing messages and what action you should take if you receive one, please contact [fill in contact details].
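For those who want to see two of the checks above done mechanically (the real destination behind a link's visible text, and where a reply to the message would actually go), here is an added example in Python. It is not part of the original page. The message it analyses is constructed for the demonstration, the domain example-corp.com stands in for your own organisation's domain, and the 'registrable domain' logic is a deliberate simplification of what a real mail filter would do.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain(s). Everything else is untrusted.
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed sample, not a real message: the display name looks like a colleague,
# the address uses a misspelt look-alike domain, Reply-To points somewhere else,
# and the first link's visible text does not match where the link really goes.
SAMPLE_EMAIL = """\
From: "Anna de Vries" <anna.devries@exampe-corp.com>
Reply-To: payments@mail-collector.example
To: you@example-corp.com
Subject: Urgent invoice
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please log in to approve the invoice:
<a href="http://example-corp.com.login-portal.example/sso">https://intranet.example-corp.com/sso</a></p>
<p>Or see the <a href="https://intranet.example-corp.com/help">help page</a>.</p>
</body></html>
"""


def host_of(url: str) -> str:
    """Lower-cased host part of a URL; bare hosts get a scheme so urlparse works."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def base_domain(host: str) -> str:
    """Crude registrable domain: the last two labels (a real check uses the Public Suffix List)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def is_trusted(host: str) -> bool:
    """True only for the trusted domain itself or a real subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_sender(msg) -> list:
    """The 'who is this really from' and 'where would my reply go' checks."""
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()
    if not is_trusted(from_dom):
        findings.append(f"From address {from_addr!r} (shown as {from_name!r}) is not on a trusted domain")
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_dom:
        findings.append(f"Reply-To {reply_to!r} is on a different domain; a reply would not reach {from_addr!r}")
    return findings


def check_links(html: str) -> list:
    """The 'hover over the link' check, done for every link in the body."""
    findings = []
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_host = host_of(href)
        # Visible text that is itself a URL or host must point at the same domain.
        looks_like_url = "://" in text or ("." in text and " " not in text)
        if looks_like_url and base_domain(host_of(text)) != base_domain(href_host):
            findings.append(f"link text {text!r} actually points to {href_host!r}")
        # Trusted name embedded in an untrusted host, e.g. example-corp.com.evil.example.
        if not is_trusted(href_host) and any(d in href_host for d in TRUSTED_DOMAINS):
            findings.append(f"look-alike host {href_host!r} is not a trusted domain")
    return findings


def analyse(raw: str) -> list:
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    return check_sender(msg) + check_links(body.get_content() if body else "")


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run as a script it lists four findings for the constructed message: the look-alike From domain, the diverging Reply-To, the link whose text names the intranet but whose href goes elsewhere, and the trusted name buried inside an untrusted host. The second link, whose text is plain words and whose href is a genuine subdomain, produces nothing, which is the behaviour you want from such a check.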