You are now familiar with the most important methods with which malicious parties try to infiltrate your organisation through the use of social engineering. Now it's time to test how well you can put this into practice!
On this page, you will find a fun and educational ‘challenge’ you and your colleagues can do together. With this challenge, you and your colleagues will gain insight into the degree of awareness about social engineering in your team/department, which can provide a useful starting point to have a discussion about this subject and perhaps to take additional security measures.
Good luck!
Goal: to become aware of how easily others can find sensitive data, such as personal data, in what you throw away.
Participants: it is recommended that you only do this challenge with a limited number of employees, since all team members will eventually be allowed to view the contents of each other's ‘recycling bin’ and the central rubbish bin. Sufficient trust must exist between team members to be able to take on this challenge together.
Execution: In this challenge, you will work on discovering within one week how much personal information may be available to potential malicious parties via the physical rubbish bin.
To carry out this challenge, you should complete the following steps:
- For an entire week, we will see how much personal and sensitive information you all leave behind while working without necessarily being aware of it.
- Keep doing your work as normally as possible; in one week, you will hear what we are going to do next.
All quick wins related to the principle 'Make sure you always know who you are dealing with' can be found in a handy list below:
Do you trust the message? This is the quickest check you can do; if you don't trust it, continue on with the following steps in order to verify whether the sender is legitimate.
Did you expect to receive the message? If it does not make sense for the sender to send you the message (now), you should be extra vigilant.
Check the link: Hover over the link with your mouse without clicking. Your mail client or browser will display the actual address the link points to, which can differ from the text shown in the message. If the destination is not right, definitely don't click on it.
Do not check the sender by replying to the email – phone them! Your reply will most likely be sent to the email address of the malicious party, and the display name of the sender can be set to anything. Always verify the sender by telephone, using a number you already know rather than one given in the message.
Private email addresses: Never reply to a colleague's private email address. Anyone can register an email address under any name, including a colleague's.
Phishing need not be digital: Social engineering attacks are also carried out by post, telephone or people who impersonate others. Be alert to any communication that seems suspicious.
Any other questions? If you have any other questions about phishing messages and what action you should take if you receive one, please contact [fill in contact details].
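The link and sender checks above can also be automated for a whole mailbox. The following is an added example, not part of the original awareness material: it parses an HTML message body and flags any link whose visible text looks like a URL or hostname pointing to a different host than the real `href`, and it checks whether a sender's display name contains an email address in a different domain than the actual address. The message body and the From header are constructed samples, and all domains are placeholders.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body: the first link shows an intranet URL as its
# text but actually points somewhere else; the second is an honest link.
SAMPLE_HTML = """
<p>Dear colleague,</p>
<p>Please confirm your account at
<a href="http://login.example-secure.net/verify">https://intranet.example.com/login</a>.</p>
<p>Questions? Visit the <a href="https://intranet.example.com/help">help desk</a>.</p>
"""

# Constructed sample From header: the display name is itself an address in the
# trusted domain, but the real address is in a different one.
SAMPLE_FROM = '"it-support@example.com" <it-support@examp1e-mail.net>'


class _AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


# Matches visible text that looks like a URL or bare hostname and captures the host.
_HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def _shown_host(text):
    m = _HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def find_deceptive_links(html):
    """Return (visible text, href) for links whose text shows a different host than the real target."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for text, href in parser.anchors:
        shown = _shown_host(text)
        if shown is None:
            continue  # plain words like "help desk": nothing to compare against
        actual = (urlparse(href).hostname or "").lower()
        if shown != actual:
            flagged.append((text, href))
    return flagged


def display_name_mismatch(from_header):
    """If the display name contains an address, return (shown domain, real domain) when they differ, else None."""
    name, addr = parseaddr(from_header)
    real_domain = addr.rpartition("@")[2].lower()
    m = re.search(r"[\w.+-]+@([\w.-]+)", name)
    if m is None:
        return None
    shown_domain = m.group(1).lower()
    return (shown_domain, real_domain) if shown_domain != real_domain else None


if __name__ == "__main__":
    for text, href in find_deceptive_links(SAMPLE_HTML):
        print(f"link text says {text!r} but points to {href!r}")
    mismatch = display_name_mismatch(SAMPLE_FROM)
    if mismatch:
        print(f"display name claims {mismatch[0]}, real sender domain is {mismatch[1]}")
```

Both checks are heuristics: a link whose text is plain words ("help desk") cannot be compared this way, and a display name without an embedded address gives no signal, which is exactly why the page still tells you to verify the sender by telephone.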