Concepedia

Publication | Closed Access

Social engineering: Revisiting end-user awareness and susceptibility to classic attack vectors

Citations: 35

References: 7

Year: 2017

Taimur Bakhshi

Unknown Venue

Abstract

Social engineering relies on human vulnerability to exploit system security. Social engineering attacks are relatively harder to protect against as they mainly target the user, and not just hardware or software system defenses. End user awareness can be considered as one of the simplest yet most effective ways to protect the end user against social engineering vectors. The present study ascertains the level of user susceptibility to social engineering attacks in a cooperating corporate organization. Two attack scenarios, a spear-phishing campaign and a physical intrusion vector, were designed targeting the organization's user population (employees) based on publicly available information from the Internet. Clues relating to social engineering techniques were included in the attacks to alert suspicious users. Despite the revealing signs of a social engineering campaign, the results indicated that a significantly high proportion (46-60%) of the users fell prey and failed to identify the attacks. It was observed that lack of user awareness remained the primary cause of the success of the attacks, requiring corrective action through post-incident training and regular IT security drills.
