Advanced Governance & Compliance

Awareness and social engineering — phishing, pretexting, vishing, and simulations

Social engineering is the manipulation of people into performing actions or disclosing information that compromises security. No matter how hardened the systems are, if an employee can be deceived the attacker gets in. The Verizon DBIR has reported for years that a large majority of breaches involve a human element (82% in the 2022 edition).

Main Techniques

Phishing

A fraudulent email impersonating a legitimate sender to steal credentials, install malware, or trick the target into a financial transfer.

Variants:
- Spear phishing: specific target, personalized email using real data about the victim
- Whaling: target is C-level (CEO, CFO)
- Clone phishing: copy of a previous legitimate email with a replaced link

Common indicators:
- Look-alike domain: example-corp.com instead of examplecorp.com
- Artificial urgency: "your account will be locked in 24 hours"
- Link that doesn't match the displayed text (hover reveals a different URL)
- Unexpected attachment: a macro-enabled workbook (.xlsm or .xls; a plain .xlsx cannot carry macros), a .pdf whose only content is a link to "view the document"
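The first three indicators above can be checked mechanically before a human ever reads the message. The Python script below is an added example, not code from the original page: it parses a raw email with the standard library and flags a look-alike sender domain, urgency phrases, an anchor whose displayed text points somewhere other than its href, and a trusted brand name tucked into an untrusted host. The trusted-domain list, the urgency phrases, the similarity threshold and the sample message are all constructed assumptions for the demo.

```python
import difflib
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplecorp.com"}  # assumption: this organisation's legitimate domains
# Assumption: urgency phrases; extend for the languages your users work in.
URGENCY_PATTERNS = [
    r"within \d+ hours?", r"will be (locked|suspended|closed)",
    r"\bimmediately\b", r"\burgent\b", r"\bfinal notice\b",
]

# Constructed sample (not a real campaign): hyphenated sender domain, urgent
# subject, and a link whose visible text is not where it actually goes.
RAW_EMAIL = """\
From: "Example Corp IT" <it-support@example-corp.com>
Subject: Action required: your account will be locked in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in within 24 hours to keep access.</p>
<p><a href="http://examplecorp-login.evil.example/reset">https://sso.examplecorp.com/reset</a></p>
<p>Questions? See <a href="https://examplecorp.com/help">our help page</a>.</p>
</body></html>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); production code should use the
    Public Suffix List so that suffixes like co.uk are handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def looks_like_url(text):
    return re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I) is not None

def is_lookalike(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """True when domain is close to, but not exactly, a trusted domain: hyphen
    insertion, dropped letters, digit-for-letter swaps. Punycode is flagged outright."""
    domain = domain.lower()
    if domain in trusted:
        return False
    if "xn--" in domain:
        return True
    return any(difflib.SequenceMatcher(None, domain, t).ratio() >= threshold for t in trusted)

def analyze(raw_email):
    """Return one finding per indicator hit; an empty list means none matched."""
    msg = email.message_from_string(raw_email, policy=policy.default)
    findings = []
    # Indicator 1: look-alike sender domain.
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if is_lookalike(sender_domain):
        findings.append({"indicator": "lookalike_sender", "detail": sender_domain})
    # Indicator 2: artificial urgency in subject or body (tags stripped).
    body = msg.get_body(preferencelist=("html", "plain"))
    body_html = body.get_content() if body is not None else ""
    haystack = str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", body_html)
    for pat in URGENCY_PATTERNS:
        if (hit := re.search(pat, haystack, re.I)):
            findings.append({"indicator": "urgency", "detail": hit.group(0)})
    # Indicators 3-4: visible text vs real destination, and brand name abuse.
    extractor = LinkExtractor()
    extractor.feed(body_html)
    for href, visible in extractor.links:
        href_host = host_of(href)
        href_domain = registrable_domain(href_host)
        if looks_like_url(visible) and registrable_domain(host_of(visible)) != href_domain:
            findings.append({"indicator": "link_mismatch",
                             "detail": f"shows {visible} but goes to {href_host}"})
        if is_lookalike(href_domain):
            findings.append({"indicator": "lookalike_link", "detail": href_host})
        elif href_domain not in TRUSTED_DOMAINS and any(
                t.split(".")[0] in href_host for t in TRUSTED_DOMAINS):
            findings.append({"indicator": "brand_in_untrusted_host", "detail": href_host})
    return findings
```

Call analyze(RAW_EMAIL) to get the list of findings; on the constructed sample it reports the hyphenated sender domain, two urgency phrases, the mismatched link and the brand name inside evil.example. The similarity threshold is a tuning knob: too low and every short domain looks like a sibling of yours, too high and a single dropped letter slips through, so validate it against your own mail flow before gating anything on it.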

Pretexting

Creating a false scenario (pretext) to gain trust and extract information.

Example (fictional training environment):
An attacker calls Example Corp's help desk claiming to be John,
a technician from the Campinas branch. He asks for a password
reset on a privileged account, saying he has been locked out
minutes before a board meeting. With no identity verification
step, the help desk resets it.

Countermeasure: a formal identity verification step before any credential reset, for example a call back to the number on record for that person, applied even to requests that appear to come from inside the company.

Vishing

Voice phishing — attack via phone call. The attacker impersonates tech support, a bank, a government agency, or a vendor.

Warning signs:
- Unsolicited call asking for credentials or an SMS code
- Pressure to act "right now" with no time to verify
- Refusal to provide a verifiable ticket or reference number
- Request for remote access (AnyDesk, TeamViewer)

Smishing and QR Phishing (Quishing)

Phishing via SMS or via QR code. Quishing campaigns have grown with the spread of QR codes for menus and payments: users scan them without a second thought, and because the code hides the destination URL, the usual "hover over the link" check does not apply.

Awareness Program

An effective program is not a 30-minute annual training session. It is continuous, measurable, and contextualized.

Structure

1. Baseline assessment
   └─ Unannounced phishing simulation → measures initial click rate

2. Modular training
   └─ 5-10 min micro-learnings per topic (phishing, passwords, BYOD, data)
   └─ Frequency: monthly or bi-monthly

3. Periodic simulations
   └─ Phishing simulation every 60-90 days
   └─ Vishing simulation 1-2x per year
   └─ Physical access tests (tailgating, USB drives left in parking lot)

4. Immediate feedback
   └─ Employee who clicks the simulated link → immediate educational screen
   └─ No punishment; focus on learning

5. Metrics and reporting
   └─ Click rate, report rate, time to report
   └─ Segmented by department, role, seniority

Maturity Metrics

Metric                         Target
-----------------------------  ------------------------
Simulation click rate          < 5%
Suspicious email report rate   > 70%
Average time to report         < 1 hour
Completed training coverage    100% of active employees
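As an added example (not from the original page), the Python below computes the click rate, report rate and time to report listed above from one simulation round, segmented by department, and checks each segment against the targets in the table. The event rows, department names and timestamps are constructed for the demo. One deliberate choice, stated as an assumption: time to report is evaluated on the median rather than the average, because a single employee who reports the next morning would otherwise drag a whole department over the one-hour target.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import NamedTuple, Optional

class Outcome(NamedTuple):
    """One recipient's result in a simulation round (ISO 8601 timestamps)."""
    user: str
    department: str
    sent_at: str
    clicked_at: Optional[str]
    reported_at: Optional[str]

# Constructed sample round (not real data). Note bob: clicked first, then
# reported; he counts toward both the click rate and the report rate.
SAMPLE_ROUND = [
    Outcome("alice", "finance", "2024-03-04T09:00:00", None, "2024-03-04T09:12:00"),
    Outcome("bob",   "finance", "2024-03-04T09:00:00", "2024-03-04T09:05:00", "2024-03-04T09:20:00"),
    Outcome("carol", "finance", "2024-03-04T09:00:00", None, None),
    Outcome("dave",  "finance", "2024-03-04T09:00:00", "2024-03-04T09:30:00", None),
    Outcome("erin",  "engineering", "2024-03-04T09:00:00", None, "2024-03-04T09:03:00"),
    Outcome("frank", "engineering", "2024-03-04T09:00:00", None, "2024-03-04T10:30:00"),
    Outcome("grace", "engineering", "2024-03-04T09:00:00", None, None),
    Outcome("heidi", "engineering", "2024-03-04T09:00:00", None, "2024-03-04T09:08:00"),
]

# Targets from the table above. Assumption: time to report is judged on the
# median so that one very late report does not dominate the figure.
TARGETS = {
    "click_rate": ("<", 0.05),
    "report_rate": (">", 0.70),
    "median_report_minutes": ("<", 60),
}

def minutes_between(start_iso, end_iso):
    delta = datetime.fromisoformat(end_iso) - datetime.fromisoformat(start_iso)
    return delta.total_seconds() / 60

def summarize(rows):
    """Per-department and overall ('all') metrics. The denominator is everyone
    who received the simulation, so silent non-responders lower the report rate."""
    groups = defaultdict(list)
    for row in rows:
        groups[row.department].append(row)
        groups["all"].append(row)
    stats = {}
    for name, group in groups.items():
        sent = len(group)
        clicked = sum(1 for r in group if r.clicked_at is not None)
        delays = [minutes_between(r.sent_at, r.reported_at)
                  for r in group if r.reported_at is not None]
        stats[name] = {
            "sent": sent,
            "click_rate": clicked / sent,
            "report_rate": len(delays) / sent,
            "median_report_minutes": median(delays) if delays else None,
        }
    return stats

def meets_targets(stat):
    """Map each metric to True/False against TARGETS; a missing value fails."""
    verdict = {}
    for metric, (op, target) in TARGETS.items():
        value = stat[metric]
        verdict[metric] = value is not None and (value < target if op == "<" else value > target)
    return verdict

if __name__ == "__main__":
    for name, stat in summarize(SAMPLE_ROUND).items():
        print(name, stat, meets_targets(stat))
```

Two definitional points the code makes explicit: the denominator for both rates is everyone who received the simulation, so people who neither clicked nor reported count against the report rate; and a recipient who clicks and then reports (bob in the sample) counts in both numerators, which is exactly the behaviour the feedback step is meant to reinforce rather than penalise.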

Acceptable Use Policy (AUP)

Link the awareness program to a clear AUP that defines:

  • What is permitted on corporate devices
  • How to report a suspicious email (a “Report Phishing” button in the email client)
  • How an employee who clicks a real malicious link is treated (report it at once, no blame) versus the consequences of confirmed negligence

Security culture does not grow from fear. It grows from awareness, practice, and positive reinforcement.