Better to experience once than be trained ten times
A company in the financial consulting sector needed to test whether its employees could withstand cyber attacks. The employees had already completed several security trainings, and the test was meant to determine whether those trainings had been effective.
At AEC we prepared a three-stage test based on social engineering methods. It included sending simulated malware by e-mail, attempts to elicit sensitive information by phone and e-mail, and physical intrusion into selected sites, where data storage devices carrying simulated malicious code were planted. The entire test took approximately two months.
We managed to get the prepared malware onto the computers of 28% of the tested employees. In the first phase, three out of four users gave us their login credentials over the phone. The IT department, unaware that a test was under way, reacted by warning the other employees and blocking the line from which the attacker was calling, so the phone phase could not be continued. Even so, several internal documents were obtained by e-mail from other users. It was not for nothing: as the saying goes, "better to experience once than be trained ten times".