Observations from Social Engineering my way Through a Pandemic
COVID-19 has impacted all of us in some form. For social engineers, myself included, COVID-19 changed the way we perform social engineering assessments. In this talk I will discuss how my social engineering assessments were impacted by the rise of COVID-19, how my pretexts were modified to focus on COVID-19 (in an ethical manner), and what I learned from them.
With the mandatory (and life-changing) switch to remote work, employees more than ever began to rely on both email and their phones as a means of communication. This introduced a gigantic opportunity for attackers to target the weakest link of an organization: the employee. This also meant that to stay current and up to date with the latest attacks, many social engineers, including myself, tailored their campaigns to include COVID-19 as a pretext. This also meant that employees were significantly more likely to engage with my emails or phone calls because it became ‘the norm’. Furthermore, several of the employees I called were so thankful just to speak to someone that they were more than willing to ‘assist me with my technical issues’. In the body of the talk, I want to present multiple pretexts, results, and stories of my experiences from phishing and vishing through the pandemic to provide some insight as to how it introduced vulnerabilities to my clients.
COVID-19 has shone a light on many organizations’ security posture. More than ever, companies need to be educating their users on cybersecurity threats and involving them with the security team. Security is a group effort, and it is our job as consultants, social engineers, and supporters of the InfoSec community to educate those around us on social engineering attacks such as those demonstrated throughout my talk.