A window into the range and effectiveness of WFF’s capabilities.
Due to the sensitive nature of much of our work, some of these case studies are anonymous.
Client: A Financial Services Company
Using social engineering techniques, the team were able to open a trading account when working-from-home staff didn’t follow agreed security procedures. The WFF bespoke training session, delivered to over 500 staff, received extremely high levels of engagement and positive feedback.
Brief: The WFF brief was to rigorously test the company’s new client on-boarding process
Operation: This large company has hundreds of staff dealing with clients over the phone, from home. When onboarding new clients, the staff are expected to run a number of checks in order to confirm the client's identity. The WFF operative attempted to open an account using a set of details belonging to another person, sourced from the dark web. They were initially turned down, but the staff member gave away confidential information about why the application had been refused, making a subsequent account opening easier. On the second attempt, the operative was able to open an account successfully. In addition to pure social engineering, the team were able to create lookalike identity documents which fooled the document-checking software.
Potential impact: The potential financial and reputational damage would have been huge. In addition, failure to carry out these checks is a breach of anti-money-laundering regulations and can result in significant fines.
Solution: WFF’s report contained detailed information which allowed the company to update its compliance procedures and identify issues with its document-checking software. WFF also designed a staff training session to address the social engineering issues identified. A pre-training video, in the form of a high-quality crime drama series, and a questionnaire were sent to staff two weeks before the session. The training was delivered to over 500 staff and received extremely high levels of engagement and positive feedback. The pre-session video was viewed 759 times, meaning some people watched it more than once. Average attendance time online for the one-hour course was 60.94 minutes. 85.4% of respondents rated the quality of the course above 8 out of 10, while 88.7% of respondents rated the usefulness of the information 8, 9 or 10 out of 10.
Client: A Company with a Large Facilities Estate
WFF identified vulnerabilities in front-desk staff routines and procedures. After reporting to the client, an attempt to enter the offices was successful. The team gained full unauthorised access, spending long periods of time in the offices, and finding serious data security lapses.
Brief: The client wanted to test the physical access to its offices across several locations.
Operation: This company has a number of offices in different locations. Each office has access to data which is protected behind highly sophisticated cyber security measures. The client wanted to see how well its front-desk staff protected access to the office, and what the potential risk was if access to the office were gained. The WFF team observed all office locations for a number of days and were able to identify vulnerabilities in front-desk staff routines and procedures. After reporting to the client, it was decided to attempt entry to the offices. The team used a variety of techniques. At each location, they were able to gain full unauthorised access, spending long periods of time in the offices, sometimes at night.
Potential impact: While in the offices, WFF conducted an audit of data security lapses. They found lists of passwords pinned next to computers, unsecured access and ID cards, and confidential client data (including financial data) left unsecured on desks. This could have had huge financial and reputational implications for the client.
Solution: WFF provided an extensive, actionable report to the client. These systemic problems occur so often across many different businesses that WFF has since developed its Front of House staff training module.
Client: Dentsu advertising agency
The world’s largest advertising agency asked WFF to provide fraud awareness training for its UK staff over Christmas. WFF created ‘The 12 Frauds of Christmas’ masterclass, a session which included an engaging series of short films with animation, presented by WFF’s own ex-fraudster, Tony Sales, dressed as Santa.
Brief: Develop fraud awareness training for Dentsu staff to help them stay safe personally and at work
Solution: WFF created The 12 Frauds of Christmas, an enjoyable one-hour session which combined the best anti-fraud information with humour, animation and Santa. It was presented by WFF’s own ex-fraudster Tony Sales, a popular TV fraud prevention expert, joined by other top experts for a Q&A section. The session was recorded and hosted on a dedicated web page so that staff who missed the live session could watch it. Short videos of key messages from the session were created as post-session content to reinforce those messages, and were also made available on social media.
Outcome: Over 200 members of Dentsu staff were trained in the live session, while many more had access to the web-based content.
Potential impact: The training – which included phishing, fake charities and spoofed calls – helped Dentsu and its staff stay safe over the Christmas period and beyond.
Feedback: Course feedback revealed that of those surveyed:
- 49% had been victims of fraud with losses ranging between £15 – £4,000.
- 25% of those defrauded were not able to recover the money lost.
- 100% of respondents said that they would use the advice given within the fraud awareness training to protect themselves in future.
Client: A leading high-street retailer.
Brief: WFF was asked to test the physical and digital security surrounding the retailer's warehouse and HQ.
Operation: The WFF team rigged a car with cameras and left it in the warehouse car park. It revealed a number of vulnerabilities.
Our digital testers set up a spoof Wi-Fi network in the lobby; several employees logged on to it, revealing their logins and passwords. The testers were able to intercept digital traffic on its way to the printer, and to view and alter confidential documents including invoices and shipping manifests. They could also have gained access to the CCTV system to covertly monitor activities.
The physical team gained access to spare keys for delivery vehicles and drove off with three fully laden lorries. The fake manifests convinced security to allow them to exit the warehouse area in the stolen vehicles.
Potential impact: This company was at risk of both physical and digital loss. It was aware of the risk of physical loss but had not understood how digital and physical vulnerabilities could be combined to create a far greater risk. It had also undervalued the customer data it was holding.
Solutions: WFF’s recommendations included training and physical and digital security upgrades.
Client: A significant financial institution.
The WFF team exposed a major vulnerability in a third-party software plug-in that compromised customer data. Social engineering techniques used on customer service teams working from home exposed inadequate due diligence and onboarding procedures.
Brief: WFF was asked to test digital data security and call centre customer onboarding procedures
Operation: Within just a few hours, WFF’s digital team had found a major vulnerability in third-party software which allowed full access to the back end of the bank’s onboarding system. This would have allowed the team to create accounts at will and steal customer details.
This critical vulnerability had been missed in a recent test by another provider.
The physical team elicited a wide range of usable personal and corporate data, using social engineering techniques over a number of days. They were then approved to open personal and trading accounts using either false ID or no ID at all.
Potential impact: The bank was in danger of a major data breach (as are other banks using the same software plug-in). The eagerness of onboarding staff to open accounts without adequate due diligence posed a high level of risk, compounded by poor ‘working remotely’ procedures. The bank was susceptible to money laundering activity and could have faced significant fines and penalties from financial services regulators.
Solutions: Our team provided a detailed report to the client so that it could pass the vulnerability information on to the software vendor. WFF also provided a series of practical options for resolution.
Client: An investment company.
WFF successfully entered the client’s premises, accessed a £15m bank account and around 750k pieces of customer data. The estimated cost of contacting customers would have been £500k alone. Potential GDPR violations and reputational damage would have been catastrophic.
Brief: WFF was asked to test the physical security surrounding the company's data.
Operation: After several days of surveillance, Tony and his team discovered multiple entry points into the investment company’s headquarters. They were able to access areas of the reception during the day by posing as workmen. They modified windows so that they could let themselves in at night, bypassing the alarms.
By socially engineering the guard on reception over several days using false identities, they were able to obtain a key card which operated every lock in the building. Using the key card, the team entered the office covertly at night. They found logins, passwords, IDs, confidential documents and unsecured confidential waste (which could have been stolen without anyone noticing).
Outcome: The WFF team gained full access to a bank account containing a £15m balance and around 750k pieces of customer data.
Potential impact: This company was at severe risk of a major data breach. It estimated the cost of sending apology letters to customers at £500k alone. The potential GDPR violations and reputational damage from such a breach are hard to calculate but can be catastrophic.
Solutions: WFF recommended a number of cost-effective measures which would eliminate a significant amount of this risk, including training and recommendations on physical and digital security.