
(OUO)-Independent Evaluation of NRC’s Potential Compromise of Systems (Social Engineering)

Report Information

Date Issued:
Report Number: OIG-20-A-09
Report Type: Inspection / Evaluation
Joint Report: No
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0

Recommendations

Verify or update training for all staff to include awareness for:
A. Observing the incoming caller ID.
B. Questioning the caller's intent (e.g., why they are asking for personal information, such as PIV card information).

Inform NRC staff that they will be tested periodically for their awareness.

Within the next year, perform follow-on telephone tests to gauge the efficacy of the updated training.

Verify or update training for all staff to include awareness and response protocol for:
A. Common email "red flag" indicators, such as misspellings in emails from domains outside the .gov environment.
B. Emails that ask for personal information, such as a username or password.
C. Unsolicited emails from unknown senders that include embedded links.

Verify or update training on Social Engineering techniques including:
A. Influencing techniques.
B. Emails that attempt to trigger an immediate response.
C. Emails that attempt to project power or authority.
D. Emails from “like” groups (e.g., a common user group, car club, church, etc.).