
I work in corporate information security, and I have a few questions. The first is what email addresses these questions will go to. HR? Random employees? Both? The "Contact Us" address on their website? If it's going to random employees, how are you getting these email addresses to contact the employees? If I say to email John Smith, how do you know if the email address is john.smith@company.com or jsmith@company.com?

I like the idea behind this, I do. It's useful to know some insider information. But it's difficult to train employees not to respond to things that seem like social engineering. What I'm looking to know is, how can I be sure that the people I'm trying to help aren't giving away restricted information to anyone who asks? If I fill in the form and say "what kind of card access system does your company use", or maybe even something as innocuous as "does your company have a designated area for smokers to be outside?", this could be giving away a lot to a competent social engineer. I like the idea. But I'm also a bit concerned.


