Social Engineering Testing Service
Social engineering testing, in the context of information security, assesses whether people can be manipulated or tricked into taking actions or divulging confidential information. For this reason it is also known as 'human hacking'.
Social engineering scams are designed to manipulate a user's behaviour. The most successful attacks are those in which the attacker identifies what motivates the victim (fear, for example) and plays on it.
The difference between a real attack and our testing service is that testing is carried out with the explicit written consent of the client, and its purpose is to produce a comprehensive report and close security holes before a real attacker can exploit them.
As of 2020, in 95% of all tests, we have managed to obtain sensitive information employing social engineering techniques.
The Benefits of Social Engineering Testing
- Even with the best IT security, employees can still be tricked into giving out sensitive information.
- We are able to find out whether your employees would:
  - Recognise scams that appear to be sent by co-workers or management
  - Be tricked over the phone, for example by an attacker impersonating law enforcement
  - Download or open attachments, unintentionally spreading ransomware
  - Be aware of the types of threat they may face on a daily basis
- If your organisation holds customer information or confidential data, testing gives you evidence of whether employees can be tricked into compromising it, rather than assuming they cannot
- A data breach is costly in terms of fines, but the damage to your organisation's reputation can be more damaging still
- Proactive security is far more cost effective than reactive security
We recommend that a full audit is completed at least once a year, and ideally two to four times a year. The results should feed into the company Security Policy.
We also recommend regular user education, which we can provide in the form of online Cyber Awareness Training.
Social Engineering Testing
The Razorthorn Approach
We approach the test as a real attacker would: before any engagement we gather as much open source intelligence on your organisation as possible through thorough online information gathering.
During a Social Engineering Test we perform a wide range of computer- and phone-based tests, using the same techniques real attackers use:
Email campaigns: crafted emails that appear to come from a superior and ask the user to click a link or open an attachment. We also direct employees to fake websites that simulate infecting their machines or that are used to "phish" credentials.
Spear phishing, optionally combined with simulated exploitation of the endpoint.
Phone-based social engineering, including caller ID and SMS spoofing, together with vishing (voice phishing) exercises.
Our services can be bundled with Cyber Awareness Training.
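The "email from a superior" described above usually rests on a handful of header and link tricks: a display name copied from a real manager in front of an external address, a lookalike sender domain, a Reply-To that silently redirects replies, and link text that shows one host while the href points to another. The following script is an added example, not Razorthorn's tooling or part of the original page; the corporate domain, the staff directory and the two sample messages are constructed assumptions. It shows what a blue team (or a test report) can check for in simulated phishing mail.

```python
"""Triage checks for a simulated "message from your manager" phishing email.

Added example; not part of the original page. The domain, staff list and
sample messages below are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"                                   # assumed corporate domain
STAFF = {"alice director": "alice.director@example.com"}      # assumed directory: name -> address

# Common character substitutions used in lookalike domains (assumed, non-exhaustive).
LOOKALIKE_SUBS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalise_domain(domain: str) -> str:
    """Fold typical homoglyph substitutions so 'examp1e.com' compares equal to 'example.com'."""
    domain = domain.lower()
    for bad, good in LOOKALIKE_SUBS.items():
        domain = domain.replace(bad, good)
    return domain


def _domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw: str) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(addr)

    # 1. Display-name impersonation: a known staff name in front of the wrong address.
    key = name.lower().strip()
    if key in STAFF and addr.lower() != STAFF[key]:
        findings.append(f"display name '{name}' matches staff but address is {addr}")

    # 2. Lookalike sender domain (differs from the corporate domain only by homoglyphs).
    if from_domain != CORP_DOMAIN and normalise_domain(from_domain) == CORP_DOMAIN:
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Reply-To redirection to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")

    # 4. Link text that shows one URL while the href points at another host.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for href, shown in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>([^<]+)</a>', content, re.I):
        href_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown.strip()).hostname if "://" in shown else None
        if shown_host and shown_host != href_host:
            findings.append(f"link text shows {shown_host} but points to {href_host}")

    return findings


# Constructed sample: the kind of mail a phishing simulation sends.
SAMPLE_IMPERSONATION = """From: Alice Director <alice.director@examp1e.com>
To: bob@example.com
Reply-To: alice.director@gmail.test
Subject: Urgent: approve this payment
Content-Type: text/html

<html><body>Please approve at <a href="http://login.examp1e.com/auth">https://portal.example.com/approve</a> today.</body></html>
"""

# Constructed sample: a genuine internal message that should produce no findings.
SAMPLE_LEGIT = """From: Alice Director <alice.director@example.com>
To: bob@example.com
Subject: Team meeting moved to 3pm
Content-Type: text/plain

See you in the usual room.
"""

if __name__ == "__main__":
    for label, sample in (("simulation", SAMPLE_IMPERSONATION), ("legitimate", SAMPLE_LEGIT)):
        print(label, analyse(sample) or "no findings")
```

These four checks are deliberately cheap and header-only; they complement, rather than replace, SPF/DKIM/DMARC evaluation at the mail gateway, and a display-name match against the staff directory is the check most mail clients still leave to the human reader.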