Social Engineering Testing

By now, you have probably become calloused to the barrage of phony emails from banks and the dozens of other phishing and social engineering attacks we see on a daily basis. However, social engineering attacks are far more intricate than those phishing emails. 

Those emails are truly the bottom-of-the-barrel attempts by unsophisticated criminals. But many other forms of social engineering attack are commonly used to gain access to critical and valuable data. Is your organization protected?

The Human Problem

The problem with good social engineering attacks is that they don’t seem like attacks.  Instead, they rely on human kindness, trust and the desire to please.  To the person being attacked, they seem like everyday types of situations – not criminal activity.

Consider these examples:

Social Engineering Example #1

A healthcare worker notices a USB key drive lying on a nursing station. It has the hospital logo on it. "Must have been left here by a doctor," they think to themselves. So they plug it into their computer and open it up.

It looks empty to them, but what they don’t realize is that the key just deposited code on that computer that will search the hard drive and any network drives it can find for any type of personal health information – social security numbers, credit card numbers, billing information, etc. Anything it finds is sent over the internet to the criminal organization that left the USB drive at the nursing station earlier that day.

Social Engineering Example #2

An employee at a multi-office banking institution receives a phone call from someone identifying themselves as "Pete from IT". "Pete" asks if they have had any problems with connectivity today and explains that they have been receiving calls from two of the other branches in the same area. The employee indicates that they haven’t and Pete thanks them.

Just as Pete is getting off the phone, he asks for the employee’s ID number for reporting purposes.  The employee thinks that makes sense and gladly hands over their employee ID.  "Pete" now uses that employee name and ID to steal that employee’s identity.

These are just two examples of actual social engineering attacks that have worked over the last twelve months.  Is your company at risk?  How can you be sure?  We can help.

Is Your Organization Susceptible to Social Engineering?

Our Social Engineering tests use creative approaches to evaluate whether your employees, partners or suppliers are susceptible to behavioral attacks.  We work with you to agree on a strategy and how the social engineering tests will be conducted.  We agree on a timeframe and we communicate early and often to keep you completely aware of how the social engineering test is progressing.

Upon completion, we deliver you a report which documents all details of our activities, areas of vulnerability, and recommendations for employee awareness training and any technology solutions that might help.

It is a sad state of our world that this type of service is necessary.  We take no pleasure in exposing these weaknesses.  But we also recognize that if we don’t help our clients in this manner, they are far more likely to fall victim to the real social engineers.  Please don’t let that happen to you.

Contact us today to start discussing how we can help you evaluate your behavioral security preparedness.

I trust them. They don't benefit financially from the advice they give, so I know the best interests of my company are upheld. They also don't hold me hostage to a contract so they need to earn my business every month. LB