SOCIAL ENGINEERING

Verify Your Security With a Penetration Test

OVERVIEW

What Is Social Engineering?

Social engineering is the act of exploiting human weaknesses to gain access to personal information and protected systems. Social engineering relies on manipulating individuals rather than hacking computer systems to penetrate a target’s account.

What Is A Remote Social Engineering Penetration Test?

Remote social engineering penetration testing validates the effectiveness of user security awareness, incident response, and network security controls such as malware defenses, local permissions, and egress protections. Performed under controlled conditions, a remote social engineering pen test involves issuing carefully crafted emails to lure users to fictitious “malicious” websites, attempts to compromise these users, escalate privileges, and penetrate the internal environment.

BENEFITS

Benefits Of Social Engineering Testing

Evaluates defences

Strengthens your organisation's defences by testing its cyber security controls to ensure they are effective at identifying and blocking attacks.

Identifies risks posed

Understand how susceptible your employees are to falling foul of social engineering scams, such as spear phishing and Business Email Compromise attacks.

Enhances security training

Your employees are more likely to take security recommendations seriously if they experience simulated social engineering attacks. It also helps you zero in on specific areas of weakness and prioritize your response accordingly.

Reveals your information footprint

Learn what an attacker could glean about your organization and employees from information freely available in the public domain.

Real-time view of cyber awareness

It gives a real-time assessment of how closely employees adhere to company security policies, highlights good and bad security practices, and points out areas for improvement.

METHODOLOGY

CSG’s Comprehensive Testing Methodology

CSG’s approach to social engineering mirrors the latest tactics used by fraudsters. A typical phishing assessment involves:

01. Reconnaissance
Initial reconnaissance activities to gather the necessary information to prepare suitable and credible messaging, such as the services the target organization offers, relationships between varying business units or divisions, information exposed on public sources, and other employee or corporate specific information
02. Infrastructure Preparation
Systems to transport email, track responses and activity, and host content are deployed and configured.
03. Campaign Preparation
Target lists are grouped and sequenced, campaign batches are configured and scheduled, and related preparation tasks are completed.
04. Campaign Launch
Initial test messages are issued to gauge response behavior, identify technical controls that might warrant revising the planned approach, and fine-tune attack methods.
05. Initial Exploits
As sessions are established, initial exploits are pursued to establish baseline access through payloads, command and control, and scripted actions, to identify secondary targets on the compromised network, and to establish persistence.
06. Secondary Exploits
Attempts to expand presence throughout the connected environment by bypassing user access controls, identifying internal weaknesses to exploit, leveraging excessive user rights, and compromising connected systems.
07. Exfiltration Attempts
Identifying data that would be of value to an attacker, stored in locations such as local repositories, mapped drives, databases, and file sync folders.
08. Disengaging
Winding down activities including terminating sessions, gathering evidence necessary for reporting, and preventing continued contact following the conclusion of the campaign.

FACTS

10 Facts About Social Engineering

  • The number one type of social engineering attack is phishing.
  • 43% of IT professionals say they have been targeted by social engineering in the last year.
  • Social engineering attacks are responsible for 93% of successful data breaches.
  • 45% of employees click emails they consider to be suspicious “just in case it’s important.”
  • 71% of IT professionals say they’ve experienced employees falling for a social engineering attack.
  • On average, social engineering attacks cost $130,000.
  • 60% of IT professionals cite recent hires as being at high risk for social engineering tricks.
  • 45% of employees don’t report suspicious messages out of fear of getting in trouble.
  • Socially engineered cyberattacks are just under 80% effective.
  • The costliest socially engineered cyberattack is business email compromise – it’s 64 times worse than ransomware!

Frequently Asked Questions About Social Engineering Testing

What is social engineering?

Social engineering is the act of exploiting human weaknesses to gain access to personal information and protected systems. Social engineering relies on manipulating individuals rather than hacking computer systems to penetrate a target’s account.

What is phishing?

Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.

Why is phishing so commonly used?

Users tend to be the weakest link in the security chain. Hackers target people en masse and harvest valuable information using phishing. The wide availability of phishing tools on the internet has enabled attackers with a low level of technical skill to conduct attacks.

How can businesses prevent social engineering attacks?

The most effective defence against social engineering is education. To find out how OmniCyber Security can assist you in defending against social engineering attacks or to arrange social engineering penetration testing, please contact our team.

What is anti-phishing?

Anti-phishing is a collective term used to describe the tools and services available to help organisations identify and prevent phishing attacks.

What is baiting?

Baiting describes the psychological manipulation techniques cybercriminals use to trick people into disclosing sensitive information such as credentials for email and online banking accounts. Hackers go to great lengths to spoof well-known companies and devise fake offers, service updates and security alerts.

What is the difference between white-box and black-box testing?

Under a black box social engineering simulation, CSG’s ethical hackers have no prior knowledge of your organization’s environment. Reconnaissance is conducted to identify intelligence about employees and security controls in place. A white box testing approach is used in instances where phishing testing targets specific employees using pre-supplied email addresses.

Why Choose CSG

  • A trusted partner with a personalized service

  • A company with a global reach

  • An extensive understanding of how threat actors operate

  • In-depth threat analysis and advice you can trust

  • Latest tools and technology

Request Assistance With Social Engineering Testing