Social Engineering Tactics and Methods

Our Social Engineering Services

Social engineering is a type of cyber security attack that uses social engagement deception to convince individuals to provide confidential or otherwise valuable information to cyber criminals.

Social Engineering Tests

Social engineering tests are designed to create conditions and scenarios that lure personnel into engagement – just as if driven by a crafty cyber attacker. Tactic and techniques can include phishing calls, targeted emails, and more. The results of these tests are used to educate employees on how to become more astute at discerning legitimate human engagement from trickery.

Why Use Social Engineering Services?

Social engineering is one of the key ways attackers can gain access to or information about your organization. People are the weakest link in the daily management of network security. To mitigate this, we offer an examination into the security awareness and practices of your employees and suppliers through Social Engineering Services. We offer several social engineering test options to best meet your organization's needs, preferences, and resources.

Remote Social Engineering Services

Remote Social Engineering is ideally performed on a semi-annual basis to provide an accurate representation of your employees’ security awareness. It includes a wide range of attacks, each specially designed to give important information on employee reactions. There are several options for remote social engineering:

Phone-based Phishing

This involves placing calls to your internal staff members and, upon request, to your suppliers to assess their security awareness. We specifically attempt to obtain information that could be used to gain unauthorized or falsely authorized access to your network resources or data.

Vishing

This involves sending targeted emails with an action request for the user to call a local number for more information. Fortra staff answers the call and conducts social engineering (i.e. “vishing”). We specifically attempt to obtain information that could be used to gain unauthorized or falsely authorized access to your network resources or data.

Web-based Phishing

This involves sending targeted emails with an action request for the user to visit a website which is designed to elicit sensitive information (i.e. phishing). This method involves creating a custom website which looks and feels like your intranet or public site and then capturing the input provided.

Email-based Phishing

This involves sending employees targeted emails with an action request for the user to reply back to the message with information (i.e. phishing). Data is then captured and analyzed for sensitivity.

USB Drops (physical initiation and remote analysis)

This involves obtaining USB drives and load them with custom-developed software that, when inserted into a computer, will auto run and transmit the username, hostname, and IP address in a secure fashion to Fortra. The intent is to determine how susceptible staff are to opening these USB drives. Fortra will report on the number of incidents of users running this software, the associated user name, system name, and IP address.

Onsite Social Engineering

Onsite social engineering is ideally performed annually to provide an accurate and more thorough representation of your employees’ security awareness. If an adversary can gain physical access to a network or system, they can gain access to all information and/or data on the networks or systems with little or no technical knowledge required.

An onsite review includes an evaluation of weaknesses across physical security mechanisms including: interior and exterior CCTV coverage,internal and external entrance controls, door locks and enhanced security system assessment, wireless infrastructure server room access and disaster protection controls, and assessment of possible IT vulnerabilities.

Additionally, our “after hours” physical security sweep measures employee adherence to: “clean desk” policies, appropriate disposal of sensitive data, workstation locking, and password safekeeping.

Onsite social engineering testing methods include:

Attempts to gain physical access to the premises

Obtaining records, files, equipment, sensitive information, network access, etc.

Attempts to garner information to permit unauthorized network access

With both forms of testing, Fortra will provide a formal softcopy report of all evaluation findings, which can be used for internal review, planning purposes, and regulatory examinations.

Enhance Security and Ensure Compliance with Our Comprehensive Social Engineering Services

Our social engineering services offers clients numerous benefits, including the identification of gaps in security policies and personnel awareness, the balancing of investments in security technology versus personnel training, and the identification of necessary physical safeguards. Our comprehensive social engineering testing ensure organizations achieve compliance with regulatory guidelines such as GLBA, NCUA, HIPAA, and SOX.

Protect Your Organization from Social Engineering Attacks

Get started with Social Engineering Services and begin strengthening your security awareness and practices.

Contact Professional Services

Social Engineering Services