Social engineering has received increased regulatory attention, driven by the proliferation of phishing, pretext calls and other related threats. We perform up to three types of exercise: e-mail, telephone, and (less frequently) physical tests. We have developed tried-and-true scripts for our pretext e-mails and calls, but we also modify them from year to year to keep them fresh.
Social engineering is very difficult to defend against, so the risk it poses is correspondingly high. In the last several years, we have seen an increase in targeted phishing attacks against businesses, so we recommend continued testing and ongoing training to reinforce employee diligence in assessing whether e-mails are legitimate. This is a fairly realistic simulation that reminds employees of the kinds of deceptive methods an attacker could use to compromise the client's computing systems.
All organizations should be aware that information brokers and identity thieves use pretext calls to gain unauthorized, and often illegal, access to customer information. It is important that all employees understand the threats posed, the type of information likely to be sought, the cues that can reveal a possible pretext call, and the appropriate steps to take. For example, a common pretext is a caller claiming to be a customer seeking access to his or her own information; the caller may be armed with biographical or account details obtained elsewhere, and the employee is naturally reluctant to offend what could be a legitimate customer. Our testing and diagnosis can help identify and address such situations.
Copyright © 2022 Insight Risk Consulting - All Rights Reserved.