
Social Engineering Assessments

A social engineering assessment is a simulated attack that measures the information security awareness of an organization's personnel by exploiting employees' natural human tendencies: trust, friendliness, preconceived assumptions, deference to authority, emotional needs and others. During a social engineering test, the assessment team makes direct contact with targets by telephone or in person, and sometimes attempts physical access to restricted areas within the organization.

The assessment uses psychological manipulation to deceive people into taking harmful actions such as clicking fabricated links, opening malicious attachments, sharing personal details and divulging confidential information about the organization. During the test, the social engineering team develops pretexts specific to the targeted employees' context, so that the approach looks familiar, and then uses the trust this creates to lure them into unwarranted actions. Because the attack targets people rather than systems, such tests often bypass technical security controls entirely.

The impact of a real-world social engineering attack can extend to complete compromise of the organization, including business data, employee information, email, credentials, source code and customer data.

Our Coverage

The GRC360 Social Engineering services help our customers assess the ability of the organization's systems and personnel to detect and respond to targeted social engineering attacks. Each assessment is planned in close coordination with the customer's point of contact so that testing is performed in a controlled manner. By simulating the tactics, techniques and procedures (TTPs) used by real adversaries, our assessments review the technical, process and people controls implemented within the organization. Outcomes of such assessments include:

  • Identifying employee behavioural risks that may lead to leakage of sensitive information
  • Understanding the organization's digital footprint and the information exposed in the public domain
  • Measuring how effectively technical controls detect and respond to such attacks
  • Highlighting weaknesses in employee cyber security awareness
  • Recommending context-specific measures to improve employee behaviour and sensitivity towards cyber security

The social engineering services we provide include:

  • Phishing – a generic email campaign, or a targeted spear-phishing campaign aimed at specific employees
  • Voice Phishing (vishing) – a targeted phone-based social engineering campaign
  • SMS Phishing (smishing) – a targeted SMS-based social engineering campaign
  • Tailgating – following employees into restricted areas
  • Chat Phishing – social engineering through popular messaging and chat services
  • Physical bypass – techniques for gaining unauthorized physical entry to premises

Our Methodology

The flow of our social engineering assessment is as follows:

  • Information gathering and OSINT
  • Target profiling and selection of the attack mode
  • Launching the test
  • Analysis of test results
  • Reporting
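As an added illustration of the "Analysis of test results" step (example code written for this page, not GRC360's own tooling), the script below takes a constructed event log from a simulated spear-phishing campaign and computes the figures a report needs: the sent/opened/clicked/submitted funnel, the report rate, the time to first report, and a per-department breakdown. The event names and record layout are assumptions made here; the sample rows are constructed, not real campaign data.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample data for this example: one row per recipient action in a
# simulated spear-phishing campaign. The event names and column layout are
# assumptions made here, not a format taken from the page or from any
# particular phishing platform.
SAMPLE_EVENTS = [
    # (timestamp, recipient, department, event)
    ("2024-03-04T09:00:00", "a.khan",  "Finance", "sent"),
    ("2024-03-04T09:02:10", "a.khan",  "Finance", "opened"),
    ("2024-03-04T09:02:45", "a.khan",  "Finance", "clicked"),
    ("2024-03-04T09:03:30", "a.khan",  "Finance", "submitted"),
    ("2024-03-04T09:00:00", "b.lee",   "Finance", "sent"),
    ("2024-03-04T09:10:00", "b.lee",   "Finance", "opened"),
    ("2024-03-04T09:11:00", "b.lee",   "Finance", "reported"),
    ("2024-03-04T09:00:00", "c.ortiz", "IT",      "sent"),
    ("2024-03-04T09:05:00", "c.ortiz", "IT",      "reported"),
    ("2024-03-04T09:00:00", "d.rao",   "IT",      "sent"),
    ("2024-03-04T09:30:00", "d.rao",   "IT",      "opened"),
    ("2024-03-04T09:31:00", "d.rao",   "IT",      "clicked"),
    ("2024-03-04T09:40:00", "d.rao",   "IT",      "reported"),
    ("2024-03-04T09:00:00", "e.smith", "HR",      "sent"),
]

# Funnel stages in order of severity; "reported" is tracked separately because
# a recipient can report the email at any stage, including after clicking.
STAGES = ("sent", "opened", "clicked", "submitted")


@dataclass
class CampaignSummary:
    population: int
    funnel: dict                 # stage -> recipients reaching that stage
    rates: dict                  # stage -> fraction of population
    reporters: int               # recipients who reported the email
    report_rate: float
    clicked_then_reported: int   # fell for it, but still raised the alarm
    time_to_first_report: Optional[timedelta]
    by_department: dict          # dept -> {"population", "clicked", "reported"}


def summarise(events):
    """Collapse per-recipient events into the figures a test report needs."""
    per_user = {}
    first_sent = first_report = None
    for ts_str, user, dept, ev in events:
        ts = datetime.fromisoformat(ts_str)
        rec = per_user.setdefault(user, {"dept": dept, "deepest": -1, "reported": False})
        if ev in STAGES:
            # Keep only the deepest stage reached: "clicked" implies "opened"
            # even when the mail client blocked the open-tracking pixel.
            rec["deepest"] = max(rec["deepest"], STAGES.index(ev))
        elif ev == "reported":
            rec["reported"] = True
            first_report = ts if first_report is None else min(first_report, ts)
        if ev == "sent":
            first_sent = ts if first_sent is None else min(first_sent, ts)

    population = len(per_user)
    if population == 0:
        raise ValueError("no recipients in event log")

    funnel = Counter()
    by_dept = {}
    reporters = clicked_then_reported = 0
    clicked_idx = STAGES.index("clicked")
    for rec in per_user.values():
        # A recipient counts at every stage up to and including the deepest one.
        for stage in STAGES[: rec["deepest"] + 1]:
            funnel[stage] += 1
        d = by_dept.setdefault(rec["dept"], {"population": 0, "clicked": 0, "reported": 0})
        clicked = rec["deepest"] >= clicked_idx
        d["population"] += 1
        d["clicked"] += int(clicked)
        d["reported"] += int(rec["reported"])
        reporters += int(rec["reported"])
        clicked_then_reported += int(clicked and rec["reported"])

    return CampaignSummary(
        population=population,
        funnel={s: funnel[s] for s in STAGES},
        rates={s: funnel[s] / population for s in STAGES},
        reporters=reporters,
        report_rate=reporters / population,
        clicked_then_reported=clicked_then_reported,
        time_to_first_report=(first_report - first_sent) if first_sent and first_report else None,
        by_department=by_dept,
    )


if __name__ == "__main__":
    s = summarise(SAMPLE_EVENTS)
    for stage in STAGES:
        print(f"{stage:>10}: {s.funnel[stage]:3d} ({s.rates[stage]:.0%})")
    print(f"  reported: {s.reporters:3d} ({s.report_rate:.0%}), "
          f"first report {s.time_to_first_report} after send, "
          f"{s.clicked_then_reported} clicked then reported")
    for dept, d in sorted(s.by_department.items()):
        print(f"{dept:>10}: clicked {d['clicked']}/{d['population']}, "
              f"reported {d['reported']}/{d['population']}")
```

The click rate on its own says little about detection capability; the report rate and the time to first report are what show whether the organization's people and processes would have raised the alarm in time for the security team to respond, which is why the script tracks reporting independently of the click funnel and separately counts recipients who clicked but still reported.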

Our Benchmarks

Depending on customer requirements, our social engineering assessments are designed to meet the user awareness evaluation and training requirements of standards such as:

  • ISO 27001:2013
  • PCI-DSS
  • Cyber Security Guidelines from Regulatory Authorities

Why Choose us?

  • Rich experience conducting social engineering assessments for large organizations across industry verticals including BFSI, healthcare, information technology, logistics, shipping and aviation
  • Highly trained and experienced social engineering experts who tailor each engagement to the customer
  • Comprehensive reports that give our customers an in-depth understanding of test results and their business impact
  • Vast experience in designing long-term awareness campaigns that strengthen the information security culture within the organization