Social engineering protection assessment

Protecting your business by assessing its human defences

It is commonly acknowledged that a company’s employees are often the weakest link in an organisation’s IT security. The willingness of most people to help others and be service-minded can make your employees vulnerable to social engineering attacks, among others. Social engineering is the process of using psychology to encourage people to give you the information or access that you want. It involves deceit and manipulation, and can be done face-to-face, remotely but still interactively (e.g. by phone), or indirectly through technology.

How we can help

Our experts provide customised solutions based on your needs to conduct a practical social engineering test. They simulate a hacker’s attack methods and try to persuade the company’s employees to give away the information needed to gain access to sensitive data. We can use several methods to achieve our goal:

  • Phishing attack: we send emails to your employees and try to convince them to open an attached file or click on a link. Attached files result in malicious, though controlled, code being executed (for example via Java, PDF or Microsoft Office). If the workstation is not correctly patched, it may be possible to take control of an employee’s PC and use it to bounce (pivot) to other machines on your internal network and take control of them. Links are designed to get employees to log onto our false websites with their username and password or to submit confidential information concerning the IT systems. The wording of the mails we send and the text which appears on the false websites are always tailored to the target using a dedicated "lingo".

  • Impersonation: we may contact employees pretending to be calling from the company’s internal IT helpdesk (or a similar department, depending on your internal organisation) in order to get the employee to perform specific actions and/or reveal sensitive information. There are plenty of possibilities, with the options chosen being adapted to your company’s internal procedures.

  • Social network abuse: our team will use social networks (such as Facebook, Twitter and LinkedIn) to obtain information about employees and the company in an attempt to acquire confidential data.