What is Social Engineering Testing?

Social engineering testing is a security assessment technique used to evaluate an organisation's susceptibility to social engineering attacks. These tests simulate real-world attacks and allow you to play the role of the adversary, identifying the strengths and weaknesses of your security posture. By doing so, you can gain valuable insights into how your organisation would fare against a real-world attack or data breach.

Key Challenges & Social Engineering Examples

Social engineering has become a common tactic for threat actors to gain access to sensitive information in today's evolving threat landscape. A 2022 report by the UK government's Cyber Security Breaches Survey showed that nearly 39% of UK businesses and charities were targeted by social engineering attacks in the past year.

These attacks are designed to exploit weaknesses in an organisation's people and processes, making them harder to detect and prevent than traditional attacks that exploit technology. Common forms include quid pro quo, baiting, email phishing, voice phishing (vishing), smishing, whaling, tailgating, pretexting, impersonation, road apples (baited media left to be found) and business email compromise (BEC).

Because organisations often invest the largest share of their security budget in technology, technology is usually the hardest layer to breach. The real question is how to reduce the attacks aimed at people and processes. The answer is straightforward: test those people and processes the way an adversary would, through social engineering tests, and stay up to date with the latest social engineering tactics.

Types of Social Engineering Testing

On-Site Tests:

Onsite social engineering tests are designed to evaluate an organisation's security posture against social engineering attacks that occur on-premises. Here are some types of onsite social engineering tests that organisations can perform:

Tailgating: The social engineer attempts to follow an employee through a secure door or checkpoint without proper authorisation.

Badge cloning: The social engineer attempts to gain access to secure areas by copying an employee's ID badge.

Physical security bypass: The social engineer attempts to circumvent physical security measures, such as cameras and security guards, in order to reach secure areas.

Off-site Tests:

Offsite social engineering tests evaluate an organisation's security posture against remote attacks, such as phone or email attacks. They involve a simulated attack against the organisation's employees or infrastructure without physical presence. Some types of offsite social engineering tests include:

Phishing emails: The social engineer sends fraudulent emails that appear to be from a reputable source, to trick the recipient into divulging sensitive information, such as login credentials or financial data.

Vishing: The social engineer makes phone calls, posing as a trusted third party, to gain access to sensitive information.

Smishing: The social engineer sends text messages that appear to be from a reputable source, to trick the recipient into divulging sensitive information.
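The phishing emails described above are usually detectable from a handful of header and content signals: a sender domain that merely resembles a trusted one, a display name that claims a trusted brand while the address points elsewhere, a Reply-To that diverts replies to a different domain, and urgency or credential-request language in the body. The following is an added example of such defender-side triage logic, not Risk Crew's tooling or methodology; the trusted domains and both sample messages are constructed for illustration.

```python
"""Heuristic phishing-indicator checks over raw email headers and body.

Added example. TRUSTED_DOMAINS and the two sample messages are constructed
placeholders, not data from any real organisation.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: the organisation's own domain plus a trusted partner.
TRUSTED_DOMAINS = {"example.com", "partner-example.org"}

URGENCY_RE = re.compile(r"\b(urgent|immediately|within 24 hours|will be suspended)\b", re.I)
CREDENTIAL_RE = re.compile(r"\b(password|verify your account|log ?in)\b", re.I)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message: str) -> list:
    """Return a list of (tag, detail) pairs; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    found = []

    # 1. Sender domain resembles a trusted domain without being one.
    if from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in from_dom or edit_distance(trusted, from_dom) <= 2:
                found.append(("lookalike-domain", f"{from_dom} resembles {trusted}"))

    # 2. Display name claims a trusted brand but the address is elsewhere.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and from_dom != trusted:
            found.append(("display-name-mismatch", f"'{display_name}' sent from {from_dom}"))

    # 3. Replies are silently redirected to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        found.append(("reply-to-mismatch", f"Reply-To goes to {domain_of(reply_addr)}"))

    # 4. Body pressure tactics and credential requests.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY_RE.search(body):
        found.append(("urgency", "pressure language in body"))
    if CREDENTIAL_RE.search(body):
        found.append(("credential-request", "asks for login details"))
    return found


# Constructed sample: a lookalike sender, diverted replies, urgency, credential ask.
PHISH_SAMPLE = (
    'From: "Example IT Helpdesk" <support@examp1e.com>\n'
    "Reply-To: collect@mailbox-example.net\n"
    "Subject: Action required\n"
    "\n"
    "Your mailbox will be suspended within 24 hours unless you verify your account.\n"
)

# Constructed sample: a routine internal notice that should raise nothing.
LEGIT_SAMPLE = (
    'From: "IT Helpdesk" <helpdesk@example.com>\n'
    "Subject: Patch window\n"
    "\n"
    "The monthly patch window is Saturday at 02:00. No action is needed from you.\n"
)

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, phishing_indicators(sample))
```

Each indicator on its own is weak (a genuine partner may legitimately set a different Reply-To), so a mail gateway or SOC playbook would normally score them together and route messages with two or more hits for review or user warning banners rather than blocking outright.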

Risk Crew's Bespoke Social Engineering Penetration Test

Risk Crew has over 15 years of experience in designing and implementing successful simulated social engineering attacks across various business sectors.

Our skilled social engineers can address all attack vectors related to your business's employees, vendors and stakeholders. We customise each project's timescale and objectives, and follow a strict methodology to ensure that all objectives are met within the agreed budget.

Our social engineering assessments are conducted using the following information-gathering methods.


Active or Passive Reconnaissance:

Passive reconnaissance involves collecting publicly available information about a target without directly interacting with it (e.g., social media profiles), while active reconnaissance involves directly probing the target's systems or network to gather information. Passive techniques are non-intrusive, while active techniques (e.g., direct phone calls and port scanning) can trigger security alerts.


We believe social engineering is not a science – it’s an art.

Why Choose Risk Crew

Dedicated Social Engineers

Our experienced security testing engineers have worked for leading global organisations and implemented detailed Social Engineering Testing methodologies, ensuring they can effectively assess your business’s capabilities to detect and mitigate attacks against your systems.

On-call Advice Assistance

We don't just stop at delivering a comprehensive report. We go the extra mile by offering expert advice and support for 30 days after the report submission. Our team is on standby to help answer any questions or concerns that arise during the implementation of remedial actions to minimise risks and safeguard your systems.

Detailed Report

Our reports are bespoke and detail each vulnerability identified, how it was identified, the methods and tools used, and visual evidence where applicable. This is not a template but a carefully curated document that defines objectives and provides measurable results.

Customer Promise

With Risk Crew's social engineering penetration testing solution, you can expect an unmatched level of service that comes with a 100% satisfaction guarantee. Our testing methodology is designed to identify potential vulnerabilities and security risks that may otherwise go undetected.

Workshop for Stakeholders

To guarantee that relevant business stakeholders understand the report's results, we present them in a workshop. The workshop serves as an opportunity to engage with stakeholders and address any concerns they may have.

Retesting Included

We offer a retest to verify that remedial actions were effective. Upon completion, we'll provide you with a summary report confirming that the remedial measures have been implemented.

Benefits of Conducting Regular Social Engineering Tests

Regular social engineering tests conducted by Risk Crew offer a range of benefits that include:

  • Benchmarking the security awareness level of your end-users
  • Identifying operational and business process weaknesses that could be exploited for unauthorised access
  • Spotting vulnerabilities that may have been overlooked in your people, processes and policies
  • Providing invaluable insights into the actual level of security that your information security risk management programme provides

These regular tests are a crucial part of maintaining the overall security of your organisation, and our team is committed to providing you with the highest level of service and support.

Frequently Asked Questions

How does social engineering work?

A social engineering attack relies on the manipulation of human behaviour. A person's personality, good nature, beliefs, education, professional status or social etiquette can often be exploited, so that they are tricked into doing something that serves the attacker's interests. This is why social engineering works so easily and why it is so dangerous. By and large, all social engineering attacks attempt to exploit one (or more) of the following four common human emotions:

  • Helpfulness: Our innate willingness to want to help others.
  • Obedience: Our inclination to comply with the law, a direct request or order from someone in a perceived position of authority.
  • Fear: An unpleasant emotion that is caused by the idea that something or someone can cause us harm.
  • Greed: A selfish desire for personal gain.

Social engineering requires nothing more than a basic understanding of simple behavioural psychology principles and some good acting skills.

What are typical social engineering attacks?

Successful social engineering attacks are delivered in contexts designed to exploit these human weaknesses. Typical social engineering attacks include scenarios such as:

  • Pretexting: Masquerading as someone else
  • Baiting: Enticing the victim with promises of something of value
  • Blackmailing: Threatening to reveal something that the target wishes to be kept secret
  • Offering Quid Pro Quo: Promising something to the victim in exchange for the victim’s help

Social engineers use their knowledge of how people think in a variety of ways.

By targeting the human element, they increase their probability of a successful attack by bypassing defences designed to protect against “conventional” hacking.

Do most hacks include social engineering?

Yes. In general, any attack that relies on the participation of a system end-user involves some sort of social engineering aspect. Delivering malicious code that grants unauthorised access, for instance, is usually done through "phishing".

How do you defend against social engineering?

The best defence against social engineering attacks is to educate your end-users. Users must be made aware of both the threat and the methodology behind it. Social engineering attacks are designed to exploit the weaknesses in the way users think, and they all boil down to getting someone to do, or allow, something they should not. Users must therefore be taught to question requests from unknown sources. The top three best practices to include in your user awareness training are to:

  1. Verify that the person is who they claim.
  2. Verify that the person is a current employee or has a need-to-know relationship with the company.
  3. Verify that the person is authorised to make a request.