These assessments identify high-risk individuals and any organisational need for further awareness training. We can educate your workers on what to look out for in this type of scam. The email templates we use are designed following particular guidelines. We target a predetermined percentage of employees each month so that the campaign does not look suspicious; this targeting achieves the best results.
Testing your employees’ security awareness through a social engineering or phishing assessment gives you actionable steps to focus your security training. Each social engineering engagement is different and uniquely tailored to your organisation. Our techniques are:
- Open Source Intelligence – our team of professional analysts uses freely available information to fine-tune each ethical security attack and maximise the likelihood of a successful compromise, just as a malicious hacker would.
- Phishing or spear phishing attacks.
- Physical USB ‘drive’ drops – for example, malicious USBs left lying in the company car park.
- Impersonating employees.
- Phone-based scams.
- Dumpster Diving – searching through discarded documents and piecing together shredded papers to obtain confidential information.
The final report will include a list of all techniques we used, which worked and which did not. This information shows you what kind of tailored training needs to happen post-assessment.
Could you tell the difference between this phishing e-mail and a genuine Google e-mail?
It can be hard to tell the difference between a phishing e-mail and a genuine business e-mail.
What Is Phishing and Social Engineering?
Social engineering is the manipulation of your employees in the hope that they will reveal their private information to a cyber attacker. It is tricking the individual through various techniques into revealing their personal and financial data, which criminals can use for illegal activity.
The types of information attackers are trying to obtain vary. They are often looking for passwords, bank information, or a way to access your computer and install malicious software clandestinely. They can then use this spyware to read your passwords and bank information and take control of your computer.
Cyber criminals use social engineering because it is easier to exploit your employees’ instinct to trust than to find a way to hack your software. For example, it is much easier to dupe an individual into giving out their password than it is to crack that password, unless the password is weak.
Security involves knowing who or what to trust. You need to train your staff to be aware of the sophisticated tools cyber criminals are using to access your private business information.
These can be:
- An email from a friend. Suppose a cyber criminal socially engineers your employee’s email password. They then have access to that person’s contact list and social networking contacts. Once the attacker controls that email account, they send emails to all the victim’s contacts or leave messages on their friends’ social media pages. These messages often contain a link that you trust because it appears to come from a friend. The link leads to malware, so the cyber criminal can take over your machine and collect information. The message may instead offer a download of pictures, music, or video with malicious software embedded in it. The friend’s computer then becomes infected, the malware goes on to infect the computers of all their friends, and so on.
- An email from another trusted source. Typically these are criminals imitating financial institutions. Such phishing campaigns give your employees a plausible, valid-sounding reason to hand over their login details and passwords. You may receive a message saying a family member is in trouble in another country and you need to send money. You could receive an email from your bank saying your account is compromised and you need to log in again. There could be a message asking you to donate to charity.
- Baiting scenarios. Baiting is when cyber criminals trick you by offering something you want, such as a product or download. The download then infects your computer with malware, or the individual later finds their bank account is empty.
- All kinds of other techniques that aim to create distrust and chaos among your contacts.
These social engineering techniques of gaining information continue to increase as cyber criminals master more elaborate and subtle strategies to breach organisations’ data through their employees.
Attackers gain access to your business’ private information by manipulating your workers through phishing campaigns. An ethical cyber attack that ConnectDS carry out on your employees enables you to see where education is necessary. The whole process keeps you and your company secure.
The human being is the weakest element in your cyber security strategy. A single naive employee could ruin all the security solutions you have in place.
Our Approach to Phishing Assessments
ConnectDS have expert professional teams on hand in your local area who are masters in phishing and social engineering techniques. We help small and medium-sized businesses across the UK from our Surrey and London office locations.
ConnectDS provides your business with a variety of social engineering assessments. You can have an evaluation as a single event or an ongoing campaign. Regardless of the length of your campaign, we provide a customised service that we tailor to your requirements. The following list describes the aspects and options we offer to ensure we are a good fit for your organisation:
- Scope – Creating a targeted phishing campaign and defining a group of users within your company. Usually, we will target 20% of your employees for each email template we use. We cover all physical locations, sites, and departments.
- Targeting – In most cases we use white-box targeting: you supply us with the staff email addresses you want included in the assessment.
- Customisation – We have a variety of existing email templates and tailored content to choose from, including templates that imitate a regular supplier, a shipping company, Microsoft or the “IT Department”. Alternatively, we can generate something custom-made, created to target a specific department such as the “accounts” department, or copying a typical accounts email, such as a monthly payslip.
- Campaigns – Typically, we use a minimum of three different email templates per campaign, each of which targets a group of users at random times.
- Reporting – We create a summary of the campaign, which describes the number of clicks and points out the high-risk users.
- Presentation – We can provide both high-level and low-level presentations of our findings, to your wider management teams or to your technical management team alone.
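To make the scope, campaign and reporting options above concrete, here is an added example of the bookkeeping side of such an assessment. It is illustrative code written for this page, not ConnectDS’s own tooling, and it assumes a staff directory of hypothetical people (the `example.invalid` addresses, departments and sites are constructed) and a landing page that records which recipients clicked. It samples 20% of staff per template, spread across departments, schedules each template at a random time inside the campaign window, and produces the click-rate and high-risk-user summary that the report describes.

```python
import random
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed staff directory: hypothetical people, departments and sites.
STAFF = [
    {"email": "a.smith@example.invalid", "dept": "accounts", "site": "Surrey"},
    {"email": "b.jones@example.invalid", "dept": "accounts", "site": "Surrey"},
    {"email": "c.brown@example.invalid", "dept": "accounts", "site": "London"},
    {"email": "d.patel@example.invalid", "dept": "accounts", "site": "London"},
    {"email": "e.khan@example.invalid", "dept": "accounts", "site": "London"},
    {"email": "f.lee@example.invalid", "dept": "it", "site": "Surrey"},
    {"email": "g.davis@example.invalid", "dept": "it", "site": "London"},
    {"email": "h.evans@example.invalid", "dept": "it", "site": "London"},
    {"email": "i.moore@example.invalid", "dept": "sales", "site": "Surrey"},
    {"email": "j.clark@example.invalid", "dept": "sales", "site": "London"},
]
# Three templates per campaign, as the page describes (the names are constructed).
TEMPLATES = ["supplier_invoice", "parcel_delivery", "it_password_reset"]


def pick_targets(staff, fraction=0.20, rng=None):
    """Choose `fraction` of staff for one template, sampled per department so that
    every department is covered; a small department still contributes one person."""
    rng = rng or random.Random(0)
    by_dept = defaultdict(list)
    for person in staff:
        by_dept[person["dept"]].append(person)
    chosen = []
    for _dept, people in sorted(by_dept.items()):
        k = max(1, round(len(people) * fraction))
        chosen.extend(rng.sample(people, k))
    return chosen


def schedule(templates, staff, window_start=None, window_days=14, rng=None):
    """Build the send list: each template goes to its own 20% sample at a random
    time inside the campaign window, so the sends do not all land at once."""
    rng = rng or random.Random(0)
    window_start = window_start or datetime(2024, 1, 8)  # constructed start date
    sends = []
    for template in templates:
        for person in pick_targets(staff, rng=rng):
            offset = timedelta(minutes=rng.randrange(window_days * 24 * 60))
            sends.append({"template": template, "email": person["email"],
                          "send_at": window_start + offset})
    return sorted(sends, key=lambda s: s["send_at"])


def summarise(sends, clicks, high_risk_threshold=2):
    """Report: click rate per template, clicks per user, and the high-risk users
    (anyone who clicked on `high_risk_threshold` or more different templates)."""
    sent_by_template = Counter(s["template"] for s in sends)
    clicked_by_template = Counter()
    templates_clicked = defaultdict(set)
    for c in clicks:
        clicked_by_template[c["template"]] += 1
        templates_clicked[c["email"]].add(c["template"])
    return {
        "click_rate": {t: clicked_by_template[t] / n for t, n in sent_by_template.items()},
        "clicks_per_user": {e: len(ts) for e, ts in templates_clicked.items()},
        "high_risk_users": sorted(e for e, ts in templates_clicked.items()
                                  if len(ts) >= high_risk_threshold),
    }


def simulate_clicks(sends, click_probability=0.3, rng=None):
    """Constructed click events for the demo; in a real assessment these would be
    read from the landing page's logs."""
    rng = rng or random.Random(1)
    return [{"template": s["template"], "email": s["email"]}
            for s in sends if rng.random() < click_probability]


if __name__ == "__main__":
    sends = schedule(TEMPLATES, STAFF)
    report = summarise(sends, simulate_clicks(sends))
    for template, rate in report["click_rate"].items():
        print(f"{template:20s} click rate {rate:.0%}")
    print("high-risk users:", report["high_risk_users"])
```

Sampling per department rather than from the whole list is what keeps every site and department represented in a 20% sample; the "clicked on two or more templates" rule is one simple, defensible definition of a high-risk user for the follow-up training list.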
Whether you are searching for a one-time or continuous assessment of your employees, ConnectDS can collaborate with you to create a consultative campaign for social engineering testing. This assessment identifies your current position and locates your vulnerabilities. The information you receive will help your company prevent cyber criminals from accessing your confidential information and data.
Common FAQs about Social Engineering Assessment
Please see below for some common questions about our social engineering assessment. If you would prefer to speak to someone, give us a call and speak to one of our team in our Surrey or London offices.
WHAT IS A PHISHING TEST?
A phishing test is when a set of phishing emails is sent out to record which members of staff click a link to measure current awareness.
WHY ARE PHISHING TESTS IMPORTANT?
A phishing test is important as it gives a useful insight into the current awareness of certain scams within your organisation.
WHAT IS SOCIAL ENGINEERING?
Social engineering is tricking a user into revealing sensitive information.
WHAT IS SOCIAL ENGINEERING TESTING?
Social engineering assessments are a way of measuring the current susceptibility to social engineering within your organisation.
HOW TO AVOID SOCIAL ENGINEERING SCAMS
Actionable reporting followed by targeted training is an excellent way of reducing the risk of a successful social engineering attack on your business.
HOW TO PREVENT PHISHING?
Businesses need a strategy for the cyber security incidents that malicious phishing attempts cause. ConnectDS provide assessment services to identify the risk, and also provide managed solutions for end-user security training, advanced email protection and web content filtering. The best way of protecting your business is a layered approach.
WHAT IS AN EXAMPLE OF A PHISHING EMAIL?
Compelling phishing email subjects include: “Security Alert”, “Password Check Required Immediately”, “A Delivery Attempt was Made”.
WHAT DO I DO IF I RESPONDED TO A PHISHING EMAIL?
Immediately report the email as spam and delete it. Alert your IT or security team.
WHAT ARE COMMON SIGNS OF A PHISHING EMAIL?
Poor spelling, strange email addresses, links to other websites and monetary incentives are often used in phishing emails.
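The four signs listed above can be turned into a simple triage check. The following is an added example written for this page, not ConnectDS’s code: it takes a message’s From header, subject and HTML body and reports which indicators are present. The brand allow-list, keyword lists and misspelling list are small constructed placeholders (a real deployment would use much fuller lists), and the two sample messages are constructed for the demo.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholder lists; a real checker would use far larger ones.
KNOWN_BRANDS = {"google": {"google.com"}, "paypal": {"paypal.com"}}
URGENCY_WORDS = {"immediately", "urgent", "suspended", "verify now", "within 24 hours"}
MONEY_WORDS = {"refund", "prize", "payment", "invoice", "£", "$"}
COMMON_MISSPELLINGS = {"recieve", "acount", "verfy", "securty"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL or bare domain, lower-cased, without a leading www."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host.lower().removeprefix("www.")


def registrable(host):
    """Crude 'registrable domain': the last two labels (good enough for a demo)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(raw_from, subject, html_body):
    """Return the list of indicators found; an empty list means none of the four signs."""
    findings = []
    display, addr = parseaddr(raw_from)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Strange sender address: display name claims a brand, domain does not match.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in display.lower() and registrable(sender_domain) not in domains:
            findings.append(f"sender_domain_mismatch:{brand}->{sender_domain}")

    # 2. Links to other websites: the visible text names one host, the href another,
    #    or the link leaves the sender's own domain.
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        if not href:
            continue
        target = registrable(host_of(href))
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text.lower()):
            shown = registrable(host_of(text))
            if shown and shown != target:
                findings.append(f"link_text_host_mismatch:{shown}->{target}")
        if sender_domain and target != registrable(sender_domain):
            findings.append(f"link_offsite:{target}")

    # 3. Monetary incentives or pressure to act now.
    text = f"{subject} {re.sub(r'<[^>]+>', ' ', html_body)}".lower()
    if any(word in text for word in URGENCY_WORDS | MONEY_WORDS):
        findings.append("money_or_urgency")

    # 4. Poor spelling, checked against the constructed misspelling list.
    hits = sorted(set(re.findall(r"[a-z]+", text)) & COMMON_MISSPELLINGS)
    if hits:
        findings.append("misspelling:" + ",".join(hits))
    return findings


# Constructed sample messages (the .example domains are reserved, not real sites).
SUSPICIOUS = (
    "Google Security <security@google-alerts.example>",
    "Password Check Required Immediately",
    '<p>Your acount will be suspended. '
    '<a href="http://login.google-alerts.example/verify">https://accounts.google.com</a></p>',
)
BENIGN = (
    "IT Service Desk <helpdesk@example.org>",
    "Monthly maintenance window",
    '<p>Systems will be patched on Saturday. Details on the '
    '<a href="https://intranet.example.org/maintenance">intranet</a>.</p>',
)

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(sample[1], "->", phishing_indicators(*sample) or "no indicators")
```

Each indicator on its own is weak (plenty of genuine mail is urgent or links off-site), which is why the function returns the full list rather than a verdict: a message carrying two or more of these signs is the one worth reporting to the IT or security team.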
WHAT ARE EXAMPLES OF PHISHING ATTACKS?
An attempt to steal sensitive, personal or business information by posing as a trusted entity in an email.