Social Engineering Assessment

How Can A Social Engineering Assessment Help?

ConnectDS offers assessments that make you aware of vulnerabilities in your company caused by gaps in your workers' security awareness. Our Social Engineering Assessment, also known as a Phishing Assessment, finds gaps in your security awareness training and identifies where more education is needed. This training helps stop your staff from falling victim to scams. Our social engineering campaigns measure how susceptible employees are to clicking links in emails that mimic those sent by cyber criminals, with safe rather than malicious intent.

These assessments identify high-risk users and any organisation-wide need for further awareness training. We then educate your workers on what to look out for in this type of scam. The email templates we use follow particular guidelines, and we target a predetermined percentage of employees each month so that the campaign does not look suspicious. This targeting achieves the best results.

Testing your employees' security awareness with a social engineering or phishing assessment gives you actionable steps to focus your security training. Each Social Engineering engagement is different and uniquely tailored to your organisation. Our techniques are:

  • Open Source Intelligence – our team of professional analysts uses freely available information to fine-tune each ethical security attack and maximise the likelihood of a successful compromise, just as a malicious hacker would.
  • Phishing or Spear Phishing attacks.
  • Physical USB ‘Drive’ Drops – for example, malicious USBs lying in the company car park.
  • Impersonating employees.
  • Phone-Based scams.
  • Dumpster Diving – searching through discarded documents and piecing together shredded papers to obtain confidential information.

The final report will include a list of all techniques we used, which worked and which did not. This information shows you what kind of tailored training needs to happen post-assessment.

What Is Social Engineering?

Social engineering is the manipulation of your employees in the hope that they will reveal private information to a cyber attacker. It tricks the individual, through various techniques, into revealing personal and financial data that criminals can use for illegal activity.

The information these people are trying to obtain varies. They are often looking for passwords, bank details, or a way to access your computer and install malicious software clandestinely. They can then use this spyware to access your passwords and bank information and take control of your computer.

Cyber criminals use social engineering because it is easier to exploit your employees' instinct to trust than to find ways to break your software. For example, it is much easier to dupe an individual into giving out their password than to crack it, unless the password is weak.

Security involves knowing who or what to trust. You need to train your staff to be aware of the sophisticated tools cyber criminals are using to access your private business information.

These can be:

  1. An email from a friend. Suppose a cyber criminal socially engineers your employee's email password. They then have access to that person's contact list and social networking contacts. Once the attacker controls that email account, they send emails to all the victim's contacts or leave messages on all their friends' social media pages. These messages often contain a link that you trust because it appears to come from a friend. The link leads to malware, so the cyber criminal can take over your machine and collect information. The message may instead offer a download of pictures, music, or video with malicious software embedded in it. The friend's computer becomes infected, the malware goes on to infect the computers of all their friends, and on and on it goes.
  2. An email from another trusted source. Typically these are criminals imitating financial institutions. They are called phishing campaigns and give your employees a logical and valid-sounding reason to hand over their login details and passwords. You may receive a message saying a family member is in trouble in another country and you need to send money. You could receive an email from your bank saying your account is compromised and you need to log in again. There could be a message asking you to donate to charity.
  3. Baiting scenarios. Baiting is when cyber criminals trick you by offering something you want, such as a product or download. The download then infects your computer with malware, or the individual later finds their bank account empty.
  4. There are all kinds of other techniques that aim to create distrust and chaos among your contacts.

These social engineering techniques continue to multiply as cyber criminals master more elaborate and subtle strategies to breach organisations' data through their employees.

Attackers gain access to your business' private information by manipulating your workers through phishing campaigns. An ethical cyber attack that ConnectDS carries out on your employees shows you where education is necessary. The whole process keeps you and your company secure.

The human being is the weakest element in your cyber security strategy. A single naive employee could ruin all the security solutions you have in place.


Our Approach

ConnectDS have expert professional teams on hand in your local area who are masters in social engineering techniques. We help small and medium-sized businesses all over the UK from our bases in London and Surrey.

ConnectDS provides your business with a variety of social engineering assessments. You can have an evaluation as a single event or an ongoing campaign. Regardless of the length of your campaign, we provide a customised service that we tailor to your requirements. The following list describes the aspects and options we offer to ensure we are a good fit for your organisation:

  • Scope – Creating a targeted email campaign and defining a group of users within your company. Usually we target 20% of your employees for each email template we use, covering all physical locations, sites, and departments.
  • Targeting – In most cases we take a white-box approach: you supply us with the staff email addresses you want to include in the assessment.
  • Customisation – We offer a variety of existing email templates and tailored content, including templates modelled on a regular supplier, a shipping company, Microsoft or the “IT Department”. Alternatively, we can create something custom-made to target a specific department, such as “accounts”, by copying a typical accounts email like a monthly payslip.
  • Campaigns – Typically we use a minimum of three different email templates per campaign, each targeting a group of users at random times.
  • Reporting – We create a summary of the campaign that gives the number of clicks and points out the high-risk users.
  • Presentation – We can provide both high-level and low-level presentations of our findings to your management teams, or to your technical management team alone.
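The Reporting bullet above describes the output of a campaign in terms of click counts and high-risk users. The script below is an added example, not ConnectDS's own tooling, showing how a defender might turn a per-user, per-template result log from a simulated campaign into that summary: click rate per template and per department, the rate at which staff reported the email (the metric you want to rise over successive campaigns), and the list of users who clicked on two or more distinct lures. All event data is constructed for illustration; the field names and thresholds are assumptions.

```python
"""Phishing-simulation campaign report (added example, not ConnectDS code).

Input: one event row per (user, template) pairing from a simulated campaign.
Fields: user, department, template, clicked, reported. All sample data
below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    user: str
    department: str
    template: str
    clicked: bool   # did the recipient follow the link in the simulated email?
    reported: bool  # did the recipient report the email to IT/security?


# Constructed sample: three templates, four users across two departments.
SAMPLE_EVENTS = [
    Event("alice", "accounts", "payslip", True, False),
    Event("alice", "accounts", "it-dept-password-reset", True, False),
    Event("alice", "accounts", "parcel-delivery", False, True),
    Event("bob", "accounts", "payslip", False, True),
    Event("bob", "accounts", "it-dept-password-reset", False, True),
    Event("bob", "accounts", "parcel-delivery", False, False),
    Event("carol", "sales", "payslip", True, False),
    Event("carol", "sales", "it-dept-password-reset", False, False),
    Event("carol", "sales", "parcel-delivery", False, False),
    Event("dave", "sales", "payslip", False, False),
    Event("dave", "sales", "it-dept-password-reset", True, True),
    Event("dave", "sales", "parcel-delivery", True, False),
]


def click_rate_by(events, key):
    """Fraction of recipients who clicked, grouped by an Event attribute
    ('template' or 'department'). Returns {group: rate rounded to 3 dp}."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    for e in events:
        group = getattr(e, key)
        sent[group] += 1
        clicked[group] += e.clicked
    return {g: round(clicked[g] / sent[g], 3) for g in sent}


def report_rate(events):
    """Fraction of simulated emails that were reported to IT/security,
    whether or not the recipient also clicked. A rising report rate is the
    positive signal a defender looks for across successive campaigns."""
    return round(sum(e.reported for e in events) / len(events), 3)


def high_risk_users(events, min_clicks=2):
    """Users who clicked on at least `min_clicks` distinct templates.
    Repeat clicking across different lures is the assumed trigger for
    one-to-one follow-up training rather than a generic reminder."""
    clicks = defaultdict(set)
    for e in events:
        if e.clicked:
            clicks[e.user].add(e.template)
    return sorted(u for u, t in clicks.items() if len(t) >= min_clicks)


def campaign_summary(events):
    """The campaign summary a report would be built from."""
    return {
        "by_template": click_rate_by(events, "template"),
        "by_department": click_rate_by(events, "department"),
        "report_rate": report_rate(events),
        "high_risk_users": high_risk_users(events),
    }


if __name__ == "__main__":
    for name, value in campaign_summary(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

Grouping by department as well as by template is what lets the post-assessment training be targeted: a lure that works only on one department points to a department-specific briefing, whereas a high overall click rate on a password-reset lure points to organisation-wide training.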

Whether you are looking for a one-time or continuous assessment of your employees, ConnectDS can work with you to design a consultative social engineering testing campaign. The assessment establishes your current position and locates your vulnerabilities, and the information you receive will help your company prevent cyber criminals from accessing your confidential information and data.

A phishing test sends a set of simulated phishing emails to staff and records which members of staff click a link, in order to measure current awareness.

A phishing test is important as it gives a useful insight into the current awareness of certain scams within your organisation.

Social engineering is tricking a user into revealing sensitive information.

Social engineering assessments are a way of measuring the current susceptibility to social engineering within your organisation.

Actionable reporting followed by targeted training is an excellent way of reducing the risk of a successful social engineering attack on your business.

Advanced email protection and web content filtering, combined with well-trained employees, is the best way of preventing phishing within your organisation.

Compelling phishing email subjects include: “Security Alert”, “Password Check Required Immediately”, “A Delivery Attempt was Made”.

Immediately report the email as spam and delete it. Alert your IT or security team.

Poor spelling, strange sender addresses, links to unrelated websites and monetary incentives are common signs of a phishing email.

Phishing is an attempt to steal sensitive personal or business information by posing as a trusted entity in an email.

Interested in making your business more secure with a social engineering assessment?

Please talk to our team for more information about Phishing and Social Engineering Assessments in Guildford, Surrey, London and across the UK.
