The objective in email-based social engineering (“phishing”) is to test user security awareness by manipulating target individuals to perform malicious actions or provide sensitive information over email. This is accomplished using a variety of standard scenarios or custom-tailored situations. The content used in these scenarios ranges from generic, spam-like messages to customer-specific emails that are designed to appear to originate from internal users, third-party service providers, or customers. The goal is to obtain user credentials or gain direct system access, though reduced or alternative goals may be specified.
o Understand how vulnerable your employees are to social engineering scams such as spear phishing and business email compromise (BEC) attacks.
o Learn what an attacker could find out about your company and employees from freely available information.
o Put your organization's cybersecurity controls to the test to ensure they can effectively detect and defend against phishing attacks.
A simulated phishing assessment can be used to highlight good and poor security practices and areas for improvement.
The results of a simulated social engineering assessment can be used to improve employee security awareness training programs.
Surveys show time and again that phishing campaigns are a permanent part of the threat landscape, and your security team needs the proper tools and knowledge to mitigate this attack vector. It is important to state that phishing attacks cannot be prevented purely through technical means. Real-life incidents show the creativity of attackers: they often have deep knowledge of how the victim's corporate environment works and find the weak spots where an employee can be exploited through a custom-crafted email. Our phishing campaigns can also be custom tailored to the specific exploitable workflows of your environment, just as a real APT would do, so that you can truly understand your company's security posture against these threats. The results then feed the other kind of campaign, the awareness campaign, giving it a higher success rate among employees. Our key to success is making your employees the main weapon against real phishing attacks.
Endpoint Compromise - campaigns that contain malicious documents
Every day, hundreds of thousands of attachments are downloaded and opened by employees with no regard for the sender or the type of file opened, relying on security tools to prevent any kind of security breach. Endpoint compromise is often achieved through this kind of file-handling oversight, and the results are often disastrous. We can help prevent these dangers and raise awareness of them by actively running red team campaigns with malicious documents that are part of complex custom scenarios created specifically for your corporate environment, blending in just as a real attack would. These campaigns show you how vulnerable you could be in a real attack, without the damaging consequences. They also help your security team focus on and build a workflow around mitigating these kinds of malicious files, by following our recommendations, which depend heavily on your current security posture.
A typical social engineering assessment involves:
o Using open-source intelligence (OSINT) collection techniques, our team of ethical hackers seeks to identify valuable company and employee information that could be used to target your company and improve the success rate of a simulated social engineering assessment.
o Using their knowledge of the latest social engineering tactics, our experts carefully prepare your phishing test to ensure that it is as authentic as possible and has the best chance of reaching its target.
o We run the phishing test and, if it is part of the assessment, we impersonate all compromised users to extend network privileges and make fraudulent requests, such as those common in sales fraud and Business Email Compromise attacks.
o Upon completion of the social engineering operation, we document the results and provide prioritized recommendations to address the identified risks and improve security awareness training programs.
Frequently asked questions about social engineering and phishing