The purpose of Social Engineering is to evoke and analyze human response to deception. This consists of impersonating a trusted individual or organization in an attempt to gain access to information and/or a company’s infrastructure. This practice allows us to evaluate the effectiveness of a company’s policies, network security design, and controls, and to identify implementation weaknesses, so that we understand the internal vulnerabilities that may exist. Our security engineers conduct a focused review of:
Publicly identifying information about a company and its employees.
Human response to requests against specific regulatory and corporate security policies.
Risk associated with disseminated employee data and information.
Phishing – Targeted email campaigns.
Vishing – Pre-text calling.
Smishing – SMS text messages.
Physical – Gaining physical access to facilities or sensitive areas by avoiding operational security controls and procedures.
We gather information to develop contact lists of employee phone numbers and email addresses, and then encourage those contacts to open a malicious payload or enter their credentials. We also gather information that allows us to gain physical access to a company’s internal spaces.
Develop email campaigns impersonating trusted individuals at a company and send contacts malicious attachments or links to fake websites.
Develop call scripts impersonating trusted individuals at a company and request personal information or direct the contact to malicious attachments or fake websites.
Create SMS scripts impersonating trusted individuals at a company and request personal information or direct the contact to malicious attachments or fake websites.
Gather information on company badges, dress code, peak traffic times, security, points of entry, etc. We attempt to gain access to facilities or sensitive areas by evading security policies and processes, and subsequently document the physical access.