Social Engineering Testing
Real Attacks Simulation, Remediation Advice and Practical Aid
With 19 years in cybersecurity and Certified Ethical Hackers on board, ScienceSoft helps companies evaluate and increase their employees’ resilience to social engineering attacks.
Social engineering penetration testing imitates the approach and techniques intruders use to trick employees into divulging sensitive information or enabling security system breaches. It helps evaluate your employees’ security awareness and adherence to security practices, including under the pressure of intimidation or urgency. Social engineering testing can come as a part of comprehensive penetration testing or as a separate service.
ScienceSoft’s Penetration Testing Consultant, CEH Uladzislau Murashka shares his experience:
"To test user behavior in case of phishing attacks (the most frequent type), we use:
- Malicious emails sent to multiple employees.
- Emails sent to specific employees responsible for high-level decisions.
- Email attacks targeting the C-suite.
- Manipulative phone calls.
- Manipulative mobile text messages."
Social Engineering Tactics We Apply
Imitating cybercriminals, ScienceSoft uses persuasion techniques to make social engineering engagements plausible.
- Posing as an authoritative person (e.g., a police official or the company's CEO) to pressure your employees into fulfilling the required action.
- Threatening with severe consequences if certain actions are not performed.
- Implying that a required action is what many people do.
- Making a time- or quantity-limited offer to cause a subconscious desire to accept it.
- Calling to immediate action to make your employees act without thinking.
- Impersonating people your employees like or have met before.
Below we describe typical steps ScienceSoft takes during social engineering testing projects:
Depending on the customer’s testing needs, we define:
- The type(s) of social engineering attacks.
- Target employees to test.
- The timing of the attack.
In the case of black box social engineering pentesting, we collect information about the company, its employees and business partners the same way real attackers would: from open sources (business registers, listings, social media, press releases, newsletters, etc.).
If ScienceSoft and the client agree on a white box approach, we request the necessary information from the company’s representatives.
We create a story behind the attack and prepare the texts for malicious emails, manipulative SMS or phone calls.
ScienceSoft’s ethical hackers run one or several social engineering attacks on the target employees.
We analyze the testing findings and provide a final report containing:
- An overview of employees’ security knowledge gaps and risky behavior.
- Information disclosed by the employees.
- Identified vulnerabilities, e.g., inefficient email filtering.
- Potential threats posed by cybercriminals exploiting the security gaps.
- Remediation recommendations.
Additionally, we can perform remediation activities to help reduce the risk posed by real social engineering attacks:
- Preparing and/or conducting cybersecurity training for employees with a focus on vulnerabilities revealed during the testing.
- Installing and configuring security components: firewalls, email security and antivirus software, a data loss prevention system, etc.
Our Customers Say
ScienceSoft provided us with the proper documentation agreed upon during the initial stages. They had quick turnaround times for pentesting, less than 2 weeks! ScienceSoft Sales team works with you until all services are complete. I highly recommend ScienceSoft.
Daniel Diaz, BS, Documentation and Compliance Specialist, RealTime-CTMS
We had used ScienceSoft as our PenTest company. The experience that we had was very good. ScienceSoft accomplished the pentest in a very professional manner and on time. Personally, I had only positive impressions from working with the team. Scout is looking forward to working with ScienceSoft in the future.
Ross Shamelashvili, Manager, Development Operations, Scout, a Workday company
- 19 years in cybersecurity.
- IBM Business Partner since 2003.
- 150+ IT security assessment and consulting projects for healthcare, finance, manufacturing, telecom and other industries.
- Certified Ethical Hackers on board.
- Efficient quality management and customers’ data security confirmed by ISO 9001 and ISO 27001 certificates.
- ScienceSoft USA Corporation is listed among The Americas’ Fastest-Growing Companies 2022 by the Financial Times.
Preventing Social Engineering: Challenges We Handle
It is difficult to create lifelike test conditions to see how employees would respond to malicious psychological manipulation.
We ensure that employees are unaware of the testing, and we follow all the steps real-world attackers take:
- Gathering information about the company and target employees from open sources.
- Creating a story for the attack that is easy to buy into.
- Sending real emails and SMS, making real phone calls.
It is difficult to build email security strong enough to recognize and resist phishing emails.
ScienceSoft helps reinforce email security by implementing and configuring:
- SPF (Sender Policy Framework) to specify the servers and domains authorized to send emails on behalf of the company.
- DMARC (Domain-based Message Authentication, Reporting and Conformance) to protect the domain from being used in business email compromise attacks.
- DLP (Data Loss Prevention) tools to block the transmission of sensitive data.
- Email server anti-malware protection, such as attachment scanning and/or sandboxing.
Social Engineering Testing: Success Stories by ScienceSoft
Pentesting and Social Engineering Testing for Reconice to Improve ePHI Security
As part of IT infrastructure pentesting for a speech recognition software provider, ScienceSoft imitated a phishing attack against the Customer’s staff to check their ability to recognize and withstand social engineering techniques.
Vulnerability Assessment, Pentesting, and Social Engineering Testing for a Retail Bank
As a result of mock phishing attacks, ScienceSoft’s ethical hackers convinced 65% of targeted employees to send personal data via email. ScienceSoft recommended that the Customer hold security training sessions for employees.
Code Review, Pentesting and Social Engineering Testing for an Award-Winning IT Company
To find as many security gaps endangering the Customer's cloud application as possible, ScienceSoft combined source code review and penetration testing with social engineering testing.
Network Pentesting and Social Engineering Testing for a Mobile Operator
During a pentesting project, ScienceSoft simulated phishing attacks to check whether potential intruders could use social engineering to break into the Customer's network.
Social engineering testing
We plan, prepare and stage social engineering attacks in 3 days, as well as advise on raising employees' security awareness.
Social engineering testing and remediation
We help remediate social engineering risks identified as a result of mock social engineering attacks.
Why Social Engineering Is the Number One Cybersecurity Concern
Social engineering has proven to be the most efficient way to get around a company’s cyberdefense:
$4.65 million is the average cost of a breach caused by phishing.
Protect Your Company Against Social Engineering Attacks
ScienceSoft’s ethical hackers create a real-world experience of human-based cyber attacks to help you evaluate and minimize social engineering risks.