Social Engineering Services
Real Attacks Simulation, Remediation Advice and Practical Aid
With 20 years in cybersecurity and Certified Ethical Hackers on board, ScienceSoft helps companies evaluate and increase their employees’ resilience to social engineering attacks.
Schedule a call
Social engineering testing helps evaluate your employees’ security awareness and adherence to security practices, including under the pressure of intimidation or urgency. It imitates the approach and techniques intruders use to trick employees into divulging sensitive information or enabling security system breaches.
Types of Social Engineering Attacks ScienceSoft Simulates
Phishing
Malicious emails sent to multiple employees.
Spear phishing
Emails sent to a specific employee(s) responsible for high-level decisions.
Whaling
Email attacks targeting the C-suite.
Fraudulent emails from hacked accounts of high-level employees, business partners, or suppliers.
Vishing
Manipulative phone calls.
Smishing
Manipulative mobile text messages.
To test user behavior in case of phishing attacks (the most frequent type), we use:
- Emails with malicious URLs to check if the user clicked them.
- Emails with fake invitations and forms, including login forms to check if the user filled them.
- Emails with executable files to check if the user downloaded and/or installed them.
Social Engineering Tactics We Apply
Imitating cybercriminals, ScienceSoft uses persuasion techniques to make social engineering engagements plausible.
Authority
Posing as an authoritative person (e.g., a police official or the company's CEO) to pressure your employees into fulfilling the required action.
Intimidation
Threatening with severe consequences if certain actions are not performed.
Social proof
Implying that a required action is what many people do.
Scarcity
Making a time- or quantity-limited offer to cause a subconscious desire to accept it.
Urgency
Calling for immediate action to make your employees act without thinking.
Familiarity
Impersonating people your employees like or have met before.
Social Engineering Testing Scenarios
Like real attackers, our professionals come up with credible stories based on the information they have about the company and the target employees. Below are a few sample scenarios that work well in the corporate environment.
Tech support scam
An employee gets an email or a call from a “tech support specialist” asking them to enable remote access to workstations, download and install software updates, use a new account password, etc. As a result, the attacker can gather sensitive info about the device, hijack user accounts, infect the whole network with malware, and so on.
HR scam
A fake email or call from the internal HR department may trick employees into revealing their sensitive info, such as medical records, bank accounts, and social security numbers. Another possible scenario: under the pretext of the upcoming team building or another corporate event, employees get a questionnaire or a registration form where they need to enter their work credentials. In case of success, the attackers can steal the victim’s account and operate within the company’s IT infrastructure.
CEO fraud
Impersonating the company’s CEO, attackers can contact employees in the accounting department and request sending sensitive financial info or making a money transfer to a certain account. Attackers may also reach HR specialists and ask for personal information about any employees.
Fake job offers
Very often, cybercriminals contact their victims via LinkedIn. They may impersonate the representatives of legitimate companies and attempt to redirect job seekers to malicious websites. In other cases, after an interview, fraudsters send an employment form asking for detailed personal information, including a home address, social security number, and bank account data.
Social Engineering Testing Pros and Cons You Should Consider
Social engineering assessment is an efficient tool to reveal human vulnerabilities: security knowledge gaps and unsafe behavior. It prepares your company to resist widespread phishing and vishing attacks. However, in some cases, it may have adverse effects on your organization.
Benefits
- True-to-life experience of social engineering attacks to see if your security tools and employees can recognize and handle malicious messages and calls.
- Understanding your social engineering risks: if your business is likely to suffer from a human-based attack and what damage it can do.
- Well-targeted improvements of your security program and policy, technology and employee awareness training based on the social engineering assessment results.
- Preventing data breaches and IT infrastructure infiltration that may follow in case of a successful phishing or vishing attack.
Risks
- Employees’ embarrassment: the ones who turned out to be the “weak link” are likely to be overwhelmed with guilt.
- Managers’ frustration that may result in maltreating or even firing the employees who failed the test.
- Risks related to vendor incompetence: sensitive data exposure, unethical behavior of the testers, etc.
With our security professionals, you will avoid the common pitfalls of social engineering pen testing. We explain how to deal with its findings in a constructive way, without finger-pointing. We help ensure that your social engineering awareness training empowers your staff with actionable knowledge on how to handle modern cyber threats. Plus, as we rely on best security assessment practices and an ISO 27001-certified security management system, we guarantee controlled activities and your data safety.
Social Engineering Testing Steps
Below we describe typical steps ScienceSoft takes during social engineering penetration testing projects:
1
Planning
Depending on the customer’s testing needs, we define the following:
- The type(s) of social engineering attacks.
- Target employees to test.
- The timing of the attack.
2
Reconnaissance
In case of black box social engineering pentesting, we collect information about the company, its employees, and business partners the same way the real attackers would do: from open sources (business registers, listings, social media, press releases, newsletters, etc.).
If ScienceSoft and the client agree on the white box approach, we request the necessary information from the company’s representatives.
3
Attack preparation
We create a story behind the attack and prepare the texts for malicious emails, manipulative SMS, or phone calls.
4
Attack simulation
ScienceSoft’s ethical hackers run one or several remote social engineering attacks on the target employees.
5
Reporting
We analyze the testing findings and provide a final report containing:
- An overview of employees’ security knowledge gaps and risky behavior.
- Information disclosed by the employees.
- Identified vulnerabilities, e.g., email filtering inefficiency.
- Potential threats of exploiting the security gaps by cyber criminals.
- Remediation recommendations.
+
Additionally, we can perform the remediation activities to help reduce the risk in case of real social engineering attacks:
- Preparing and/or conducting cybersecurity training for employees with a focus on vulnerabilities revealed during the testing.
- Installing and configuring security components: firewalls, email security tools, antivirus software, a data loss prevention system, etc.
Why Choose ScienceSoft as Your Social Engineering Testing Company
- 20 years in IT security, Certified Ethical Hackers in the team.
- A solid portfolio of security assessment projects for healthcare, finance, manufacturing, telecommunications, and other industries.
- Hands-on experience with HIPAA, PCI DSS, GDPR, SOC 2, NIST SP 800-53, GLBA, SOX, and other security standards and regulations.
- Recognized as Top Penetration Testing Company by Clutch.
- ISO 9001-certified mature quality management to guarantee smooth cooperation and value-driving results.
- 100% safety of our customers' data ensured by ISO 27001-certified security management system.
- For the second straight year, ScienceSoft USA Corporation is listed among The Americas’ Fastest-Growing Companies by the Financial Times.
Our customers in cybersecurity
Preventing Social Engineering Attacks: Top Concerns, Answered
How can we get a real view of employees' resilience to social engineering attacks?
We ensure that employees are unaware of testing and can follow all the steps of real-world attackers:
- Gathering information about the company and target employees from open sources.
- Creating a story for the attack, which is easy to buy into.
- Sending real emails and SMS, making real phone calls.
How can we ensure strong email security to recognize and resist phishing emails?
ScienceSoft helps reinforce email security by implementing and configuring:
- SPF (Sender Policy Framework) to specify the servers and domains authorized to send emails on behalf of the company.
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) to protect the domain from being used in business email compromise attacks.
- DLP (Data Loss Prevention) tools to block the transmission of sensitive data.
- Email server anti-malware protection, such as attachment scanning and/or sandboxing.
Social Engineering Testing: Selected Projects by ScienceSoft
Pentesting and Social Engineering Testing for Reconice to Improve ePHI Security
As part of IT infrastructure pentesting for a speech recognition software provider, ScienceSoft imitated a phishing attack against the Customer’s staff to check their ability to recognize and withstand social engineering techniques.
Vulnerability Assessment, Pentesting, and Social Engineering Testing for a Retail Bank
As a result of mock phishing attacks, ScienceSoft’s ethical hackers convinced 65% of targeted employees to send personal data via email. ScienceSoft recommended that the Customer hold security training sessions for employees.
Code Review, Pentesting, and Social Engineering Testing for an Award-Winning IT Company
To find maximum security gaps endangering the Customer's cloud application, ScienceSoft combined source code review and penetration testing with social engineering testing.
Network Pentesting and Social Engineering Testing for a Mobile Operator
During a pentesting project, ScienceSoft simulated phishing attacks to check if potential intruders can use social engineering to break into the Customer's network.
IT Security Assessment for a US Insurance Marketplace
ScienceSoft performed a comprehensive security assessment for an InsurTech company, conducting gray box penetration testing of a web application and APIs and a security audit of AWS infrastructure. To evaluate the Customer’s employees’ cyber resilience, ScienceSoft’s team simulated phishing and vishing attacks.
Red Team Penetration Testing for a US K-12 School
To simulate a targeted real-world cyberattack on a prestigious private school, ScienceSoft's Certified Ethical Hackers performed OSINT, pentesting, phishing, and vishing.
Network Pentesting and a Phishing Campaign for a US Healthcare Provider
ScienceSoft conducted penetration testing of internal and external network components for a large US healthcare provider with 10+ facilities. To check the probable social engineering attack scenarios, ScienceSoft’s team simulated email phishing attacks, targeting the C-suite and department managers.
Social Engineering Service Options ScienceSoft Offers
Social engineering testing
We plan, prepare and stage social engineering attacks in 3 days, as well as advise on raising employees' security awareness.
Social engineering testing and remediation
We help remediate social engineering risks identified as a result of mock social engineering attacks.
Why Social Engineering Is a Cybersecurity Concern Number One
Social engineering risks embrace all the negative consequences of security breaches: theft of valuable assets like intellectual property and money, public embarrassment, loss of client trust, operational downtime, litigations, and fines for non-compliance. At the same time, the success rate of social engineering attacks is incredibly high. It remains the most efficient way to get around a company’s cyber defense.
|
82% of security breaches involve the human element. (Verizon Data Breach Report) |
90% of cyber attacks target a company’s employees, not technology (Arctic Wolf) |