Key Challenges & Social Engineering Examples
Social engineering has become a common tactic for threat actors to gain access to sensitive information in today's evolving threat landscape. A 2022 report by the UK government's Cyber Security Breaches Survey showed that nearly 39% of UK businesses and charities were targeted by social engineering attacks in the past year.
These attacks are designed to exploit weaknesses in an organisation's people and processes, which makes them harder to detect and prevent than traditional attacks that exploit technology. Common forms include quid pro quo, baiting, email phishing, voice phishing (vishing), smishing, whaling, tailgating, pretexting, impersonation, road apples and business email compromise (BEC).
Accordingly, organisations often invest the largest share of their security budget in technology, which makes the technology the hardest element to breach. The question, then, is how to reduce attacks on people and processes. The answer is not far-fetched: test them through simulated social engineering engagements and stay up to date with the latest social engineering tactics.
Types of Social Engineering Testing
On-Site Tests:
Onsite social engineering tests are designed to evaluate an organisation's security posture against social engineering attacks that occur on-premises. Some types of onsite social engineering tests that organisations can perform:
- Tailgating: The social engineer attempts to follow an employee through a secure door or checkpoint without proper authorisation.
- Badge cloning: The social engineer attempts to gain access to secure areas by copying an employee's ID badge.
- Physical security bypass: The social engineer attempts to circumvent physical security measures, such as cameras and security guards, to gain access to secure areas.

Off-site Tests:
Offsite social engineering tests evaluate an organisation's security posture against remote attacks, such as phone or email attacks. They involve a simulated attack against the organisation's employees or infrastructure without physical presence. Some types of offsite social engineering tests include:
- Phishing emails: The social engineer sends fraudulent emails that appear to be from a reputable source to trick the recipient into divulging sensitive information, such as login credentials or financial data.
- Vishing: The social engineer makes phone calls, posing as a trusted third party, to gain access to sensitive information.
- Smishing: The social engineer sends text messages that appear to be from a reputable source to trick the recipient into divulging sensitive information.

Risk Crew's Bespoke Social Engineering Penetration Test
Risk Crew has over 15 years of experience in designing and implementing successful simulated social engineering attacks across various business sectors. Our skilled social engineering artists can address all attack vectors related to your business's employees, vendors and stakeholders. We customise each project's time scale and objectives and follow a strict methodology to ensure that all objectives are met within the agreed budget. Our social engineering assessments are conducted using the following information-gathering methods.

Dedicated Social Engineers
Our experienced security testing engineers have worked for leading global organisations and implemented detailed social engineering testing methodologies, ensuring they can effectively assess your business's capabilities to detect and mitigate attacks against your systems.

On-call Advice Assistance
We don't just stop at delivering a comprehensive report. We go the extra mile by offering expert advice and support for 30 days after the report submission. Our team is on standby to help answer any questions or concerns that arise during the implementation of remedial actions to minimise risks and safeguard your systems.

Detailed Report
Our reports are bespoke and provide details of the specific vulnerabilities identified, how they were identified, the methods and tools used to identify them, and visual evidence where applicable. This is not a template but a carefully curated document that defines objectives and provides measurable results.

Customer Promise
With Risk Crew's social engineering penetration testing solution, you can expect an unmatched level of service that comes with a 100% satisfaction guarantee. Our testing methodology is designed to identify potential vulnerabilities and security risks that may otherwise go undetected.

Workshop for Stakeholders
To guarantee that relevant business stakeholders understand the report's results, we present them in a workshop. The workshop serves as an opportunity to engage with stakeholders and address any concerns they may have.

Retesting Included
We offer to retest to verify that remedial actions were effective. Upon completion, we'll provide you with a summary report verifying that remedial measures have been implemented.

Our Qualifications
Best Practice
Risk Crew follows best practices including OWASP and NIST

Accredited
Engineers carry CREST, C√SS, C|EH and GIAC credentials

Certified
Engineers hold CISSP, CISM and CRISC certifications

Subject Matter Experts
Risk Crew engineers are SMEs with published articles in industry journals & magazines

Benefits of Conducting Regular Social Engineering Tests
- Benchmarking the security awareness level of your end-users
- Identifying operational and business process weaknesses that could be exploited for unauthorised access
- Spotting vulnerabilities that may have been overlooked in your people, processes and policies
- Providing invaluable insights into the actual level of security that your information security risk management programme provides
Frequently Asked Questions
- Helpfulness: Our innate willingness to want to help others.
- Obedience: Our inclination to comply with the law, or with a direct request or order from someone in a perceived position of authority.
- Fear: An unpleasant emotion caused by the idea that something or someone can cause us harm.
- Greed: A selfish desire for personal gain.

- Pretexting: Masquerading as someone else.
- Baiting: Enticing the victim with promises of something of value.
- Blackmailing: Threatening to reveal something that the target wishes to be kept secret.
- Offering Quid Pro Quo: Promising something to the victim in exchange for the victim's help.

- Verify that the person is who they claim to be.
- Verify that the person is a current employee or has a need-to-know relationship with the company.
- Verify that the person is authorised to make the request.
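As an added illustration (not part of Risk Crew's material), a help-desk request gate that applies the three checks above against a constructed directory; the record fields, the vendor relationship and the operator-set callback flag are assumptions about how such a desk would record them:

```python
from dataclasses import dataclass

# Constructed sample directory (assumption): who exists, whether the record is current,
# the contact number the organisation already holds, and what each person may request.
DIRECTORY = {
    "a.jones": {"active": True, "relationship": "employee", "phone": "+44 20 7946 0001",
                "authorised": {"password_reset", "visitor_badge"}},
    "b.smith": {"active": False, "relationship": "employee", "phone": "+44 20 7946 0002",
                "authorised": {"password_reset"}},
    "vendor.acme": {"active": True, "relationship": "vendor", "phone": "+44 20 7946 0003",
                    "authorised": {"visitor_badge"}},
}

@dataclass
class Request:
    claimed_id: str        # who the caller says they are
    callback_number: str   # number the caller asks the desk to use
    action: str            # what the caller wants done
    callback_confirmed: bool = False  # operator reached them on the directory-listed number

def verify_request(req: Request, directory=DIRECTORY) -> tuple[bool, list[str]]:
    """Apply all three checks and report every failure, so the reviewer sees the whole picture
    rather than just the first problem."""
    failures: list[str] = []
    rec = directory.get(req.claimed_id)
    if rec is None:
        return False, ["unknown identity: no directory record"]
    # 1. Identity: only a callback on the number we already hold counts; a caller-supplied
    #    number proves nothing, because an impersonator will happily answer their own phone.
    if req.callback_number != rec["phone"] or not req.callback_confirmed:
        failures.append("identity not confirmed through directory-listed callback")
    # 2. Current employee or need-to-know relationship: stale records fail closed.
    if not rec["active"]:
        failures.append(f"{rec['relationship']} record is inactive")
    if rec["relationship"] not in {"employee", "vendor"}:
        failures.append("no need-to-know relationship on record")
    # 3. Authorisation for this specific request, not just a valid identity.
    if req.action not in rec["authorised"]:
        failures.append(f"not authorised to request {req.action}")
    return (not failures), failures
```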