Social Engineering Risk Assessments

From clicking on potentially malicious links to compromising credentials via a fake website, email phishing is one of the most common ways hackers can compromise your business. Test your employees’ knowledge and compliance with security procedures in response to common ruses delivered via email with an email phishing risk assessment. Foresite will emulate common types of phishing attacks by sending emails to in-scope users in your organization attempting to request information such as usernames, passwords, and other sensitive data in a secure and controlled method.

Not all hacking attempts begin on a computer. Phone social engineering attacks attempt to gain the target’s confidence and convince them to act or provide information that could compromise your organization. In this risk assessment, Foresite professionals will target in-scope personnel to identify what information and access can be gained through common phone social engineering ploys.

Hackers have evolved with technology moving from simply sending malicious emails to now targeting organizations through employee cellphones. Like traditional forms of phishing, smishing attacks are aimed at installing malicious code or securing sensitive data from unwitting targets. Foresite helps organizations understand where they are most vulnerable to SMS phishing attacks.

Some hacking practices rely on access to physical buildings and infrastructure. From holding the employee entrance door open for an unknown person (known as “piggybacking”) to providing a “vendor” with unrestricted access to the building, there are many ways your physical building security can lead to a cyber attack. Our physical security social engineering risk assessment will not use any destructive entry methods, damage property, or impersonate public safety/government officials, but can help you discover the training gaps that put your physical assets at risk.

Often a part of physical security testing or a phishing attempt, a zero-knowledge attacker may use publicly available information to impersonate a trusted individual like a new hire, repair person, vendor, or other party in attempts to elicit information or gain access.

Instead of targeting an entire organization or address book, a spear phishing attempt is crafted with a specific target in mind. The intention of these attacks is to secure access or information that requires a specific user to be compromised and are often more specific and harder to detect than a general phishing scam.

One rouge CD or USB plugged into your network computer can compromise the entire system. This type of attack is often coupled with physical security testing to find out if employees are susceptible to plugging in an unknown disposable storage device that could contain malicious content.