Phishing Social Engineering

Phishing employee awareness

Phishing Penetration Testing

Minatio's Social Engineering Phishing Penetration Test reviews and evaluates user awareness of specific information security policies and procedures. The primary goals of this assessment are to:

  • Provide management with an understanding of the level of risk introduced by end users.
  • Provide recommendations and details to facilitate a cost-effective and targeted mitigation approach.
  • Create a basis for future decisions regarding information security strategy and resource allocation.


Why perform a social engineering phishing penetration test?

  • To evaluate how easy it is to elicit sensitive information from end users.
  • To assess how effective your information security training and awareness program is.
  • To test which department is most vulnerable to social engineering.
  • To help measure employees' retention of your information security policies.
  • To evaluate how you compare to other companies in your sector.
  • Performing this scope on a regular basis will also help address specific regulatory requirements, such as PCI DSS.

Phishing Penetration Testing Scope

Minatio's remote social engineering techniques include many techniques, which will be agreed within a scope agreement, such as:

  • Email — Users are engaged remotely via email and tested if they will interact with untrusted links, websites, or requests. Sensitive information will also be requested.
  • Telephone — Users are engaged remotely via the telephone and are tested if they will disclose sensitive information such as their passwords.

The specific attacks selected for this engagement are based upon the specific needs and requirements of each client.

Methodology:

Penetration Testing: Phishing

For Email-based Social Engineering, Minatio requests our client provide a list of email addresses to be tested. A custom email will be crafted and sent using a spoofed source email address to each employee. The email message will encourage the user to perform a variety of non-secure activities such as clicking on a link or visiting an unauthorized website. The activity is recorded and presented. Our clients can additionally choose not to provide a list of email addresses and Minatio will find all email addresses publicly available.

For Telephone-based Social Engineering, Minatio requests our client provide names and telephone numbers of enough employees so that sample employees can be contacted and persuaded to compromise their password. A limited number of contacts is usually enough to gauge the effectiveness of training throughout the organization.