Even the world’s most secure systems have the same common vulnerability as every other secure system in the world — people. Most cyber-criminals target humans before systems. Social engineering and phishing are among the most commonly used cyberattack strategies in the world for good reason: they work really well.
Truvantis uses real-world criminal strategies in an attempt to phish and manipulate your users into giving up classified information such as access codes or credentials. During training periods, our social engineering team can be deployed to phish a company’s users as often as monthly, until we’re no longer successful in getting access to your data.
Understanding how and why social engineering works can help users and employees learn to spot attempts and protect their credentials more vigilantly. A good grasp on today’s most popular social engineering strategies may also help users spot evolving future techniques.
Spear phishing is a more targeted type of phishing. Rather than sending mass emails, the criminal sends highly targeted, personalized emails to specific individuals or companies, based on prior research using publicly available information such as social media.
This growing threat, known as CEO fraud, is costing some companies millions of dollars in losses. Essentially, sophisticated criminals target specific employees such as controllers and accountants (often when the CEO is away) to request an immediate wire transfer to what appears to be a trusted vendor or familiar account.
The criminal engages the victim with a made-up story or scenario. Previously acquired personal details, such as the target's social security number or date of birth, might be used to build trust and extract more information.
The criminal gains the confidence of a courier or parcel carrier in order to divert a delivery to an alternate location.
Like herding animals to a trusted water-hole, many consumers return to the same sites repeatedly. "Water-holing" involves identifying those sites and laying cybertraps for the user.
Baiting involves dangling something of interest in front of the victim such as a digital content download or even a physical object, like a data stick labeled "Q1 Layoff Plan." Once an employee opens it out of curiosity, it could infect the system.
In this scheme, the cybercriminal comes in a trusted guise and offers something beneficial in exchange for sensitive information. A caller could pretend to be IT support, for example, and offer a quick fix or update if the target briefly disables security protocols or shares a password.
An extremely low-tech tactic is simply following authorized personnel through a locked door to gain access to private facilities. Many employees or visitors do not question people following them through secured doors, assuming they have a legitimate reason to be there.
This method relies on a sexually attractive, possibly fictitious, character manipulating a user for confidential information or unauthorized access.
A criminal accesses the profile of a friend or celebrity (or makes a lookalike profile) and tries to get the target to click on a link.
A criminal might alter the content of a website, redirecting users to a phishing page.
The phisher attempts to put low-cost products or services at the top of searches, collecting payment card details from the "purchase."
The criminal builds a replica of a legitimate website, collecting confidential data from transactions the target attempts.
The phisher inserts him or herself between the target and a real website, collecting details from a legitimate transaction.
Common in CEO fraud, the criminal emails the target from what looks like a legitimate email address within the domain of the company the criminal is impersonating.
A reputable-looking link that actually leads to a different site, exposing the computer to malware. This deception can usually be detected by hovering the cursor over the link before clicking, which makes the browser show where the link actually goes.
Malware prompts the user to perform an action that looks legitimate but allows unauthorized access through the local machine.
Phishing over the phone, with bad actors calling employees under false pretenses in order to gain unauthorized access to your system or sensitive information.
Phishing by SMS (phone-based text messages) or other text messaging services.
Breaching a company's physical security in this way is actually a very effective way of gaining access to your workstations, data centers, and more.
The odds are stacked against data security. Fortunately, security education can significantly reduce an organization's risk of falling victim to social engineering attacks. Train employees to identify these attacks, understand how they work, and follow the proper process for reporting them.
Options for social engineering and phishing security training are available in virtual and in-person formats, for organizations of every size around the world. While the methods, vendors and information covered will vary, high-quality training programs share the same basic elements.
There’s no one-size-fits-all solution to modern security. Instead, our services provide the foundation for the industry’s best practices and security your business can count on when it matters.