Social engineering assessment

Our social engineering assessment helps businesses strengthen security by simulating social engineering attacks and training employees.

Understanding and combatting social engineering threats

Social engineering exploits people’s natural tendencies to be helpful, making even the most well-trained teams vulnerable if they aren’t equipped to recognise these threats. Cyber criminals often disguise themselves as legitimate customers or colleagues, manipulating your staff into revealing sensitive information. To combat this, it’s crucial to continually educate and test your employees on the latest social engineering tactics.

By fostering a mindset that balances customer service with vigilance, you empower your team to recognise potential threats and protect your organisation from malicious manipulation.

Two cyber security consultants engaged in a discussion while working on their computers, emphasising collaboration in tackling social engineering challenges

Methodology

Planning and reconnaissance

Cognisys will work closely with your team to understand your business operations and further information, such as your software stacks, to help plan the phishing campaign.

The goal is to tailor a convincing phishing attempt by understanding the target’s structure, behaviours, and vulnerabilities. A domain will be selected and purchased during this phase and utilised to send emails and the landing page.

Crafting the campaign

Utilising the information provided in the previous section, the team will work to craft a unique phishing email and landing page to meet your business needs. An example of this could be to pose as a member of IT support with a fake Office 365 login page being utilised.

More unique engagements can also be provided, such as posing as a customer attempting to get the staff members to open and execute a macro-enabled document.

Testing

After the phishing email and landing page are created and ready to be sent to the victims, Cognisys will reach out to you to check that the phishing campaign is delivered correctly and isn’t being blocked by any existing protections, such as Mimecast. You may be required to whitelist the phishing domain.

Execution (phishing delivery)

Once the message is ready, it’s sent to the target. The phishing email may contain a fake login page, a malware-laden attachment, or a link leading to a compromised website. This stage relies on the recipient not recognising the signs of a phishing attempt and taking the bait.

Reporting

After the phishing attack, whether successful or not, it’s crucial to analyse the outcome. In a controlled phishing engagement, the focus is on assessing how the target responded, identifying weaknesses in security awareness, and using the findings to enhance future training and security protocols.

Post-engagement training

Cognisys provides training that uses real-world scenarios to help your employees identify suspicious emails and links through interactive exercises like simulated phishing tests. This proactive approach enhances awareness and builds confidence, empowering your staff to serve as a vital security layer. Simulate attacks with Cognisys to strengthen resilience against social engineering.

source code review

Why choose Cognisys’ social engineering assessment?

Our testers are experienced in constructing and creating compelling social engineering campaigns. This allows the consultant to develop a bespoke campaign unique to the client’s requirements. This ranges from simulating an IT password reset request to imitating a customer sending a malicious document.

Post-assessment, we deliver detailed reports highlighting the findings from the social engineering campaign, such as the number of users interacting with the website, entering credentials or opening a malicious file.

FAQs

Regular social engineering simulations should be conducted as 98% of cyber attacks relying on social engineering as the initial entry point.Cognisys recommends performing annual tests against their employees to ensure that they are staying vigilant against social engineering techniques. If the client is found to be vulnerable to social engineering attacks, additional training can be provided along with more regular phishing attempts.

Cognisys can perform a wide range of social-engineering attacks, such as email phishing, voice phishing, SMS phishing and even more niche attack vectors such as QR phishing.

The length of time depends on the size of the campaigns and the list of users. A simulation of only one campaign will be roughly two days, with more extensive campaigns taking more time to create a run. Once the campaign is created, Cognisys will leave a gap of approximately a week to give the targets time to interact with the attack.

A standalone attack is differentiated due to the information provided during the planning phase, with little to no customer interaction being involved. The target list will be gathered from passive recon, and the best potential phishing campaign will be identified. Spear phishing attacks are crafted to target select individuals within the organisation to try and get a foothold on the network.

The customer may be required to whitelist a phishing domain so that the emails can correctly be delivered to the staff member’s inboxes. A simulated social engineering assessment aims to test the end-user to ensure their resilience to phishing attacks; therefore, they must receive the emails correctly. This assessment aims to target the staff members and not to verify that the current software protections are working as intended.

Let’s make things happen

Fill in the form and one of our team will be in touch for a no-obligation discussion or quote regarding your requirements.

info@cognisys.co.uk
Leeds office

5 Park Place
Leeds
LS1 2RU

info@cognisys.co.uk
London office

131 Finsbury Pavement
London
EC2A 1NT

LET’S TALK

Discover how we’ve helped leading organisations

RECENT UPDATES

In Parallel achieves ISO 42001 at breakneck speed

CASE STUDY

In Parallel achieves ISO 42001 at breakneck speed

Learn how we helped In Parallel achieve their ISO 42001 certification, boosting their market credibility.

The biggest cyber attacks and vulnerabilities from September 2024

NEWS

The biggest cyber attacks and vulnerabilities from September 2024

Insights and trends from recent cyber threats and vulnerabilities from September.

IT manager using SmartScan to prioritise vulnerabilities, organising tasks based on severity to enhance security efforts.

BLOG

What is vulnerability management?

In this blog, we discuss what vulnerability management is, the lifecycle from discovering weaknesses to prioritising, resolving, and continuously improving defences to minimise cyber risks.