Social engineering objectives
One of the techniques most commonly used by cybercriminals to obtain initial access to a company's internal systems is social engineering. It is often easier, cheaper and faster to find a user who can be manipulated than an exploitable vulnerability in the infrastructure. The results of these attacks regularly appear in the media as ransomware infections, cyber scams, CEO fraud and similar incidents. Tarlogic's social engineering services simulate fully customized attacks with the goal of improving our customers' capabilities against these types of attacks.
At Tarlogic we help our customers to improve their security against this type of attack. Our social engineering services use two approaches:
- Awareness: social engineering attacks are run with the objective of helping users to detect this type of attack and handle it correctly. The methodology defined by Tarlogic employs the same attack vectors used by cybercriminals; once an attack has succeeded, an impact awareness message is shown to the user to prompt a reaction, so that they learn from the mistake and avoid repeating it.
- Evaluation: the same attacks are used to measure a company's level of maturity against social engineering and thus define its level of risk. This type of testing is useful when deciding whether to implement new measures or when evaluating the results of previous campaigns.
General description of social engineering services
Tarlogic's social engineering services may employ different attack vectors:
- Phishing: evaluates how susceptible users are to phishing campaigns. Through this type of campaign, metrics are obtained on user behavior in terms of opening malicious emails, clicking on links, downloading dangerous content or providing credentials.
- Vishing: one of the most effective methods of obtaining information is simply to ask for it. Vishing tests the maturity of users in terms of providing confidential information to strangers, or to someone claiming to be trustworthy, over a phone call.
- Smishing: in recent years, cybercriminals have increasingly used social engineering techniques based on mobile devices. Users are more likely to follow a link received by SMS or through another messaging app (e.g. WhatsApp), because they consider these channels trustworthy.
- Targeted campaigns: aimed at specific targets within the company, such as departments handling sensitive information or managers. A specific campaign is defined that may combine techniques, for example phishing and vishing at the same time.
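The phishing metrics described above (opened, clicked, downloaded, submitted credentials) are usually derived from a campaign event log. The script below is an added example and is not Tarlogic's tooling: it assumes a hypothetical JSON-lines log with the fields "campaign", "user", "event" and "ts", and the sample lines are constructed for illustration. It deduplicates repeated events per user and infers implied stages, so that a user whose "opened" event was never recorded (tracking pixel blocked) but who later submitted credentials is still counted as having opened and clicked. A "reported" event, for users who flagged the message, is an added metric the page itself does not list.

```python
"""Phishing-simulation funnel metrics from a campaign event log (added example)."""
import json
from collections import defaultdict

# Funnel stages tracked per user. A later stage implies the earlier ones listed,
# so a missing "opened" event does not hide a click or a credential submission.
# ("downloaded" is an attachment branch: it implies opening, not clicking a link.)
IMPLIES = {
    "opened": {"delivered"},
    "clicked": {"delivered", "opened"},
    "downloaded": {"delivered", "opened"},
    "submitted_credentials": {"delivered", "opened", "clicked"},
    "reported": {"delivered"},  # assumed extra event: user flagged the message
}
REPORTED_STAGES = ("opened", "clicked", "downloaded", "submitted_credentials", "reported")

# Constructed sample log (hypothetical format): one JSON object per line.
SAMPLE_LOG = """\
{"campaign": "q3-invoice", "user": "alice", "event": "delivered", "ts": "2024-09-02T09:00:00Z"}
{"campaign": "q3-invoice", "user": "alice", "event": "opened", "ts": "2024-09-02T09:05:10Z"}
{"campaign": "q3-invoice", "user": "alice", "event": "clicked", "ts": "2024-09-02T09:05:40Z"}
{"campaign": "q3-invoice", "user": "alice", "event": "clicked", "ts": "2024-09-02T09:06:02Z"}
{"campaign": "q3-invoice", "user": "bob", "event": "delivered", "ts": "2024-09-02T09:00:00Z"}
{"campaign": "q3-invoice", "user": "bob", "event": "submitted_credentials", "ts": "2024-09-02T10:14:00Z"}
{"campaign": "q3-invoice", "user": "carol", "event": "delivered", "ts": "2024-09-02T09:00:00Z"}
{"campaign": "q3-invoice", "user": "carol", "event": "reported", "ts": "2024-09-02T09:22:00Z"}
{"campaign": "q3-invoice", "user": "dave", "event": "delivered", "ts": "2024-09-02T09:00:00Z"}
{"campaign": "q3-invoice", "user": "dave", "event": "reported", "ts": "2024-09-02T09:20:00Z"}
{"campaign": "hr-bonus", "user": "eve", "event": "delivered", "ts": "2024-09-09T08:00:00Z"}
{"campaign": "hr-bonus", "user": "eve", "event": "downloaded", "ts": "2024-09-09T08:31:00Z"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def user_outcomes(events):
    """Map (campaign, user) to the set of stages reached, including implied ones.

    Using a set deduplicates repeated events (e.g. two clicks by the same user).
    """
    outcomes = defaultdict(set)
    for e in events:
        stage = e["event"]
        if stage != "delivered" and stage not in IMPLIES:
            continue  # ignore events that are not part of the funnel
        reached = outcomes[(e["campaign"], e["user"])]
        reached.add(stage)
        reached.update(IMPLIES.get(stage, ()))
    return outcomes


def funnel_metrics(events):
    """Per campaign: number of targets, per-stage user counts and rates."""
    counts = defaultdict(lambda: defaultdict(int))
    for (campaign, _user), stages in user_outcomes(events).items():
        for stage in stages:
            counts[campaign][stage] += 1
    result = {}
    for campaign, stage_counts in counts.items():
        targets = stage_counts.get("delivered", 0)
        result[campaign] = {
            "targets": targets,
            "counts": {s: stage_counts.get(s, 0) for s in REPORTED_STAGES},
            # Guard against a campaign with no delivery records.
            "rates": {s: (stage_counts.get(s, 0) / targets if targets else 0.0)
                      for s in REPORTED_STAGES},
        }
    return result


if __name__ == "__main__":
    for campaign, m in funnel_metrics(parse_events(SAMPLE_LOG)).items():
        print(campaign, m["targets"], "targets")
        for stage in REPORTED_STAGES:
            print(f"  {stage:<22} {m['counts'][stage]:>3}  {m['rates'][stage]:.0%}")
```

Note that on the constructed input bob is counted as opened and clicked although only his credential submission was logged; reporting "opened" purely from tracking-pixel hits would understate exposure whenever the mail client blocks remote images.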
Social engineering FAQs
What does social engineering mean?
A social engineering attack seeks to obtain confidential information or penetrate a company’s technological infrastructure by manipulating its employees. This manipulation can be carried out by exploiting technical flaws (vulnerabilities) or solely by deception, using a well-designed pretext.
What are the 4 types of social engineering?
Social engineering attacks can be classified by the vector used to deceive the victim. There are four main types:
- Phishing – using email to deliver malicious content that, if opened by the victim, may compromise their system or disclose confidential information. Subtypes of phishing exist, such as spear phishing, which targets a selected group of victims, or whaling, which targets a company's executives.
- Vishing – using voice calls to persuade the victim to disclose sensitive information about the company, or credentials for restricted platforms.
- Smishing – using SMS text messages or social media to deliver malicious links.
- Physical – the attacker attempts to gain physical access to the company's facilities, for example by trying to reach server rooms or archives.
What are the 3 common methods of social engineering?
The most widely used method, given how broadly it can be applied and how easy it is to build the attack vector, is email; this practice is known as phishing. Each employee usually has a company mailbox through which they receive important information about their work, so they are expected to pay attention to every message in their inbox. For this reason, if a phishing email reaches the inbox, there is a high chance that it will be opened.
Another widely used method is smishing, which uses SMS to deliver malicious links to victims. This method is mainly used to target a company's clients by impersonating the company (for example, banks or logistics firms).
Voice calls are also used by social engineers to try to obtain sensitive information. In these calls the social engineer may impersonate IT support, company executives or suppliers. This method of social engineering is called vishing.
What does a social engineer do?
The social engineer studies the company's environment, including employees, suppliers, clients and any other third party, using open-source intelligence (OSINT). The purpose is to identify the victim or group of victims who have the access or information the social engineer is after, and then to build pretexts that can be used effectively to deceive those victims.