Social Engineering

Carolinas IT and Trace Security work together to perform social engineering tests. Social engineering testing measures your employees’ security awareness when an unauthorized third party attempts to manipulate them into disclosing confidential information. Such tests show how effective your organization’s policies and procedures are at mitigating social engineering threats, how well employees adhere to those policies and procedures, and the level of security awareness that exists among staff.

Expert information security analysts who have conducted hundreds of social engineering engagements for companies across a wide range of industries evaluate the human factor, identify security issues that need improvement, and document compliance shortfalls.

We have designed both onsite and remote test methods. Onsite, our experts use techniques such as “Trusted Authority” disguises (posing as a vendor, inspector, or other figure employees are inclined to trust) to gain physical access and obtain records, files, and/or equipment that may contain confidential information. Remotely, our experts employ tactics such as pretext calling, phishing, and email hoaxes that attempt to get employees to divulge user names, passwords, customer non-public personal information (NPPI), or other confidential information.

Onsite test services include:

  • Pre-engagement setup with client (includes project planning, scope, defining rules of engagement, and information gathering)
  • Spoof emailing (if applicable)
  • On-site testing for:
    – Employee security and privacy policy awareness and adherence
    – Proper disposal of sensitive data
    – Access privileges
    – Sensitive area security
    – Device/system compromise
    – Violation reporting

  • Present preliminary findings to client core team through exit interview

Remote test services include:

  • Pre-engagement setup with client (includes project planning, scope, defining rules of engagement, and information gathering)
  • Remote social engineering (dependent on scope)
  • Computer-based testing through email spoofing and phishing simulation
  • Phone-based pretext call testing (dependent on scope)