Electronic Social Engineering (using phone and email communications) is becoming increasingly popular when conducting security reviews. An organization such as a bank can have the best technological protection; however, if a hacker can call and trick your employee into providing a username and password then all of that protection was for naught.
Electronic Social Engineering testing is an assessment of how well your employees fare when faced with someone trying to trick them, by email or phone, into revealing information that allows a thief or hacker to break into your organization.
The following is a sanitized sample of a recent Social Engineering engagement at a medium-sized bank in the United States that we will call Acme Savings and Loan. Acme and their external security testing contractor worked together to establish the goals of the assessment. In this case Acme wanted to test a random sample of employees, branch managers, mid-level executives, and gatekeepers. "Gatekeepers" is the name for secretaries, switchboard operators, administrative employees, Human Resources staff, and other roles in your company that answer the phones or respond to inquiries about the organization from the public. Their roles are supposed to be friendly and helpful, but they are often technically unsophisticated and so make the best targets for thieves and hackers.

