Social Engineering
Testing the human factor in security through realistic attacks on employees that exploit no technical vulnerabilities.
Psychological Tactics
Using psychological principles such as urgency, authority and reciprocity for manipulation.
Multi-channel Attacks
A combination of email, phone, SMS and physical access for maximum effectiveness.
Real-world Scenarios
Scenarios based on current attacks used by cybercriminal groups.
Attack Types
Pretexting
Creating a credible scenario (pretext) to obtain information - IT helpdesk, vendor verification, survey.
IT support impersonation, executive assistant, facilities management
Vishing (Voice Phishing)
Phone attacks mimicking banks, IT support or management to obtain credentials or information.
Caller ID spoofing, multi-call sequences, voicemail pretexting
Physical Social Engineering
Physical intrusion into a building through tailgating, impersonation or badge cloning.
Delivery person disguise, contractor impersonation, maintenance access
Baiting
Leaving infected USB drives or malicious QR codes in strategic locations to exploit human curiosity.
USB dropping in parking lot, malicious QR codes, fake charging stations
Quid Pro Quo
Offering a service in exchange for information - IT support offering help, a free audit, a security assessment.
Tech support scam, free security scan, prize/survey offers
Tailgating / Piggybacking
Following an authorized user into secured areas without being verified oneself.
Hands full technique, urgent delivery, forgotten badge scenario
Psychological Principles
Authority
People tend to obey authority - impersonating a CEO, IT admin or external auditor.
Urgency
Time pressure reduces critical thinking - "urgent password reset", "immediate action required".
Reciprocity
Feeling obligated after receiving "help" or a gift - free IT support, a helpful stranger.
Social Proof
People follow others' behavior - "everyone else already updated", "other departments confirmed".
Liking
Building trust and rapport before making the request - small talk, shared interests.
Fear
Inducing fear of negative consequences - "account will be suspended", "security breach detected".
Testing Scenarios
IT Helpdesk Impersonation
Calling employees as IT support and requesting a password reset or remote access.
Measures: willingness to share credentials, verification procedures
Executive Impersonation
Email or call on behalf of the CEO/CFO with an urgent request for a wire transfer or sensitive data.
Measures: authority bias, approval workflows
Physical Penetration
Attempting to enter the building as a vendor, courier or contractor without prior authorization.
Measures: reception procedures, employee vigilance, badge checking
USB Drop Attack
Leaving USB drives with enticing labels in the parking lot or lobby, carrying a tracking payload.
Measures: curiosity exploitation, USB device policy compliance
Success Metrics
Quantitative Metrics
- Success rate (% compromised)
- Information disclosed
- Credentials obtained
- Physical access gained
- Reporting rate
Qualitative Analysis
- Effectiveness of verification procedures
- Employee suspicion triggers
- Response time to incidents
- Policy compliance gaps
Deliverables
Detailed Report
- Attack scenarios used
- Success/failure breakdown
- Audio/video evidence (with consent)
- Vulnerable departments/roles
Remediation Plan
- Policy improvements
- Training recommendations
- Technical controls
- Awareness program design