Ask These 10 Questions to Enhance Your Social Engineering Testing

TL;DR

Don’t wait for a breach to happen before you pursue social engineering testing. Be proactive and enhance your internal processes to increase your defenses against an attack. Get the most value out of your social engineering testing by asking the questions below to maximize results.

Phishing and Fishing	Physical Pentesting
What is the biggest concern you are trying to protect against? Are you already conducting phishing or vishing campaigns in-house or through a third-party service? If so, how often? Are there existing policies or processes in place for users to report suspicious calls, emails, or texts?	What is the most likely adversary you are trying to protect against? What are the most sensitive areas of your building, where security should be the strongest? What physical security controls do you have in place already? How much ability do you have to add new controls, or upgrade existing ones?

Get the full list of questions below. 

Introduction 

Your multifactor authentication (MFA) is tailored to your environment; you’ve got regular software updates down to a science; and your company’s social engineering training has boosted your team’s recognition of phishing attempts.

These efforts build up to a proactive security strategy that’s needed to combat today’s persistent social engineering attacks. But all this aside, one fact remains — social engineering is still the top method threat actors use to gain entry to a company’s IT environment and sensitive data. 

For security teams and their leaders, understanding how to effectively conduct social engineering penetration testing can be a game-changer. Not only does it help identify focus areas to enhance security, but it also builds a robust defense mechanism against the real threats that exist today. 

Learn why social engineering remains a prevalent threat, the difference between phishing/vishing and physical/on-site penetration testing, and how you can maximize the outcomes of your social engineering testing by asking specific questions. 

Whether you’re just learning more about social engineering testing, or you’re ready to start your next engagement, NetSPI is here to help. Let’s talk.

Social Engineering Attacks Are All Too Common

Social engineering leverages human psychology to exploit individuals to share sensitive information or perform actions that compromise security. Unlike traditional techniques threat actors use that target systems and networks, social engineering attacks target the weakest link in the security chain — people.  

This focus not only protects against breaches, but it also fosters a culture of security awareness among employees. 

73% of Breaches Are Due to Phishing and Pretexting

Social engineering remains a prevalent threat. Pick up any cybersecurity report or peruse data breach headlines, and you’ll quickly get a sense of the threat landscape.  

The Verizon Data Breach Investigations Report highlights that phishing remains the leading cause of incidents, accounting for 73% of breaches. This statistic has remained steady year over year, underscoring the persistent nature of social engineering threats. 

Another telling insight from the report is that “the median time for users to fall for phishing emails is less than 60 seconds.” This rapid response time emphasizes the importance of real-time awareness and training to recognize, report, and ultimately prevent social engineering attacks. 

Prioritize Social Engineering Defense 

Several indicators can signal the need to prioritize social engineering prevention within an organization.  

Phishing and Vishing 

On the phishing and vishing side, headlines like the high-profile MGM data breach spike interest in social engineering prevention. When a competitor or someone in your industry falls victim to a social engineering breach, it serves as a compelling signal to initiate social engineering testing. 

As technical controls grow stronger and the industry expands, it’s challenging to prevent social engineering tactics like phone calls. For example, while web application firewalls and network controls can block foreign threat actors, even a teenager in Florida can try to infiltrate through simple phone calls. 

Physical Pentesting 

On the physical security side, the COVID-19 pandemic significantly altered on-site security. With more people working from home, buildings are less populated, making it easier for unauthorized individuals to gain access because of outdated assumptions about physical security based on pre-pandemic conditions. 

The best advice we can give to avoid a data breach is to be proactive and prepare ahead of time. 

Social Engineering Penetration Testing versus Social Engineering Prevention Training 

Training and testing serve different purposes, but are both essential for a comprehensive security strategy. 

Social Engineering Prevention Training 

Popular subscription-based social engineering training services focus on educating employees to recognize and report phishing attempts. These sessions are broad in nature, accessible to all employees, and can be mandated organization-wide. 

Social Engineering Penetration Testing 

With social engineering penetration testing, security teams take a more sophisticated approach, resulting in deeper insights by seeing what could happen after phishing occurs. This type of testing evaluates how employees respond, identifies potential escalation points, and provides helpful context into the organization’s resilience against social engineering attacks. 

While training casts a wide net for general recognition and reporting, penetration testing evaluates specific attack paths for precise security enhancements.  

Questions to Ask to Enhance Social Engineering Testing 

Before conducting social engineering penetration testing, it’s crucial to define objectives clearly so you can maximize the value of your test. Here are some questions to consider for successful social engineering testing:  

Phishing and Vishing Penetration Testing 

1. What is the biggest concern you are trying to protect against? 
2. Are you already conducting phishing or vishing campaigns in-house or through a third-party service?  
   • If so, how often? 
   • Have you noticed any trends in failure rates, either higher or lower?  
3. If so, how do these trends inform your readiness for more advanced testing? Are there existing policies or processes in place for users to report suspicious calls, emails, or texts? 
4. Which team or department within your organization is most vulnerable to social engineering threats?  
   • Are these teams public-facing or internal only? 
5. How do these teams most often communicate?  
   • Email, phone call, chat message? 

Physical Pentesting 

1. What is the most likely adversary you are trying to protect against? Being specific about this helps tailor decisions around controls. 
2. How would you describe your company culture regarding physical security?  
   • Is tailgating a standard practice? Do employees feel comfortable challenging unknown visitors? Do people lock their workstations before leaving their desks? 
   • What policies and processes do you have in place to enforce these actions?  
   • What kinds of training have your employees received? 
3. How have your assumptions about physical security changed since the pandemic? 
4. What are the most sensitive areas of your building, where security should be the strongest? 
5. What physical security controls do you have in place already?  
   • How much ability do you have to add new controls, or upgrade existing ones? 

Use these questions as a starting point to guide your social engineering testing. Contact The NetSPI Agents for a conversation at any time.  

3 Types of Social Engineering: Phishing, Vishing, Physical/Onsite 

Social engineering testing encompasses a wide range of techniques designed to evaluate an organization’s vulnerabilities to human-centric attacks. From pretexting and baiting to tailgating and spear-phishing, the variety of attack methods is extensive. For a comprehensive overview, read Tech Target for the different types of social engineering attacks.  

Here, we’ll focus on three specific types of social engineering testing that NetSPI offers:  

• Phishing 
• Vishing 
• Physical pentesting 

Phishing 

Phishing tests involve email and text-based attacks to gauge employee awareness and identify procedural gaps. Campaigns can range from general security awareness to targeted spearphishing attacks aimed at compromising specific accounts. 

Vishing 

Vishing involves phone-based attacks designed to extract sensitive information. During these engagements, the tester may pose as a help desk employee or vendor to gather user credentials, internal data, or customer information. 

Social Engineering Best Practices: Phishing and Vishing Prevention 

• Assume Phishing Will Happen: Acknowledge the inevitability of phishing incidents, especially in large organizations; with thousands of employees, it’s statistically likely someone will click a malicious link. 
• Implement Strong Technical Controls: Establish robust security measures to mitigate the impact of successful phishing attacks, including multi-factor authentication (MFA) to add an extra layer of security. 
• Limit User Access: Enforce strict access policies to control entry points, preventing unauthorized access from non-corporate devices or unfamiliar locations. 
• Streamline Reporting Processes: Create an easy, user-friendly system for employees to report suspicious activity and phishing attempts, minimizing reliance on traditional help desk procedures. 
• Verify Identities: Encourage staff to confirm unexpected communications via secondary methods, such as sending a quick message through internal communication platforms to verify authenticity. 
• Conduct Regular Training: Regularly remind employees of the importance of identity verification and protocols for handling suspicious messages, fostering a culture of vigilance without fostering a climate of fear. 

Physical Pentesting 

Physical tests assess the effectiveness of on-site security measures. This includes evaluating physical access controls, employee awareness, and compliance with security policies. The goal is to minimize the risk of unauthorized access to sensitive areas. 

On-Site and Physical Security Best Practices 

• Focus on Physical Security First: Social engineering is a highly effective way to gain unauthorized access to physical locations. However, if an attacker can simply slip through an unlocked side door without having to talk to anyone, they will likely do that first. 
• Establish Verification Processes: Implement a defined process for employees to verify each other’s identities, especially for new or unknown employees requesting assistance. This can include additional verification methods beyond just badges. 
• Awareness of Tailgating Risks: Acknowledge that tailgating is an effective method for unauthorized entry into facilities. Create awareness among employees about this tactic and encourage vigilance. 
• Encourage Communication: Promote communication among employees for confirming requests made by unfamiliar individuals, enhancing the overall security of the workplace. 
• Provide Regular Training: Regularly train staff on security protocols and situational awareness to empower them to take initiative in verifying identities and reporting suspicious behavior. 

Enhance Your Social Engineering Testing with NetSPI 

Social engineering remains the top method for breaches, because humans are the unknown variable in what’s theoretically a secure system. Prioritizing social engineering penetration testing and prevention is essential to enhance your company’s security posture.  

By implementing strategies focused on equipping internal teams with the knowledge and processes to combat social engineering threats, you can build a resilient defense strategy against these persistent attacks. 

We’re here to help you take proactive steps today to secure your organization. Explore NetSPI’s social engineering services and contact us to strategically advance your approach.