Social Engineering
Pen testing icon

Social Engineering Testing

Evaluate how effective your policies, procedures and people would be in response to a social engineering or phishing attack. 
  1. Home
  2. Services
  3. Penetration Testing
  4. Social Engineering Penetration Testing

Service Summary

By working with Bridewell to complete a social engineering test, you can gain insight into how capable your employees are at recognizing and responding to social engineering and whether your organization's existing policies are effective at stopping these threats. This is fundamental to identifying vulnerabilities and improving procedures that mitigate the risk of attacks such as phishing, impersonation, and relationship building. 

  • An Assessment of People and Technologies. Bridewell reviews the processes you have in place to improve people’s awareness of social engineering techniques.
  • A Non-Judgemental Assessment. Our penetration testers will not use our findings to blame individuals within the organization and instead provide constructive feedback and support.
  • A Complete Range of Penetration Tests. Our tests can assess your organization's security from technological controls to people, processes, and procedures.
  • Tailored Engagements for Any Goal. None of our assessments are ‘out-of-the-box’; Bridewell collaborates with organizations to develop a framework that assesses specific areas of concern in line with business objectives.
  • Deep Sector Experience. Bridewell have worked with organizations in some of the most highly regulated and critical industries and understand the unique business challenges and risks faced by these sectors.
  • Highly Accredited for Penetration Testing. Bridewell is accredited by CREST, the OSCP, Zeropoint Security CRTOs, are Tiger-certified, and possess Certified Cyber Security Consultancy status with the National Cyber Security Centre (NCSC). 
  • A Realistic Simulation of Real-Life Attacks. Bridewell’s assessments are goal-oriented and accurately recreate the tools, tactics and procedures that would be used by a real-world attacker.

 

Key Challenges Addressed

 

Social engineering attacks take advantage of people’s natural inclination to help and support others. If organizations aren’t sensitive to this in how they address this form of attack, they can make individuals feel singled out when they were simply trying to be helpful.

This can discourage what are otherwise positive behaviors within the organization (such as responsiveness and collaboration) or disengage people from social engineering awareness or training programs. 

To address this, organizations need to minimize risk for the wider business without making people feel like they are being tested or reprimanded. However, organizations may lack the experience to deliver a people-first approach to social engineering training and awareness that ensures people feel fully supported.  

 

 

Social Engineering Testing

Key Benefits

Here are just some of the benefits of trusting Bridewell to assist with your Social Engineering Testing.

Targeted Awareness Training

Enhance your employees’ ability to identify social engineering attacks.

Review Information Security Policies and Controls

Determine how effective your information security policy is and how controls can be improved to identify and prevent attacks.

Understand Risk

Establish what an attacker could obtain from your business through a successful attack. 

A Valuable Component of Wider Penetration Testing

A social engineering assessment is a useful component within a wider testing process that can support red teaming of assumed breach testing.

How It Works

 Our social engineering penetration testing services begin with a detailed scoping session with you to identify key risks and what processes and procedures are currently in place to mitigate them. These processes and procedures should empower your staff to identify and prevent potential social engineering attempts.

Our assessments cover all types of social engineering, whether on or off-site:

  • Relationship-Building Attacks - A long-term social engineering attempt that aims to build trust that can later be exploited, often in support of supply channel attacks.
  • Baiting/ Luring - Physical media devices can are used to lure employees into connecting it to a computer system, often containing malware.
  • Physical Intrusion - Disguising as an employee or employing other social engineering techniques to get access to the premises and to reach valuable information, plant listeners, plug in network devices within restricted areas of the target company.
  • Impersonation - Disguising as an employee to get access to the premises and to reach valuable information, sometimes in restricted areas of the target company.

Once the assessment is complete the consultants will provide a detailed report alongside in- person or virtual workshops to help educate and support the organization. These workshops are designed to raise awareness around potential attack types and how they are conducted and provide simple steps to help mitigate these risks.

lightbulb cyber strategy

Our assessments cover all types of social engineering, whether on or off-site: 

Fraudulent communications, such as phishing emails, made with an employee from an attacker masquerading as a genuine and seemingly trustworthy source. 
Phishing conducted over the phone, such as an attacker pretending to be IT support. This is also known as voice phishing or phone phishing. 
SMS phishing often involves malicious links shared with employees under the pretense of a trusted source, such as a Multifactor Authentication (MFA) request. 
A long-term social engineering attempt that aims to build trust that can later be exploited, often in support of supply channel attacks.
Physical media devices can are used to lure employees into connecting it to a computer system, often containing malware.
A highly targeted attack which focuses on a specific individual within an organization.

Disguising as an employee to get access to the premises and to reach valuable information, sometimes in restricted areas of the target company.  

 

Disguising as an employee or employing other social engineering techniques to get access to the premises and to reach valuable information, plant listeners, plug in network devices within restricted areas of the target company. 

Once the assessment is complete the consultants will provide a detailed report alongside in- person or virtual workshops to help educate and support the organisation.

These workshops are designed to raise awareness around potential attack types and how they are conducted and provide simple steps to help mitigate these risks. 

FAQs

Social engineering is one of the most overlooked, and arguably the most dangerous security threat that an organization can face. In the context of cybersecurity, social engineering tactics are used to deceive or manipulate employees within an organization to divulge confidential or sensitive information for fraudulent purposes. 

There are many social engineering attack scenarios, but some of the most common ones organizations face regularly often relate to access controls and entry to the organization, relationship- based attacks are also on the rise through platforms like LinkedIn, Twitter and even organizations own sales leads. 

Social engineering tests can be used to assess cyber security posture by identifying vulnerabilities in an organization's people, processes, and technology. A good example of this may be building and access controls in a shared office space. Are they fit for purpose? Can an attacker just walk in, sit down and connect to your network? 

Ready to Take the Next Step?

We’re here to help, so to speak with our team and learn more about how Bridewell can benefit your organisation, just complete the below form and one of our experts will be in touch.