What is a Social Engineering Assessment?

A social engineering assessment is a test of an organization’s human vulnerabilities. Since people are often the weakest link in any security strategy, testing employees and associated security policies is a smart best practice. Assessments can test resilience to email phishing, vishing (voice calls), and on-site attempts to gain access to restricted areas and exfiltrate confidential data. This valuable assessment quickly identifies the efficacy of human-related security initiatives and which areas need to be addressed.

Types of Social Engineering Attacks

Every assessment engagement is tailored to your needs. We work with you to build and execute a meaningful campaign, including the creation of authentic-feeling attacks that are appropriate for your organization. We also determine whether there are specific attack types you would like to focus on. We regularly test these common attack types:

Phishing. The most common social engineering attack. An attacker sends links via email or social media that lead to a spoofed website. The target is lured to the site in an attempt to capture information, including credit card numbers.

Spear Phishing. A variation on phishing, and one with higher success rates. Falsified emails appear to come from a known or trusted source in order to trick the target into revealing confidential information or taking a desired action. A spear phishing attack is aimed at a particular individual or group. An attacker may use social engineering to impersonate managers or coworkers in order to connect with you in a more convincing way. When an email from the CEO oddly asks for twenty gift cards, that’s spear phishing.

Vishing. Rather than using email to get you to reveal personal or confidential information, vishing takes place over the telephone. An attacker typically calls a company or department directly, impersonating an internal employee or external partner who needs information or help. By spoofing a legitimate phone number, an attacker may lead the target to believe the call is genuine and disclose information.

Physical Attacks. Bad actors will use any means at their disposal to manipulate others into granting unauthorized access to data. This includes physically testing how well employees follow security procedures. Common physical attacks include USB drops that tempt employees to plug in malicious devices, tailgating employees with badge access into restricted spaces, and impersonating IT staff or vendors.

When Should You Do a Social Engineering Assessment?

Clients find this service most valuable when they want to verify that employees are following established protocols and to discover gaps in those protocols. Testing provides valuable information about the weakest link in your security chain. It also helps validate the effectiveness of security awareness training. And simply by testing, you’ll drive awareness of and participation in security procedures.

Next Steps

Let’s talk about how a Social Engineering Assessment can benefit your organization.