Phishing & Social Engineering Testing
Professional testing services that assess how your users and your detection capabilities hold up against social engineering attacks such as phishing. Identify susceptible users, turn failures into training opportunities, and prepare your organization for one of the most common threats it faces.
Our Phishing & Social Engineering Services
Email Phishing Assessment
We simulate a range of attacks and techniques
Phone Phishing Assessment
We call your users and attempt to elicit sensitive information
SMS Text Phishing
We send SMS phishing messages to your users
Physical Social Engineering Assessments
We visit your facility and attempt to bypass security and gain access to resources
Select your testing scope and determine pricing using our online quote builder
Assess the security level of your staff
Our phishing and social engineering testing is a service in which our team of ethical hackers uses real-world social engineering tactics to test your users and your detection capabilities against human-targeted attacks such as phishing. It can be offered as a stand-alone engagement, or, as is often the case, performed in conjunction with a network penetration test to assess broader risks. The exercise identifies your susceptible users, lets you use failures as a training opportunity, and prepares your organization for a very common attack vector. The best defenses are those that have been tested against a good offense, so that the organization is properly prepared when a real attack occurs.
Technology environments require giving end-users access and privileges, and malicious actors continually attempt to trick unsuspecting users into violating security policy and divulging or otherwise granting that access. Having an independent team of experts audit your defenses against a range of social engineering attacks uncovers your vulnerabilities and measurably raises your level of security.
Email Phishing Testing
Our email phishing assessments test your systems and users for their susceptibility to email phishing attacks of increasing sophistication. We can either mine the internet for email addresses, as a malicious hacker would, or be provided a list to ensure full coverage of users. We send our emails in stages, starting with untargeted, spam-style emails that are typically detected and blocked easily, and progressing to highly targeted spear-phishing campaigns that use mimicked (lookalike) domains and cloned websites to bypass detection filters and trick end-users. We adjust our techniques and strategies as the testing proceeds, based on the results. This allows us to assess not just whether your users will fall victim, but at what level of sophistication an attack must operate before a defense is breached. The emails attempt to get the user to visit a ‘malicious’ website, open a ‘malicious’ attachment, or reply with or otherwise return confidential information to us. We provide a complete report of the results, including overview graphics, composite totals, and granular results for all individuals tested.
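The spear-phishing stage described above depends on mimicked domains that look like the organization's own. The following Python is an added example, not Grid32's tooling or any code from this page: it enumerates lookalike variants of a legitimate domain (homoglyph swaps, dropped or doubled characters, transpositions, TLD swaps, and lure-word combinations) and triages sender addresses as legitimate, lookalike, or unrelated, with an edit-distance fallback for variants the generator does not list. The domain example.com, the substitution and lure-word lists, and the sample sender headers are all assumptions constructed for the illustration.

```python
"""
Lookalike-domain triage for an email phishing assessment.

Added example, not Grid32's own tooling: given the organization's legitimate
domain(s), enumerate the mimicked domains a red team (or a real attacker)
might register, then classify inbound sender addresses as legitimate,
lookalike, or unrelated. All names and sample addresses are constructed.
"""
import re

# Substitutions that read like the original at a glance (assumed list).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"],
              "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"]}
ALT_TLDS = ["com", "net", "org", "co", "io"]            # assumed list
LURE_WORDS = ["login", "secure", "mail", "hr", "it", "support"]  # assumed list


def split_domain(domain):
    """'example.com' -> ('example', 'com'); assumes a single-label TLD."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def lookalike_variants(domain):
    """Enumerate plausible lookalikes of a legitimate domain."""
    label, tld = split_domain(domain)
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):               # homoglyph swap
            out.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
        out.add(f"{label[:i]}{ch}{label[i:]}.{tld}")     # doubled character
        if len(label) > 1:                               # omitted character
            out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):                      # adjacent transposition
        out.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    for alt in ALT_TLDS:                                 # TLD swap
        if alt != tld:
            out.add(f"{label}.{alt}")
    for word in LURE_WORDS:                              # combosquatting
        out.add(f"{label}-{word}.{tld}")
        out.add(f"{word}-{label}.{tld}")
    out.discard(domain.lower())
    return out


def levenshtein(a, b):
    """Edit distance; catches variants the generator does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address):
    """Domain from 'Name <user@domain>' or 'user@domain'; None if malformed."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else None


def classify_sender(address, legit_domains, max_distance=2):
    """'legitimate', 'lookalike', 'unrelated', or 'invalid' for one address."""
    dom = sender_domain(address)
    if dom is None:
        return "invalid"
    legit_list = [d.lower() for d in legit_domains]
    for legit in legit_list:
        if dom == legit or dom.endswith("." + legit):
            return "legitimate"                   # exact match or true subdomain
    for legit in legit_list:
        if dom.startswith(legit + "."):           # e.g. example.com.attacker.net
            return "lookalike"
        if dom in lookalike_variants(legit):
            return "lookalike"
        if levenshtein(split_domain(dom)[0], split_domain(legit)[0]) <= max_distance:
            return "lookalike"                    # e.g. two substitutions at once
    return "unrelated"


def triage(addresses, legit_domains):
    """Map each sender address to its classification."""
    return {a: classify_sender(a, legit_domains) for a in addresses}


if __name__ == "__main__":
    legit = ["example.com"]
    samples = [  # constructed sender headers for the example
        "IT Helpdesk <helpdesk@example.com>",
        "HR <hr@mail.example.com>",
        "IT Helpdesk <helpdesk@examp1e.com>",
        "Payroll <payroll@exmaple.com>",
        "Security <alerts@example-login.com>",
        "CEO <ceo@example.co>",
        "Support <support@example.com.notifications.net>",
        "Finance <finance@ex4mp1e.com>",
        "Vendor <billing@acme-supplies.net>",
    ]
    for addr, verdict in triage(samples, legit).items():
        print(f"{verdict:10s} {addr}")
```

The generated variant list can be checked for registration before an assessment starts, so that the red team knows which lookalikes are already taken. The edit-distance fallback trades coverage for false positives: with a threshold of 2, short labels (five characters or fewer) will match many unrelated domains, so lower `max_distance` to 1 for those or restrict the fallback to the enumerated variants.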
Phone Phishing Testing
Our phone phishing assessments (also known as vishing) test your users for their susceptibility to telephone-based social engineering attacks. We call users and attempt to elicit information from them over the phone. We can call users in the organization at random or be provided a list of users and numbers to call. We use a combination of live human calls and automated calls, since malicious hackers use both techniques and each can produce different results. As with the email attacks, the phone attacks are modified as the testing proceeds, based on results. We have several typical scenarios, and we vary the particulars of each. Example scenarios include a call from tech support or the I.T. department, a call from a superior or someone higher in the organization, or a call from someone affiliated with the company, such as a vendor. As with all of our social engineering attempts, the calls are not overtly disruptive to end-users, typically taking less than a minute of their time. We provide a complete report of the results, including overview graphics, composite totals, and granular results for all individuals tested.
SMS Text Message Phishing Testing
Our SMS text message phishing assessments (also known as smishing) test your users for their susceptibility to text message-based social engineering attacks. Text messages are a less common attack technique, but they are growing in popularity and are often very successful, since many users are unaware that such attacks exist and are therefore less suspicious. We attempt to elicit information from users, such as access credentials, two-factor authentication codes, or other confidential information. For this test, it is best that we are provided with a list of users and phone numbers that we are authorized to contact. Since message rates may apply and the messages land on whatever device the number belongs to, consider who owns the phone lines involved; it is usually best to run the test against company-provided devices. We provide a complete report of the results, including overview graphics, composite totals, and granular results for all individuals tested.
Physical On-Site Social Engineering Testing
Our physical, in-person social engineering assessments test the staff at your facility or facilities for their susceptibility to social engineering attacks. If attackers are able to gain access to a facility, the cyber-attacks they can then carry out are very damaging and difficult to detect. These include inserting a hardware keylogger between the keyboard and the computer that surreptitiously sends every keystroke to the attacker, planting a rogue device that opens a remote connection back to the attacker and can then capture network traffic and data, or gaining direct, hands-on access to workstations and network resources. Grid32 assesses the physical security of our clients' facilities by attempting to bypass security measures through social engineering of security staff and employees. The methods vary with the building and its security setup, but possible scenarios include attempting to gain entry by posing as a delivery person or courier who needs access to the building, or entering through side doors and other entrances that staff use when leaving for lunch or smoking breaks. The typical goal is to determine whether social engineering and other non-intrusive techniques allow our engineer(s) to reach network resources, such as workstations, servers, printers, or internal Ethernet ports. As with all of our social engineering exercises, we keep any disruption to a minimum and respect the client's need for productivity and general operations to continue unaffected. We provide a complete report of the results, including overview graphics, composite totals, and granular results for all individuals tested.
Post-test Cybersecurity Awareness Training
As a follow-up to our testing, or as a stand-alone service, we provide Cybersecurity Awareness Training for employees. Building the training around the results of the phishing and social engineering assessment has a pronounced effect on motivating staff to understand and comply with security policies. For more information, visit our training page.
“We regularly train our users, but the experience of having a targeted spear-phishing attack that many of them fell for really helped build awareness.”
“The ability to see how our firewalls and mail systems responded and how our users responded gave us great perspective into where we could improve our defenses. Ten out of ten for Grid32!”
“Performing this test and proving that we were vulnerable allowed me to finally gain the understanding I needed from our Board to fund and actuate further defenses for phishing attacks. Thank you to the team at Grid32 for a job well done.”
Get in touch with a cybersecurity expert