Social Engineering Testing Services

Test Your Personnel Against Their Susceptibility to Deception

Artifice Security is the leading penetration testing company for electronic social engineering and physical social engineering assessments. Our expert security consultants have performed social engineering engagements for every industry, including government agencies, military branches, and Fortune 500 companies. When you want the best social engineers in the game, Artifice Security stands at the top.


What is Social Engineering?

Social engineering is the act of exploiting human weaknesses to gain access to protected systems and personal information. It relies on manipulating individuals rather than hacking systems, and it depends on persuading the target to take actions they would not normally take on their own.

To help train your staff on recognizing, reporting, and stopping social engineering attacks, you need a third-party vendor to perform social engineering against your company in a controlled fashion. This assessment helps gauge your organization’s overall risk to social engineering and lets you know where training is required.

what we do

What Does Artifice Security Provide for Social Engineering?

Artifice Security utilizes a combination of human and technological approaches to simulate social engineering attacks against your organization. We can provide advanced phishing simulations for electronic social engineering, physical social engineering to test your onsite personnel or a combination of both. Artifice Security tailors each assessment to your organization, customers, and employees.

types of attacks

Types of Social Engineering Attacks

Social engineering attacks are the most common attack vectors against organizations. According to Verizon’s annual Data Breach Investigations Report and data from the Privacy Rights Clearinghouse, social engineering accounts for 70%-90% of all successful data breaches. Malicious actors have more success breaching networks through social engineering than through traditional exploitation of external networks and web applications.

Recognizing a social engineering attack is one of the best methods to protect your business. Here are the most common social engineering attacks that we’ve seen in the past few years:

01. Phishing

Phishing is the practice of sending emails that appear to be from trustworthy organizations to trick people into disclosing personal information like passwords and credit card data.

Phishing typically involves sending emails that try to reach as many people as possible and aren’t too specific for anyone. There are, however, a few varieties of phishing that focus on particular targets.

  • Spear Phishing – Spear phishing targets specific people or groups inside a company. It’s a dangerous variation of phishing that leverages email, social media, instant messaging, and other platforms to persuade users to reveal personal information or take actions that compromise networks, cause data loss, or result in financial loss. While traditional phishing relies on sending bulk emails to random people, spear phishing focuses on specific targets and requires more research by the attacker.
  • Whaling – Whaling involves targeting the executives at the organization, such as the CEO, VP, CFO, and other high-profile targets, as they are considered the “large fish” of the organization.

02. Vishing and Smishing

Vishing is similar to phishing, but the malicious actor uses phone calls or leaves voice recordings to trick individuals into releasing personal information such as passwords and credit card data.

The caller frequently threatens or scares the victim into providing personal information or money. Vishing scams like this usually target the elderly, but anybody without training may fall victim to one.

Smishing (short for SMS phishing) uses the same strategies as email phishing and vishing but delivers the lure over SMS/text messaging instead of email.

03. Pretexting

Pretexting is a form of social engineering in which the attacker creates a situation in which the victim feels obligated to cooperate. The malicious actor usually impersonates someone in an authority position to persuade the victim to follow their instructions.

In this type of attack, a malicious actor may mimic corporate executives, auditors, investigators, or any other persona they believe will help them obtain the information they need.

04. Tailgating and Piggybacking

Tailgating is the practice of closely following an authorized user into an area without being seen by that person. A malicious actor can tailgate another person by catching the door before it closes or placing an object to stop the door from closing.

Piggybacking is very similar to tailgating. The critical distinction between the two is that in a piggybacking scenario the authorized user is aware of the other person and allows them to piggyback off their access. A friendly authorized user may feel obliged to hold a secure door open for someone carrying a box or a construction worker entering with a ladder.

05. Baiting

Baiting lures the victim by placing something alluring in front of them. For example, a malicious actor may drop USB drives on the ground near the target organization or hand them out at a conference. When the victim inserts the USB drive into their computer, a file that looks like photos or a Word document may actually be an executable that installs remote access malware.

06. Quid Pro Quo

Quid pro quo (Latin for “something for something”) is a social engineering technique in which the attacker offers a service in exchange for information. A malicious actor may call the organization while spoofing the IT department’s phone number, hoping to reach a person with a technical issue. Once connected to a person needing help, the attacker asks for their password while pretending to troubleshoot their computer.

methodology

Social Engineering Methodology

01. Define the Scope

Before starting the social engineering assessment, Artifice Security will collaborate with your team to determine what type of social engineering assessment you are looking to receive. We will communicate with your team to understand the kind of assessment you expect and the best fit for your organization.
  • Determine if electronic social engineering, physical social engineering, or both are required
  • Outline which users, if any, are exempt from social engineering
  • Determine testing dates and times for the social engineering assessment
  • Determine what is out of bounds, if anything

02. Information Gathering / Recon Phase

During the information-gathering phase of the assessment, Artifice Security will perform passive information gathering against your organization using Open Source Intelligence (OSINT) tools and techniques. This public data can help us determine undiscovered risks to your company and show you what information is out there that you may not know exists. This targeted intelligence includes the following checks:
  • Gather domain information and URLs for your organization
  • Search for publicly exposed documents such as PDF, DOCX, XLSX, and PowerPoint files that may contain sensitive or customer data without your knowledge
  • Search the Internet and dark web for leaked credentials within password breach databases
  • Check for domain names similar to yours to determine your risk of domain spoofing and phishing
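
The last check above, spotting domain names that resemble your own, is one a defender can also run continuously against inbound mail rather than only during an assessment. The following Python is an added example (not Artifice Security’s tooling) that flags sender domains resembling an assumed organization domain, example-corp.com, using a constructed sample of sender domains; its confusable-character table is deliberately partial.

```python
import unicodedata

# Partial confusable map, constructed for this example: ASCII look-alikes plus a few Cyrillic letters that render like Latin ones.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "l": "i", "5": "s",
               "3": "e", "\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c"}

def skeleton(label: str) -> str:
    """Lowercase, strip accents and hyphens, then collapse confusables (longest keys first)."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(c for c in s if not unicodedata.combining(c)).replace("-", "")
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s

def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))  # one row of the edit-distance table at a time
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> tuple:
    """'a.b.example.com' -> ('example', 'com'); multi-part suffixes like .co.uk are out of scope."""
    parts = domain.lower().strip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def classify_sender(sender_domain: str, org_domain: str) -> str:
    """Return 'own' (the org domain or a subdomain of it), 'lookalike' or 'unrelated'."""
    org_domain = org_domain.lower()
    sender = sender_domain.lower().strip(".")
    if sender == org_domain or sender.endswith("." + org_domain):
        return "own"
    if org_domain in sender:  # org domain embedded as a subdomain of another domain
        return "lookalike"
    org_skel = skeleton(registrable(org_domain)[0])
    dist = levenshtein(skeleton(registrable(sender)[0]), org_skel)
    threshold = 2 if len(org_skel) >= 8 else 1  # tolerates typos and TLD swaps
    return "lookalike" if dist <= threshold else "unrelated"

def flag_lookalikes(sender_domains, org_domain: str) -> list:
    """Sender domains that deserve review as possible spoofs of org_domain."""
    return [d for d in sender_domains if classify_sender(d, org_domain) == "lookalike"]

# Constructed sample of sender domains, as might be pulled from inbound mail logs.
SAMPLE_SENDERS = ["mail.example-corp.com", "examplecorp.com", "exarnple-corp.com",
                  "example-corp.co", "example-corp.com.login-portal.net",
                  "ex\u0430mple-corp.com", "github.com", "exampel-corp.com"]
```

Running `flag_lookalikes(SAMPLE_SENDERS, "example-corp.com")` returns the six spoof candidates and leaves the organization’s own mail server and github.com unflagged.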

03. Create Pretext Scenarios

Artifice Security will use information gathered to create a pretext scenario that best fits your organization. Each pretext scenario is customized based on your company profile and what product or service it delivers, along with discovered research.

04. Exploitation Phase

For electronic social engineering, Artifice Security will send phishing emails to all employees in scope. Each phishing email is unique, which lets us determine which employee opened the email, which employee clicked the phishing link, and which employee submitted credentials. Each landing page is customized to your company and may mirror the authentic login pages of third-party services or a login page belonging to your organization.

For physical social engineering, our penetration testers will attempt to bypass physical controls and gain access to each in-scope facility. Consultants may use tailgating, piggybacking, lockpicking, door bypassing, and RFID cloning.

Electronic
  • Launch phishing emails that were pre-approved by your organization
  • Lure employees to a customized landing page that ties in with the created pretext
  • Capture credentials
  • Test external services using the captured credentials to show real-world risks

Physical
  • Detect gaps in physical security controls
  • Bypass doors, locks, security systems, and cameras
  • Clone RFID cards and use the data to create a new RFID card
  • Bypass security staff and employees
  • Gain access to sensitive areas of the facility such as the server room or other areas specified during the scoping phase

05. Reporting Phase

Artifice Security will gather all information about your organization and social engineering results during the reporting phase.

The report begins with an executive summary that gives a layman’s explanation of the steps performed and conveys the overall risk to your organization. In addition to a summary of results, we also provide a list of positive findings observed during testing. Next, the report explains how we determine criticality and risk for each vulnerability and how we rate the severity of each finding, so you can better understand what to prioritize for remediation.

Further in the report, we break down the social engineering results and steps in technical detail, including a summary of the finding, affected users, proofs-of-concept, and remediation steps.

In addition to the report, Artifice Security also provides you with a customer-facing report and attestation letter if needed.

  • Executive Summary that easily conveys risk
  • Vulnerabilities rated by criticality
  • Detailed walkthrough showing how we performed each social engineering step
  • Best practice remediation steps that are customized and realistic based on your current environment

FAQ

Frequently Asked Questions

What is the most common social engineering test that customers want?

According to statistics and current trends, phishing is the most common form of social engineering, with 56% of IT decision-makers saying targeted phishing attacks are their top priority. Therefore, we provide similar tests for our customers that mirror these real threats in a controlled and safe fashion.

On average, during phishing assessments we find that targeted users open more than 30% of phishing messages, and 12% of those users click the malicious link or attachment. As organizations continue their social engineering training, this number drops sharply on subsequent tests.

When you are performing phishing, what should we say to our staff if they call us about your phishing email?

We recommend having the employee report all the details of the phishing email and having your team respond as they normally would. We also ask that you not block the phishing domain we own until the assessment is complete. When performing phishing, we prefer to test all employees rather than a limited number, so that the percentage of employees vulnerable to phishing is an accurate statistic. This gives a better indication of where training is needed and how much.

What are the benefits of a social engineering assessment?

Employees are becoming a more common target for cybercriminals looking to gain access. If an attacker obtains a user’s credentials, they immediately have access to everything that employee can reach. Controlled spear-phishing attacks are used to assess staff security awareness, incident response, and the safeguards put in place to reduce the effect of a successful breach. The most effective way to validate that these safeguards work is to perform thorough social engineering assessments.

Which employees should be tested?

In an ideal situation, all of the employees should be tested. This way, we can give you a complete statistic on how many employees are vulnerable to social engineering.

There may be instances when specific workers cannot be included in a social engineering penetration test, but all remaining employees should be considered prospective targets. An attacker will seldom target all workers, because doing so raises the chances of being discovered. If there is a reason why all employees cannot be targeted, our social engineering penetration testing specialists will choose targets from the list to recreate these conditions.
