Social engineering techniques such as phishing and pretext calling are commonly used to obtain non-public information or unauthorized access to an institution’s information systems. Social engineering requires limited technical skills and can be performed with very limited resources.
Young & Associates, Inc. offers several options for evaluating and improving the effectiveness of your institution’s employee training program with regard to social engineering. Our consultants can perform a one-time phishing test or pretext calling test as part of a Vulnerability Assessment or IT Audit, or we can perform quarterly Phishing Training.
One-Time Phishing Test
For a one-time test, our consultants will send phishing emails in an attempt to manipulate employees into providing information about the institution’s customers and information systems. We will attempt to obtain sensitive information and/or unauthorized access to the institution’s information systems using the information provided by employees. Unauthorized access commonly includes access to employee email accounts, remote access to the network, or access to web-based applications.
Phishing Training Service
For ongoing information security training, we offer a quarterly Phishing Training Service. Unlike do-it-yourself services that require someone at your institution to develop their own phishing scenarios, send emails and monitor the results, our consultants do all of the work. We have already developed highly effective training scenarios specifically for financial institutions. Our consultants send the phishing emails, monitor the results, and provide a report of the results to your institution’s management team. As a result, your institution receives a customized phishing training program for your employees.
Pretext Calling Test
During this assessment, our consultants will place phone calls to a sample of employees in an attempt to manipulate them into providing access to the institution’s information systems. This test will evaluate the institution’s employee training program and vendor authentication procedures. During this testing process, our consultant will pose as a vendor of the institution and attempt to gain remote access to employee workstations.