Social Engineering Assessments

Category: Uncategorised
Published: Saturday, 22 October 2016 19:02
Written by Super User

Testing the Weak Link of any Security Program - its People

While necessary for any security program, technical assessments alone are an incomplete simulation of a real world cyberattack. Technology does not exist in a vacuum – people are the central component of any company process, and are often the primary gateway to sensitive data and processes.

Outer Orbit offers a range of expert-driven social engineering engagements for organizations looking to test their employees and the security policies that govern them. Whether traditional phishing (email), vishing (voice calls), or on-site assessments that attempt to gain entry to the physical building, we have trained experts at the ready.


Social engineering is a deceptive attack where an attacker attempts to persuade users into performing an action, such as providing a password or clicking a link.

While social engineering is typically assumed to be delivered via phishing emails, these attacks can come in many forms, including phone calls, SMS messages, social media, and even in-person interactions. Oftentimes these pretext techniques are enhanced with personalized information about the target – users are more likely to engage with an email that references details specific to them. This critical research phase is what differentiates simple automated phishing tools from professional social engineering.


Social engineering is a major aspect of many real-world cyberattacks. From highly targeted spearphishing attacks to phony IT support calls, hackers use a range of attacks aimed at employees to gain unauthorized access.

Identifying a lapse in user education must begin with fully understanding the problem. A social engineering assessment helps you:

Understand risk from social engineering attacks
Prepare and train users against similar attacks
Set priority of security training for employees
Identify the level – and sources – of public information

SOCIAL ENGINEERING EXAMPLE REPORT

Want more information before you reach out? Download our social engineering sample report and see the deep, targeted approach of our engagements. No automated email spamming tools here!

While this is our standard reporting template, we understand that each organization has unique needs and can tailor the reporting process to custom specifications.


More than just Automated Spamming Tools

Phishing Assessments

Outer Orbit’s phishing engagements go far beyond the automated tools found in many comparable services, providing highly targeted, sophisticated scenarios for each client. Using research on both the client organization and its employees, our security experts create campaigns that give the most accurate assessment of user education.

Vishing (Voice Call) Assessments

Vishing attacks use voice phone calls to similarly coax a user into performing an unauthorized action, such as providing sensitive information or downloading an untrusted file. While these attacks are less common in the wild, vishing can be more effective because the attacker can establish an immediate, personal connection with the target user.

On-Site Assessments

While less well-known than email or phone social engineering, Outer Orbit’s on-site assessments use specialized security professionals to perform engagements in person. Specific techniques include ‘baiting’ the area with infected USB drives, tailgating employees through locked doors, and creating fake company badges to gain access to sensitive areas.


As with technical assessments, Outer Orbit follows a structured series of steps in its social engineering campaigns to deliver consistent, repeatable assessments. This step-by-step format ensures consistency in key areas while providing flexibility in the specific pretexts and scenarios created. This customization helps ensure a successful, effective engagement.


1 – Information Gathering

Although often neglected by commercial services, information gathering is a critical phase and frequently determines the success of the rest of the social engineering campaign.

While many clients offer to provide basic employee data, we recommend starting with no information at all. This ‘black box’ approach better replicates the research process of live attacks and provides useful intelligence on what information can be found online – value that is lost when that information is simply handed over.

2 – Create Pretext Scenarios and Payloads

Once full enumeration of the client organization – and its employees – has been completed, focus turns to the pretext scenarios and payloads for the social engineers.

These details should answer the following questions:
Pretext scenarios – Which will raise interest / reduce concern?
Source information – Which domains/phone numbers are needed?
Validity – What else can be done to improve pretext legitimacy?
Payloads – What’s the target information/access to obtain?


3 – Engage Targets

Using the specified tactics and pretext, Outer Orbit’s assessors begin engaging the selected employees with the appropriate emails or phone calls. For on-site assessments, a series of tests begins, including tailgating users and ‘baiting’ with USB drives left in parking lots or other common areas. For advanced engagements – which can incorporate social media or SMS to build rapport – the first of multiple interaction stages begins.

4 – Reporting and Debrief

After completing the campaign and aggregating test results, the social engineering report is written, containing both an executive summary and specific engagement details. Remediation steps and training guidance are also provided, directing the client in resolving the training and policy issues identified.

Once the client’s team has reviewed the closeout report, a debrief meeting is scheduled, walking through the details and answering any questions.


5 – (Optional) Employee Education

As an optional addition to the standard assessment, Outer Orbit provides user training sessions for client employees. Whether delivered as a recorded online webinar or an in-house training session, we provide quality security awareness training – by the same experts who performed the original engagement!

Related Services:

Network Penetration Testing
Mobile App Assessment
Secure Code Review