Elliott Davis was asked: “We are concerned that our employees are susceptible to scams and may share critical company information or provide access to attackers. Can you complete a social engineering campaign to test our people?”
Context
- A developer, investor and owner of commercial properties throughout North America
- Wanted to establish a baseline of the company's security awareness
Our Approach
- Received a list of employee email addresses and phone numbers (white-box approach) and applied several Open-Source Intelligence (OSINT) techniques to build a profile of each individual, including:
  - LinkedIn to identify employee location, tenure, position and title
  - FastPeopleSearch for aggregated content on employees and the company
  - Dork Dump to find publicly accessible files on the company's website
- Created two campaigns, each built on a plausible pretext:
  - Convince the target to provide their organizational password and PIN
  - Convince the target to provide their password and MFA codes so the tester could log into their Outlook account
Customer Impact
- Received a detailed executive report on the results of the successful campaigns, including recommendations for remediation:
  1. Awareness training: never provide personal or sensitive information over the phone, and never disclose MFA codes
  2. Implement procedures to validate and verify the identity of callers and emailers
  3. Improve reporting of suspicious activity to IT
- The client is implementing the recommendations and improving the organization's overall security posture
We Can Help
For more information on how Elliott Davis can assist you and your business, contact a member of our team below.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.