#1546869 - 05/05/11 07:41 PM Social engineering testing in-house
FSBT
100 Club
Joined: Apr 2002
Posts: 109
What are some ways that I, as internal auditor, can conduct social engineering testing? Our bank is a small bank with no branches.
Last edited by FSBT; 05/05/11 07:42 PM.
#1546886 - 05/05/11 07:50 PM Re: Social engineering testing in-house FSBT
califgirl
Diamond Poster
Joined: Mar 2002
Posts: 2,355
The O.C., California
The first thing that comes to mind is to see if you can get an employee to give you their password.

"I'm the auditor and I need to test your password."
I can explain it to you. I can't understand it for you.

#1546924 - 05/05/11 08:14 PM Re: Social engineering testing in-house califgirl
Black & Gold
Junior Member
Joined: Aug 2008
Posts: 35
Dark Side of the Moon
A couple, hopefully, simple ideas.

Generate emails intended to lure individuals to a suspicious website designed for your specific engagement. For example, send a link to a sample of people to conduct a satisfaction survey. Use or something similar, by setting up an actual survey so you can see if employees actually respond. While this is a legitimate site, employees should know to be suspicious of hyperlinks in emails, particularly if employers have not notified employees of the upcoming survey.

Impersonation of people such as customers or vendors to gain information through telephone conversations with various personnel. For example, from an external phone, call various employees and impersonate a customer and try to obtain confidential information, or say you're a consultant working with IT and need to confirm certain settings on their computer (e.g. systems used, passwords to those systems, step them through finding the software version, service pack, and product ID information for key programs).

Also Google 'social engineering examples' and you'll be amazed at what you find. Have fun and good luck!
"Who would have thought that the thing that would save this company would be work. And pancakes." - Michael Scott-The Office

#1547017 - 05/05/11 09:56 PM Re: Social engineering testing in-house Black & Gold
HMS Pippii
Diamond Poster
Joined: Apr 2003
Posts: 1,636
snorkeling in warm, clear wate...
We had our IT guys set up an email that went to all employees, purportedly from the HR Officer, requesting that you fill out a form to update your personnel file. It also asked for your network log-in and user ID. Funny thing about filling out a random personnel form that appears legit - we had people that filled in their log-in and user ID and called after they hit the submit button to see why they needed to provide those pieces of info. "Um, you don't. Ever."

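Both lures described in this thread, the survey link and the personnel-file form that asks for a network login, come down to one piece of infrastructure: a landing page that can tell which employee clicked and whether they typed a password, without ever keeping the password. The block below is an added example and is not code from any of the posters; the landing host, the campaign secret and the employee addresses are assumptions. Each recipient gets an HMAC-derived token in their link, so a result can be tied to one person and nobody can forge a colleague's click; a submitted password is reduced to a yes/no flag before anything is recorded, and the submitter is shown a debrief page immediately.

```python
"""Phishing-simulation tracker for an in-house social engineering test.
Added example, not code from the posters above. Host, secret and
addresses are assumptions; the form mimics the personnel-file lure and
deliberately discards any password typed into it."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac
import html
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

LANDING_URL = "https://survey.example.com/personnel"             # assumed host
CAMPAIGN_SECRET = b"replace-with-a-fresh-random-secret-per-test"  # assumed


def make_token(email: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Per-recipient token, an HMAC of the address: unguessable, so a click
    maps to exactly one employee and cannot be forged for someone else."""
    mac = hmac.new(secret, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def lure_link(email: str) -> str:
    """The link that goes into this recipient's lure email."""
    return f"{LANDING_URL}?t={make_token(email)}"


def parse_form(body: str) -> Dict[str, str]:
    """Decode a form-urlencoded body, keeping the first value per field."""
    return {k: v[0] for k, v in parse_qs(body).items()}


@dataclass
class Result:
    clicked_at: Optional[datetime] = None
    submitted_at: Optional[datetime] = None
    entered_credentials: bool = False   # whether a password was typed, never which


class Campaign:
    def __init__(self, recipients: List[str]) -> None:
        self.by_token = {make_token(r): r for r in recipients}
        self.results = {r: Result() for r in recipients}

    def record_click(self, token: str) -> bool:
        email = self.by_token.get(token)
        if email is None:
            return False                 # unknown token: no record created
        r = self.results[email]
        if r.clicked_at is None:
            r.clicked_at = datetime.now(timezone.utc)
        return True

    def record_submission(self, token: str, form: Dict[str, str]) -> bool:
        """Log that the form came back. Only the fact that a password was
        entered is kept; the value is dropped here and never written out."""
        email = self.by_token.get(token)
        if email is None:
            return False
        self.record_click(token)         # a submit implies a click
        r = self.results[email]
        r.submitted_at = datetime.now(timezone.utc)
        r.entered_credentials = bool(form.get("password", "").strip())
        return True

    def summary(self) -> Dict[str, int]:
        rs = list(self.results.values())
        return {"recipients": len(rs),
                "clicked": sum(1 for r in rs if r.clicked_at),
                "submitted": sum(1 for r in rs if r.submitted_at),
                "entered_credentials": sum(1 for r in rs if r.entered_credentials)}


FORM = ("<h2>Personnel file update</h2><form method='post'>"
        "<input type='hidden' name='t' value='{token}'>"
        "Network user ID <input name='user'> "
        "Network password <input name='password' type='password'> "
        "<input type='submit' value='Submit'></form>")
DEBRIEF = ("<h2>This was an internal security test</h2><p>Nobody at the bank "
           "will ever ask for your password by email or web form.</p>")


class LandingHandler(BaseHTTPRequestHandler):
    campaign: Campaign                   # set before serve_forever()

    def _send(self, page: str) -> None:
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.end_headers()
        self.wfile.write(page.encode())

    def do_GET(self) -> None:            # lure link clicked
        token = parse_qs(urlparse(self.path).query).get("t", [""])[0]
        self.campaign.record_click(token)
        self._send(FORM.format(token=html.escape(token, quote=True)))

    def do_POST(self) -> None:           # form submitted
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_form(self.rfile.read(length).decode())
        self.campaign.record_submission(form.get("t", ""), form)
        self._send(DEBRIEF)              # teach on the spot; nothing sensitive kept


if __name__ == "__main__":
    LandingHandler.campaign = Campaign(["alice@bank.example", "bob@bank.example"])
    for addr in LandingHandler.campaign.results:
        print(addr, "->", lure_link(addr))
    HTTPServer(("127.0.0.1", 8080), LandingHandler).serve_forever()
```

Run it, mail each address its `lure_link`, and read `summary()` at the end of the window: clicked versus submitted versus entered-a-password is the split an auditor wants to report. Because the password never leaves `record_submission`, the campaign log can be handed to management without becoming a credential store, which matters when the tester is the internal auditor rather than IT.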
Moderator:  Andy_Z