Social engineering is the art of working methodically with people. We use this art to prepare you for possible social engineering attacks, which can take place through various mediums and forms. Therefore, our services in this field are just as diverse.
The common feature of these assessments is to be in detailed agreement with the goals and non-goals, as well as constraints of the assessment for the protection of the employees. Since these tests are designed to find new security breaches, a definite non-goal is to attach possible wrongdoing during the assessments to individuals. We are strongly opposed to negative consequences for individuals coined from an assessment. Therefore, we censor content and imagery as much as possible and are in support of a transparent and fair review of the results.
A good starting point for the project planning is already existing training material of your company. Building on these we can design the assessments according to realistic current threats and incorporate your instructional material to foster awareness.
Targeted Phishing Assessments
For this assessment we develop scenarios which are based on risk trends and your personal requirements to get the most out of training your personnel.
This can include general texts or e-mails tailored to your company or groups of individuals within your company (spear phishing). Depending on the requirements the e-mails will include links and/or attachments with code prepared by us. Every assessment is unique and custom-fitted to your induvial needs.
Testing Technical Phishing Protection Measures
In this assessment we challenge your technical protection measures to see if they provide adequate protection against phishing e-mails. We thoroughly test your spam filter, antivirus solutions on the e-mail gateways and clients, endpoint protection software as well as data leakage prevention software.
Voice Phishing Assessments
With the rise of faked telephone calls to convince people to give out information or install malware, it is important to prepare employees for such attacks. We train your employees with fake caller IDs, fake phone numbers and AI-generated voice imitation for such attack scenarios.
CEO Fraud Simulations
CEO fraud describes attacks which target employees by impersonating management personnel and pressuring them into transferring money onto unknown bank accounts. Depending on your means of communications this simulation includes several social engineering tactics and mediums, like e-mail, WhatsApp, MS Teams or phone calls.
USB or Media Dropping
USB devices and even USB cables can contain malware. With this assessment we train your employees’ reaction to unaccounted devices or mediums, such as CDs or USB sticks, and help them understand the dangers of such finds.
Mystery Guest / Physical Awareness Engagements
As so-called mystery guest we visit your company and will try to reach the goals agreed upon with you, like getting access to internal information or IT systems without using specific hacking or physical attacks. The focus lays on social engineering and the security awareness of the employees, especially towards external people. During the assessment we will become more noticeable over time until we are discovered. This allows for an insight on the measurements which are already well implemented and internalised by the employees and offers a positive learning effect for everyone involved at the end.
We were very happy to visit DEFCON in Las Vegas, NV, USA in August 2023 for the first time! DEFCON is an annual event which attracts up 30,000 attendees interested in the fields of Physical Secur...
Our team has grown and we are happy to welcome three new employees to our pentesting team. With their help, it is easier for us to respond to the many project requests we’ve had and we hope to be able...
Treasury on Tour is an event by Schwabe, Ley & Greiner to bring together the leading heads of treasury with high-grade lectures, discussions and the possibility to network. HACKNER Security Intell...
To gain access to the internal network in a social engineering assessment, we first had to gain access to the company building. So we developed the following scenario and realized it:
An employee of ours, dressed up in suit and tie, waited for their cue word in front of the company building. A second employee, out of sight, called the front desk with a faked supervisor number: "The supervisor has a very important meeting but the customer is late. When the customer arrives, they need to be let through as quickly as possible."
The first employee of ours now ran stressed to the front desk, had no need to say much more and was allowed to pass without a control. The result: Free movement within the building!
The starting point with this project was access to an office building. Despite existing security measures, it was possible to obtain public information online about the company's dress code and ID card design.
By adjusting the clothing style and creating similar ID cards, tailgating was possible without problems. After entering, the testers were able to move around the entire building undisturbed, where they found unsecured network ports and ID cards.