Social Engineering

Evaluate the human element in data protection

The term “social engineering” has been used for years by hackers to describe the technique of using persuasion or deception to gain access to information systems. Such access is typically obtained through human conversation or other interaction. The medium of choice is usually the telephone, but the approach can also be delivered via an email message, a television commercial, or countless other media that provoke a human reaction. Consider a floppy disk or CD labeled “Payroll” and left in a hallway or restroom within an organization. The media carries malicious code. Would anyone in the organization insert it into their computer and access the contents?

Foundstone performs the type of social engineering most appropriate for your organization. Our methodology mirrors our approach to security assessments. We begin with target identification and information gathering, followed by exploitation attempts. We systematically apply these principles in a customized approach that depends on the objectives of the particular situation.

Key Benefits

  • Identifies weaknesses within the organization
    Foundstone takes a customized approach to the security assessment methodology.
  • Measures the effectiveness of your security awareness programs
    Are your users security aware and focused on protecting your organization’s IT assets?
  • Provides next-step recommendations
    Deliverables include a Social Engineering Technical Report, an Executive Summary, and a half-day workshop with a Social Engineering Presentation.

We work closely with our clients to define the test scenarios. The test scenarios are tailored to specific policies and processes within their organization. Some organizations may have incident response procedures in place for reporting suspicious phone calls. Foundstone can test these procedures by making obvious attempts to obtain confidential information without proper authorization. This is an excellent way to test the effectiveness of a security awareness training program, or to lay the foundation for creating such a program.

Three common attack vectors include:

  • Phone calls to individuals within the organization. These will normally include the help desk and specific individuals who are identified as critical company personnel.
  • Carefully crafted phishing emails targeting specific groups or individuals, which attempt to coax information from the recipient.
  • A floppy disk or CD with malicious code and an enticing label, such as “Payroll” or “Quarter-end Preliminary Results,” that is left in a hallway or restroom at specifically targeted locations.

Regardless of what type of social engineering testing is performed, upon completion we will provide a detailed report about the policies tested and the results of each attempted breach.