Social Engineering Penetration Testing

It is generally acknowledged that that employees represent your greatest information and cyber security risk.  Many data breaches are internal rather than external and are caused by employees who have been negligent, careless, or unaware of security policies and Internet-related threats.  One of the biggest threats are social engineering and phishing attacks, i.e., fraudulent attempts by malicious hackers to get users to divulge sensitive information or click on links etc.  Naturally, the potential impact to the organisation of users clicking on unknown links and providing confidential information could be extremely damaging.  In order to establish how susceptible users are to responding to such risks, URM is able to simulate a targeted social engineering attack.  

URM has developed an effective methodology aimed at determining and measuring user awareness and vigilance to phishing attempts and processing of incoming third-party emails.  Working closely with sponsors from your organisation, we will develop micro websites and a campaign of orchestrated emails aimed at inducing users to open the email, click on a link and provide sensitive information e.g., passwords.  When developing the micro websites and emails, URM is highly proficient at imitating the intended email/website and evolving and modifying the campaign as users begin to interact with the emails, looking to exploit a range of human emotions, e.g., fear, greed, urgency, helpfulness and curiosity.  

At the end of the exercise, through the use of our tracking software, we are able to report back on the number of users who potentially exposed the organisation to the risk of a data breach or to malicious software.  Once completed, the results of the exercise can then form a very powerful component of any staff awareness programme. By referring to the actions of personnel from the actual organisation, cyber risk is no longer an abstract term but something users can practically relate to.  Having been involved in numerous social engineering campaigns, URM has found such exercises to be effective in not just raising awareness but in changing behaviour.

Why URM?

Tailored Solutions

Every social networking exercise URM conducts is totally tailored to your organisation.  Working with sponsors, we will aim to understand particular concerns, threats or issues and develop fully customised campaigns.  In terms of recipients of emails, this can again be the whole organisation or specific functions or departments.  In addition to cyber-related exercises, URM is also able to develop physical and telephone-based social engineering exercises, e.g., imitating members of the IT Department and asking users to reveal confidential information.

Getting the Balance Right

Getting the balance right is absolutely central to the success of any social engineering campaign.  For example, when coming up with microsites and emails in a phishing exercise, it is important to produce something which has a similar look and feel whilst including a number of ‘give away’ discrepancies (e.g., domain names, spelling errors) that should be picked up the users.  URM is highly skilled at achieving the optimum balance in this respect.

URM is also conscious of the need to develop effective and challenging exercises but at a reasonable cost and working to a specific budget.

Data Protection Considerations for Artificial Intelligence (AI)

Latest update:
12 Apr

URM’s blog discusses the data protection considerations for utilising AI technologies, and how organisations can stay GDPR compliant in their use of AI.

Read more
Thumbnail of the Blog Illustration
Business Continuity
How to Develop a Robust Business Continuity Plan

URM’s blog discusses the key steps to take in order to develop robust and effective business continuity plans which will enable you to recover from disruption.

Read more
Thumbnail of the Blog Illustration
Cyber Essentials
I’ve Got my Cyber Essentials - Now What?

URM’s blog discusses the best next steps your organisation can take following Cyber Essentials certification to further enhance its security posture.

Read more
Thumbnail of the Blog Illustration
Data Protection
The Data Protection and Digital Information Bill No.2

URM’s blog discusses the Data Protection and Digital Information (DPDI) Bill, how it will diverge from the current GDPR, and the impact it may have when passed.

Read more
URM's diligence during these audits has resulted in the business as a whole pulling together to collectively ensure that we up to par with the requirements. While our working relationship with URM’s consultant is fantastic, we are held to account for every bullet point of every requirement on every audit, which is precisely what we expect. The consultant’s efforts in ensuring that our PCI compliance is audited correctly is highly appreciated, as it gives the company an accreditation that we can be proud of and that we can show off to existing and prospective customers as proof of our security posture. A huge thank you to URM for providing such a valuable service.
Open Banking Platform
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.