

A Guide to Performing Internal Social Engineering Testing

Social engineering can be defined as the art of exploiting the human in order to gain access to a network, system, or valuable information. Social engineering comes in many different forms: it can be performed via email, over the phone, or even in person. The different varieties of social engineering used by scammers can make training employees effectively a difficult task.

To protect the business from these types of threats, organizations need to make sure their employees are properly trained in identifying and preventing a social engineering attack. Training is a great way to inform employees of the policies the organization has implemented and to walk through some of the new and common social engineering methods that are being used every day against all types of people.

Unfortunately, providing employees with regular training does not necessarily mean that employees are properly equipped to identify or mitigate a social engineering attack by the end of the training. You can tell an employee not to plug unknown devices into their workstation, but who’s to say a USB drive with an interesting label doesn’t overwhelm their curiosity?

So how do we really ensure our employees are knowledgeable enough to identify and mitigate a social engineering attack? The quick and easy answer is to test your people.


Testing Your Employees

While there are ways to make your training more impactful, such as shifting from simply focusing on employee do’s-and-don’ts to discussing the impact of their actions, the only real way to ensure your training is working is to actually put your employees to the test.

Social engineering testing allows you to see where your employees are weakest, while simultaneously giving them the opportunity to get real-life experience with threats such as phishing emails or pretext phone calls. The testing results will clearly show management where their greatest human weakness lies and what needs to be the focus of additional training.

The issue with social engineering testing is that it can get expensive to have a company perform employee testing regularly throughout the year. However, testing more than once a year has proven to be a beneficial way to keep employees alert and hold them responsible for their actions. Since hiring a third party for regular testing throughout the year is not an option for everyone, let’s go through some options for performing your own internal social engineering testing to bridge the gap between those annual third-party tests.


Option #1 – Dumpster Diving

Perhaps the easiest, yet least appealing, test to perform may be a good place to start. Dumpster diving is a test that takes very few resources and little time, yet it can be a great way to test employee compliance with sanitation and disposal guidelines.

All that needs to be done to perform your own dumpster diving test is to go around the building and gather trash at all or selected locations. Don’t worry; you do not have to wait for it to end up in the dumpster outside to achieve the desired result. Grabbing trash before it makes it to the dumpster is also a good way to mark where each bag came from, giving management the opportunity to have one-on-one follow-up training with non-compliant employees.

Remember, if it’s in the trash outside, anyone can get to it. That includes employees, competitors, potential attackers, or even the local news crew looking for a story (we’ve seen this happen).

Items to look for include anything that violates the sanitation requirements. Examples may include:

  • Hand-shredded Checks
  • Hard Drives
  • Credentials
  • Social Security Numbers
  • Customer Information
  • USB Drives
  • Confidential Internal Information


Option #2 – Pretext Phone Calls

Pretext phone calling is another option that can be used to test employees, specifically regarding how good your employees are at protecting information while on the phone. This type of testing might take a little more preparation than dumpster diving, but it can still be a surprisingly easy test to build out.

First, start by gathering relevant information. Since this is an internal test, you will likely have more information on hand than a typical third party performing the test, including direct phone numbers, names, and job titles. However, to add a little realism into the test, you can use the information you are able to find on the internet through some simple searching.

For example, if you are testing employees to see if they are giving out customer information without properly confirming the caller’s identity, look up some public information on an existing customer. See what is available online and use that information to try to convince employees to hand over some bank account information for that customer. Gathering publicly available information is important for the follow-up conversation you have with employees who fail the test. Showing employees how easy it was to find the information that was used can have a significant impact on how they handle future interactions with callers.

The next step is to build your story, which is the “pretext” part of a pretext phone call. The pretext is essentially your script. You do not have to have a word-for-word conversation prepared, but you do want to have your (or rather, the impersonator’s) story down ahead of time to convince the employee to give out information while ignoring the correct procedure. You want your explanation to be natural. Also, make sure to note your goals before you begin the pretext. Have the information you’re aiming to receive figured out, but if everything is going smoothly (from your end), you can always try to escalate to get more information if the target is willing. Treat the test as a bad guy would and see what information you can get.

Finally, fine-tune your approach. A common method for social engineers to incorporate in their phone call is a spoofed phone number. You do not want improper area codes, phone numbers, or even your name and personal cell number popping up when impersonating a person or company. Employing a phone number spoofing application, website, or service may be crucial to the success of your test. The good news is that spoofing services are not difficult to find. They are littered throughout the app store for any make of smartphone, and there are also spoofing tools available for your computer. Simply search your app store of choice or do an internet search for “caller ID spoof” or “phone spoofing.” Some of these tools even have built-in voice changers, which can be especially beneficial for smaller organizations, where employees would otherwise be more likely to recognize the tester’s voice during a call. A few popular spoofing tools include Spoofcard, Spooftel, or Spoof My Phone, but be sure to do a bit of research on any tool you use or app you download. Some social engineering or “hacker” tools may not be reputable or might include some unwanted features, like malware or data collection.

Note that as you perform your own calls using the steps highlighted above, it may not seem natural at the start. Perfection is not necessary at the beginning. Practice makes perfect, and the more you perform these types of tests, the better you will get. And remember, the goal is to TEST your employees, not trick them. You want to allow your employees the ability to succeed and learn while also continuing to increase the difficulty of the test.


Option #3 – Phishing Emails

The third option may not be the easiest option to build out yourself, but it’s probably the most important aspect of testing. Phishing is by far the most common and successful form of social engineering, which means it’s also the most dangerous for businesses. The good news here is that because of its widespread impact, we have more options than for any other type of social engineering to help us with testing.

There are inexpensive business tools made available by companies such as KnowBe4 to help you perform your own phishing tests using templated or customized emails, while also offering additional training created by experts in the field. Adding in some automation really helps with phishing, as it is incredibly beneficial for employees to see these tests regularly. Using tools such as KnowBe4’s phishing tool allows you to send these out as often as you would like with very little administrative work. Not to mention the added value of the additional training material, which is incredibly useful for follow-up training.

In addition to KnowBe4, there are a number of other tools to consider when looking to perform your own phishing tests:


The Follow-up Is The Most Important Step

It is important to remember that there will inevitably be failures when testing employees. This is why social engineering testing is so useful – it allows your organization to identify weaknesses and plan to make improvements. Follow-up discussions with employees, both those who passed and those who failed, are perhaps the most important part of your testing.

The key to your follow-up is to make sure employees know what they could have done better and encourage questions. As mentioned above, the goal of social engineering testing is to help your employees improve your defenses, not to trick them or scare them into submission. Scaring employees into hiding failures is a way to miss actual attacks or mistakes, whether it’s a suspicious attachment that was downloaded or a suspicious link that was clicked. If employees are afraid to say something, the attachment they downloaded and opened could lead to your entire network being breached simply because it was not reported, and you did not have the opportunity to respond.

There’s a fine line between scaring employees and holding them accountable, however. Holding employees accountable is something that is absolutely necessary. You do not want to put the business and its customers at risk simply because someone does not care or could not be bothered to pay attention during training. For some ideas on how to hold your employees accountable for social engineering test results without scaring them into hiding their mistakes, check out our previous article on Accountability.

Make sure you focus your testing on helping employees learn and provide them with the tools to improve. Your employees can be your greatest weakness or a strong first line of defense. If you equip them properly, you will be surprised by how dedicated to the task they can actually be.


Written by: Cole Ponto
Information Security Consultant - SBS CyberSecurity, LLC

SBS Resources:

  • {Service} Social Engineering: Social engineering is the simplest and most common way that cybercriminals gain access to confidential information. Hackers know it is much easier to convince a human to break the security rules they are asked to follow than it is a programmed firewall. The goal of Social Engineering testing is to train and educate employees to be the first line of defense.
  • {Cyber Byte Video} Understanding the Impact of a Cyber Attack: A common misconception is that small businesses have a lower risk of being the target of a cyber attack than large corporations. In reality, according to the 2018 Verizon Data Breach Investigations Report, 58% of malware attack victims are categorized as small businesses, making them the largest target for cybercriminals. This video will cover how modifying employee security awareness training to include an understanding of exactly how one click can drastically impact a small business will help enforce training and increase effectiveness.
  • {Blog} Holding Your Employees Accountable: If you believe that people are your greatest security weakness, then you likely test employees on a regular basis to spot phishing emails, follow proper protocols when “vendors” show up at the door unexpectedly, or keep confidential information safe. What steps are taken after an employee fails?



Posted: Wednesday, March 13, 2019
Categories: Blog