Security Assessment

Assess Your Risks

January 22, 2019 (updated August 23rd, 2025)

We talk a lot about phishing, vishing, smishing, and impersonation here at SECOM, and there is a good reason for that: those are the primary services we provide to our clients. Not all clients use all of our services, and some companies don’t use any of them, for a multitude of reasons. Maybe they use another company to test these attack vectors, maybe they use an internal team, and some don’t test them at all. Regardless of your company’s choice, it is important, at a minimum, to understand and assess your company’s risks when it comes to social engineering attack vectors.


How Do We Assess Client Risks?

One aspect is common to all our services, and that is open-source intelligence (OSINT) gathering. We perform this task as the first step in any engagement to get a clear picture of our possible targets and of how an attacker would approach them, so that the engagement really tests their resilience to SE tactics.

Although we use OSINT as part of every engagement, we also offer standalone OSINT projects in a product we call the Social Engineering Risk Assessment (SERA). In these projects, we spend a notable amount of time researching selected targets and produce a detailed report of the information we were able to find in the time allowed. Top executives of large companies often find it enlightening to see how much information is publicly accessible if an attacker decided to target them.

We comb through social media, various forms of public records, and details about friends, family, vehicles, and real estate. The scope of these assessments is to gather any and all data available in the time allowed for our testing.

Depending on the client’s wishes, we can even leverage the discovered information in a very specific and personalized simulated attack, to test the targeted user’s resilience to phishing or vishing by a determined attacker. This is how we assess a company’s risks for its selected targets.

Who Should Get These Assessments

CxOs should not be left out of security testing, whether because of the sensitive nature of their work or to avoid the risk of embarrassment if they fall victim to an attack. A true picture of a company’s risk cannot be evaluated without testing these high-value users, since they are often targeted by real attackers because of the access they have and the roles they play in a company.

Additionally, any high-value user in your company could benefit from SERA-like engagements: IT staff, accounting, human resources. All of these users have access to vast amounts of data that is valuable from an attacker’s perspective.

Once you know what information is out there and available, your targets will already be aware that anyone can know it when an attacker tries to use it against them. Since personal information, or jargon commonly shared among friends, tends to build rapport quickly, simply knowing that anyone can see that information adds another layer of critical thinking that may prevent a data breach.

So, whether you test your users yourself, have a whole team, or use an external company, it is vitally important to know what’s out there and to assess your risks as a company. You can’t protect what you don’t know about, so learn everything you can, any way you can, and be that much more secure.

If you are interested in learning how to perform SERA-like assessments yourself, we also offer training on the subject. 

Sources:
https://www.social-engineer.com/social-engineering-risk-assessments-sera/
https://www.cio.com/article/3247428/security/safeguarding-your-biggest-cybersecurity-target-executives.html
https://www.social-engineer.com/training/practical-open-source-intelligence-for-everyday-social-engineers/
Image: https://i-sight.com/resources/101-osint-resources-for-investigators/ 
