
How Process Complexity Enables Social Engineering in Fortune 100 Companies

Across the board, Fortune 100 companies invest heavily in security controls. Yet social engineering attacks still make the news on a weekly basis, and your own personal information may well have been part of a past breach. Why does this keep happening when so much focus is placed on security?

That question, and how to protect your company from these attacks, are what we will discuss in this article.

Why Social Engineering Attacks Succeed in Fortune 100 Companies

Large enterprises are built around many established processes that help things run smoothly. However, business realities often force deviations from those processes. Attackers know this and use the exceptions to their advantage.

In addition, these processes typically span multiple teams, which means ownership of many processes is fragmented. Often, no single owner validates a request end-to-end. You may have experienced this when calling your bank or healthcare provider: it isn’t uncommon to be transferred several times during one call. That happens because the process spans more than one team, so each team must hand you off according to its own procedures, and each handoff trusts that the previous team did its part.

Attackers exploit those perceived prior approvals and handoffs, at times claiming they already received approval from “someone else,” whether that is IT, HR, a manager, or anyone else with apparent authority.

Urgency Overrides Skepticism in Complex Enterprise Environments

Along with exploiting established process gaps, attackers often rely on influence techniques. One such technique is urgency: they embed added time pressure into a system that is already under pressure.

Many companies reward employees for speed and penalize delay. While this makes sense on a surface level, at a more granular level it creates security risk. Attackers manufacture urgency that is tied to real business events, which lends a sense of legitimacy to their pretext.

For example, let’s say an attacker is able to gather information on an upcoming merger. Two separate companies, each with its own set of complex policies, coming together is a huge shift for both, and it creates many opportunities for attackers to wedge their way in. The attacker could call in, claim they have already been transferred several times, drop a name or two gathered from OSINT, and say they really need to complete X by Y time because of the merger deadlines. On its own this may not seem enough to bypass a process, but a real event like a merger, combined with urgency and perceived legitimacy, can lead even security-minded people to give away information they normally wouldn’t.


How Attackers Exploit Process Knowledge and OSINT

We touched on attackers’ preparation above; let’s look a little closer. Attackers often use OSINT to study their target’s organizational structure and terminology. This can be collected online, or even by calling in and gathering a little information at a time: a system name, a validation procedure, even what kind of uniforms employees wear. Armed with that, they blend into the environment and don’t stand out. When it comes down to it, familiarity really does lower suspicion. If I think I know you, or that you work for the same company, our rapport immediately increases. Smart attackers know this and use it.

Why Traditional Security Controls Fall Short Against Social Engineering

There are more reasons than those we have covered that explain why traditional controls fall short. At its baseline, though, one reason is that employees trust the established process once its checks appear satisfied. The really successful attacks blend right into normal day-to-day operations. The technical security tools in place, while necessary and effective to an extent, validate steps, not intent: each control confirms that its own box was ticked, and none of them asks whether the person at the other end of the line should be making the request at all.
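To make the two points above concrete, the fragmented handoff where “someone else already approved it” is taken on faith, and controls that validate steps rather than the whole request, here is an added example. It is not code from this article or from Social-Engineer, LLC; the three-team approval chain, the request IDs, the callers, the actions and the signing key are all constructed for the illustration. The fragmented version accepts the caller’s claimed prior approvals; the end-to-end version ignores claims and verifies each prior approval against a record that the approval system signed with an HMAC bound to the request ID, so a claimed, forged, or replayed approval all fail.

```python
"""Added illustration: trusting claimed prior approvals vs. verifying an
end-to-end approval chain. Team names, requests and key are constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo key. In a real system only the approval service holds it;
# neither the requester nor the phone agent can mint tokens.
APPROVAL_KEY = b"demo-approval-key-not-for-production"

# The handoff chain a request must pass through, in order (assumed for the demo).
REQUIRED_CHAIN = ["helpdesk", "manager", "it_security"]


@dataclass
class Request:
    request_id: str
    requester: str
    action: str
    # What the caller *says* happened ("IT already signed off on this").
    claimed_approvals: list[str] = field(default_factory=list)
    # What the approval system actually recorded: step -> (approver, token).
    recorded_approvals: dict[str, tuple[str, str]] = field(default_factory=dict)


def approval_token(request_id: str, step: str, approver: str) -> str:
    """HMAC over (request, step, approver): a record cannot be forged, and a
    genuine record cannot be moved to a different request, without the key."""
    msg = f"{request_id}|{step}|{approver}".encode()
    return hmac.new(APPROVAL_KEY, msg, hashlib.sha256).hexdigest()


def record_approval(req: Request, step: str, approver: str) -> None:
    """Performed by the approval system itself, never by the caller."""
    req.recorded_approvals[step] = (approver, approval_token(req.request_id, step, approver))


def fragmented_step(req: Request, step: str) -> bool:
    """The failure mode: the team handling `step` accepts the caller's word
    that every earlier team already approved."""
    prior = REQUIRED_CHAIN[: REQUIRED_CHAIN.index(step)]
    return all(p in req.claimed_approvals for p in prior)


def end_to_end_step(req: Request, step: str) -> bool:
    """Hardened form: every earlier step needs a recorded approval whose token
    verifies for *this* request. Claims are not consulted at all."""
    prior = REQUIRED_CHAIN[: REQUIRED_CHAIN.index(step)]
    for p in prior:
        rec = req.recorded_approvals.get(p)
        if rec is None:
            return False
        approver, token = rec
        expected = approval_token(req.request_id, p, approver)
        if not hmac.compare_digest(token, expected):
            return False
    return True


def attacker_scenario() -> tuple[bool, bool]:
    """Vishing call to IT security: 'helpdesk and my manager already approved
    this, I've been transferred three times, the merger deadline is today.'
    Nothing was ever recorded. Returns (fragmented result, end-to-end result)."""
    req = Request("REQ-1001", "a.smith", "reset MFA", claimed_approvals=["helpdesk", "manager"])
    return fragmented_step(req, "it_security"), end_to_end_step(req, "it_security")


def forged_record_scenario() -> bool:
    """An attacker who can edit ticket text but lacks the key pastes in fake
    approval records; the tokens do not verify."""
    req = Request("REQ-1002", "a.smith", "reset MFA")
    req.recorded_approvals["helpdesk"] = ("helpdesk.bot", "0" * 64)
    req.recorded_approvals["manager"] = ("j.doe", "0" * 64)
    return end_to_end_step(req, "it_security")


def replayed_record_scenario() -> bool:
    """Genuine approvals copied from another request do not carry over,
    because the request ID is bound into each token."""
    legit = Request("REQ-2000", "b.jones", "reset MFA")
    record_approval(legit, "helpdesk", "helpdesk.bot")
    record_approval(legit, "manager", "j.doe")
    copied = Request("REQ-2001", "a.smith", "reset MFA",
                     recorded_approvals=dict(legit.recorded_approvals))
    return end_to_end_step(copied, "it_security")


def legitimate_scenario() -> bool:
    """The real process: each team records its approval before handing off."""
    req = Request("REQ-3000", "b.jones", "reset MFA")
    record_approval(req, "helpdesk", "helpdesk.bot")
    record_approval(req, "manager", "j.doe")
    return end_to_end_step(req, "it_security")


if __name__ == "__main__":
    print("attacker (fragmented, end_to_end):", attacker_scenario())
    print("forged record accepted:", forged_record_scenario())
    print("replayed record accepted:", replayed_record_scenario())
    print("legitimate accepted:", legitimate_scenario())
```

The design choice that matters is where the trust lives. In the fragmented model the only evidence of a prior approval is the caller’s story, so a convincing pretext is all it takes. In the end-to-end model the evidence is a record that only the approval system could have produced for that specific request, which is exactly the kind of check a phone agent under time pressure cannot be talked out of: either the record verifies or the request waits.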

Reducing Social Engineering Risk in Fortune 100 Organizations

A well-rounded security program needs more than this. Organizations that are heavily targeted, such as Fortune 100 companies, must implement more robust measures. Social-Engineer, LLC helps organizations move beyond standard process checks toward measurable risk reduction. Through realistic testing, targeted assessments, and behavior-focused education, Social-Engineer, LLC helps Fortune 100 companies understand how employees respond under pressure, where human risk truly exists, and how to strengthen defenses before an incident exposes those weaknesses.

For more information on how we can help you protect your organization, reach out to us via our website, or look at the free resources we publish each month to help you start on the path toward robust security controls.

Written by
Shelby Dacko
Human Risk Analyst, Social-Engineer, LLC

Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However they tend to use robo-callers or call centers for large volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.