some suggestions on Social Engrg tests

Posted on 2016-08-16
Medium Priority
Last Modified: 2016-08-17
Need some suggestions on some SOcial Engineering tests, esp ones for banking environment
Question by:sunhux
LVL 37

Assisted Solution

bbao earned 1000 total points
ID: 41757750
basically for banking environment a social engineering test is intended to manipulate bank staff into allowing unauthorised access to confidential information including customer profiles and transactions as well as business secrets of the bank. this aims to test the bank's security policy and their staffs adherence to that policy.

therefore some key points for the testers:

1. obtain the authorisation in writing from the management before doing anything.

2. make sure no bank staff (except the management) acknowledges the test. it should be a pure blind test, in order to check the actual conduct of bank staff and their procedures in use.

3. have a good understanding about the bank's business model, team structure, people and culture. this is very important for onsite and remote employee impersonation.

4. have well predefined scenarios and stories to make sound excuses or exceptions to bypass the bank's policy.

5. cover both onsite and remote engagement tests. be aware remote tests can be via phone calls, email phishing and third-parties.

6. details matter. make sure every little thing looks like real though probably everything is fake, from accent to uniform and from email wording to story telling.
LVL 66

Accepted Solution

btan earned 1000 total points
ID: 41758003
For banking specific, should have test on phished email revolving the context on
- Beware of Ransomware telling to install AV or special helpdesk service or mobile apps  
- Detecting Transaction Fraud such as increase limit or adhoc transfer from personal account,
- Identify CEO Fraud on authorisation,
- Identify HR or Finance Urgent Fund transfer,
- Reveal Red flag on online pay scheme like paypal asking account changes
-Verify Sensitive information for relogin to confirm of transfer originate from true source
- Verify Mobile PIN received on smartphone or token in web page link

Cjheck out more templates - https://blog.knowbe4.com/new-knowbe4-phishing-templates-a-summary-7/30/2016

Featured Post

Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

The article explains the process to deploy a Self-Service password reset portal I developed a few years ago. Hopefully, it will prove useful to someone.  Any comments, bug reports etc. are welcome...
Data security in the cloud is very much like a security in an on-premises data center - only without costs for maintaining facilities and computer hardware.
The goal of the tutorial is to teach the user how to make an account for Skype and brief over view of all the options. There are three parts in this series.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

621 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question