At SPI, we know that frequently the biggest security “holes” involve the human aspect of business – namely, employees knowingly or unknowingly divulging confidential employer information which could compromise the security of the client network and corporate environment. We have designed a two-part strategy for our clients, Email and Onsite Social Engineering, to investigate and correct this problem.

Email is a powerful social and business tool, but one frequently abused or misused by employees. Often the security breach is not malicious but the result of carelessness or an honest mistake. Our intent is to email targeted personnel and attempt, through that email contact, to get them to divulge bank information, customer information, etc. to our investigator. We work through several attempts, noting all actions and reactions of the targeted person, along with our line of inquiry and the methods used to elicit sensitive information from them.

The remote Social Engineering engagement involves manipulating the organization's staff by telephone or email in an attempt to get employees to divulge user names, passwords, customer NPPI or other confidential information.

The remote engagement techniques typically include:

  • Pretext Calling
  • Phishing
  • Email Hoaxes

The remote engagement tests for the following vulnerabilities:

  • Privacy Policy Awareness and Implementation
  • Institution Policy Adherence
  • Violation Reporting
  • Access Privileges
  • Privacy Filtering
  • Technical Preventive and Detective Controls

If the client has an employee security training program, we study it first, then test the targeted employee to ascertain their level of understanding of their security responsibilities regarding customer and other sensitive information while we attempt to gain unauthorized access to that information. Full details are documented of all steps taken during this set of attempts, which could occur over days or a few weeks, depending on the reaction of the employee to the attempts. All findings are documented in our usual fashion, with a written and electronic outbrief of the findings and the security risks we see posed by the employee's reaction.

Onsite Social Engineering:

The onsite engagement techniques typically include:

  • Dumpster diving
  • “Trusted Authority” disguises, such as fire inspector, air-conditioning repairman, pest control employee, etc.

The onsite engagement tests for the following vulnerabilities:

  • Proper Disposal of Sensitive Data
  • Privacy Policy Awareness and Implementation
  • Institution Policy Adherence
  • Violation Reporting
  • Access Privileges
  • Sensitive Area Security
  • Device/System Compromise

Please contact us at