Elliott Davis was asked: “We are concerned that our employees are susceptible to scams and may share critical company information or provide access to attackers. Can you complete a social engineering campaign to test our people?”
Context
- A developer, investor and owner of commercial properties throughout North America
- Wanted to test the baseline of the company's security awareness
Our Approach
- Received a list of employee email addresses and phone numbers (white-box approach) and leveraged several Open-Source Intelligence (OSINT) techniques to gain insight into individuals, including:
  - LinkedIn to identify employee location, tenure, position and title
  - FastPeopleSearch for aggregated content on employees and the company
  - Dork Dump to find publicly accessible files on the company’s website
- Created two campaigns, each built on a plausible pretext:
  - Convince the target to provide their organizational password and PIN
  - Convince the target to provide their password and MFA codes to log into their Outlook account
Customer Impact
- Received a detailed executive report of the results from the successful campaigns, including recommendations for remediation:
  1. Awareness training to never provide personal or sensitive information over the phone or disclose MFA codes
  2. Implement procedures to validate and verify the identity of callers and emailers
  3. Improve reporting of suspicious activity to IT
- Implementing the recommendations and improving the overall security posture within the organization
We Can Help
For more information on how Elliott Davis can assist you and your business, contact a member of our team below.
The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.
“Elliott Davis” is the brand name under which Elliott Davis, LLC (doing business in North Carolina and D.C. as Elliott Davis, PLLC) and Elliott Davis Advisory, LLC and its subsidiary entities provide professional services. Elliott Davis, LLC and Elliott Davis Advisory, LLC and its subsidiary entities practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Elliott Davis, LLC is a licensed independent CPA firm that provides attest services to its customers. Elliott Davis Advisory, LLC and its subsidiary entities provide tax and business consulting services to their customers. Elliott Davis Advisory, LLC and its subsidiary entities are not licensed CPA firms. The entities falling under the Elliott Davis brand are each individual firms that are separate legal and independently owned entities and are not responsible or liable for the services and/or products provided by any other entity providing services and/or products under the Elliott Davis brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Elliott Davis, LLC and Elliott Davis Advisory, LLC.