Social Engineering & Phishing Simulation | wizlynx group Switzerland

Human are the weakest link in the security chain. They are facing threats on a daily basis from phishing emails, to social engineering calls and very often, have little or no knowledge that would help them identify the danger.

No matter which technical and physical security controls you have implemented, the security of your infrastructure and network comes down the ability of your employees, contractors or vendors to recognize such attacks, and not fall for such traps.

Hackers know these alarming facts, which is why humans are their first target. Cybercriminals use sophisticated social engineering techniques to persuade and manipulate people to gain access to your internal networks and sensitive information.

Assessing your employees’ readiness to identify and withstand Social Engineering attacks should be a key part of your organization’s security program.

Our services rely on highly skilled security professionals and penetration testers with extensive experience, in both defense and offense, to create realistic phishing simulations. The goal of our service is not only to assess your employees’ readiness to withstand common phishing attacks, but more importantly, target and spear-phish attacks that have a high impact on your organization. wizlynx group presents Phishlynx, an in-house developed solution to assist us during Social Engineering Assessments to create customer tailored phishing simulations.

Our Social Engineering Assessment Services

Email Phishing with Website Mirroring

Consists of sending a phishing email with the attempt to fool your users in providing sensitive information, such as username and password on a mirrored website which look extremely similar as the real website.

Email Phishing with Attachments

Consists of sending a phishing email with the attempt to fool your users in opening an attachment (e.g. XLS file) and enable VB Macro.

Email Phishing with Hyperlinks

Consists of sending a phishing email with the attempt to fool your users to click on a link.

Email Phishing with File Download

Consists of sending a phishing email with the attempt to fool users in downloading and executing potentially malicious files from a web page.

USB Drop

Consists of leaving your USB keys containing files in strategic places, such as meeting rooms, toilets, parking lots, etc. in the attempt to trick users to connect the USB drive and opening potentially malicious files.

Voice Phishing (Vishing)

Consists of using social engineering techniques over the phone to trick your users into providing sensitive information such as username, password, access to the victim’s computer, etc.

Staff Impersonation & Physical Security Controls

Consists of various attempts to gain access to specific locations, unauthorized physical network access, baiting, tailgating, dumpster diving, USB drops, etc.

Our Social Engineering Methodology

wizlynx group Social Engineering Assessment is usually executed in three phases:

Reconnaissance & Planning

Threat analysis and definition of audit objectives
Target reconnaissance
Creation of the script and time plan
Preparation of the attacking plaform

Execution

Email phishing attacks
Vishing attacks
USB key drop attack
Evaluation and interpretation

Reporting

Overall evaluation and documentation of results, including detailed statistics
Risk assessment
Report preparation & recommendations
Debriefing

Reconnaissance & Planning

The following tasks will be carried out during the reconnaissance and planning phase:

Compilation of the attack scripts, detail planning and review of the attack method
Selection of information and access type to be acquired (e.g. employee id, login/password, access to HR system, etc.)
Definition of scope, target, go/no-go tasks and zone
Selection of customer’s employees that will be targeted
Reconnaissance of information about organization, people, gossip, weaknesses, internal problems, profiling victims, etc.
Preparation of the attacking platform and tools (e.g. registering domains, mirroring websites, tracking scripts to generate statistics, attachments, fake malwares, etc.)

Execution

This central phase consists of the effective execution of test that are defined upfront and agreed to.

If wizlynx group discovers serious gaps and weaknesses, the customer will be informed immediately so that any emergency measures can be implemented in a safe and timely manner.

Results Analysis & Reporting

The following tasks will be executed in this phase:

Overall evaluation and documentation of results that include all employees disclosing sensitive information and granting access
Review and quality check
Preparation of the report with evaluation and recommendations

Weaknesses and significant risks to Information Security (the "human factor") will be interpreted, evaluated and judged.

All findings will be documented in the final report and compared with a strengths/weaknesses profile against the international standard for IT Security ISO 27001. The identified weaknesses will be assessed and supplemented with recommendations and remediation actions, as well as prioritized according to the risk associated. The final report will be discussed during a presentation with the customer. The report will include a comprehensive and meaningful C-level summary of the executed Social Engineering Assessment. It will also include all detailed results with respective evidence and recommendations for future security measures based on the results.

Realistic Phishing Simulation

At wizlynx group, our security research team works around the clock to enrich our social engineering assessments and phishing simulation services with the newest scenarios. We leverage our cyber threat intelligence services, as well as our Security Operations Center (SOC), which analyzes and monitors millions of emails, URLs, files, and other data points each day for the latest threats.

Leveraging the same techniques as cyber criminals, such as the use of typosquatting domains, URL shortening, and mirrored versions of your website we target your organization with tailored spear-phishing simulations.