Social engineering testing involves the attempted manipulation of an organization's employees into allowing unauthorized access to confidential information. This provides insight into how effective the organization's policies and procedures are at mitigating social engineering threats, how well the employees adhere to established policies and procedures, and the level of security awareness that exists among employees.

The Compliance Overview

Information security compliance regulations and guidelines (FDIC, FFIEC, GLBA, HIPAA, HITECH, NCUA, OCC, PCI DSS) require an organization to create an information security program designed to protect confidential information, including Non-Public Personal Information (NPPI). Failure of employees to follow the security policies and procedures of the organization is a major vulnerability to an information security program.

The TraceSecurity Solution

TraceSecurity is considered the top authority in social engineering testing. Our expert analysts have conducted hundreds of social engineering engagements for companies across a wide range of industries. We also provide a cloud-based solution to address all the necessary functions associated with security training and policy management.

TraceSecurity has designed test methods both onsite and remotely. When performed remotely, our experts employ tactics, such as pretext calling, phishing and email hoaxes, that attempt to get employees to divulge user names, passwords, customer NPPI or other confidential information.

Onsite test services include:

  • Pre-engagement setup with client (includes project planning, scope, defining rules of engagement, information gathering)
  • Spoof emailing (if applicable)
  • Onsite testing for:
    • Employee security and privacy policy awareness and adherence
    • Proper disposal of sensitive data
    • Access privileges
    • Sensitive area security
    • Device/system compromise
    • Technical preventive and detective controls
    • Violation reporting
  • Present preliminary findings to client core team through exit interview

Remote test services include:

  • Pre-engagement setup with client (includes project planning, scope, defining rules of engagement, information gathering)
  • Remote social engineering (dependent on the scope)
  • Computer-based testing through email spoofing and phishing simulation
  • Phone-based – pretext call testing (dependent on the scope)

Test results (for both on-site and remote engagements) are provided in an extensive report containing:

  • Project overview
  • Social engineering test methodology
  • Executive summary
  • Business and technical risks and recommendations
  • Details and exposure of vulnerabilities
  • Recommendations and counter measures
  • Appendix examples

Options (for both on-site and remote engagements):

  • On-demand generation of reports for audit, board and technical staff
  • Training material provided in an extensive recorded 'Flash' module
  • Automated learning management system and training management (includes access to security awareness training content)


Contact us for a FREE Consultation 


Learn how you can save money and delivery time by bundling an IT security assessment, a social engineering engagement and penetration testing. Click here.