Social Engineering

Phishing is a quite old, sensitive information stealing attack, including usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Typically carried out by email spoofing, instant messaging or even voice call phishing (vishing), it often directs users to enter personal information at a fake website which matches the look and feel of the legitimate site. Phishing is an example of social engineering techniques being used to deceive users. When used in a wider attack context such as a Red Team attack, it may prove very useful for the attacker.

SpearIT offers a phishing assessment service for your technical/security team or other organizational divisions, always ensuring that both executive, mid-level and technical departments gain usefull insights. Our risk-based reporting is integrated in every of our service portfolio deliverables.


1. Scoping

During this phase, an operational environment is discussed and established with the help of written/verbal communication & scoping questionnaires, defining:

  • Organizational cybersecurity-needs
  • Which employees/departments of the organization shall be targeted and which are exluded
  • Allowed types of attacks (client-side exploitation, clickjacking, information stealing)
  • Testing period and timezones
  • Means of communication


2. Information Gathering

Passive OSINT (Open Source Intelligence) techniques are used in conmbination with neutral observation actions in order to collect as much information as possible regarding the targets to be tested. The more the information, the most attack vectors can be crafted. The intelligence gathered can be of the following types:

  • Leaked document and other file types by various search engines
  • Leaked user accounts, emails
  • Forum posts
  • Social media posts
  • Relation with other companies/partners/providers

3. Payload Crafting

Based on the information gained from the previous steps, the phishing payload are crafted, targeting specific employees, combining real facts reagrding each target, in order to be as realistic as possible. The payload, apart from the social content, includes a type of attack, such as client-side exploits, clickjacking, cookie stealing or other stealing attack.



4. Attack

The actual engagement starts here, with carefully crafted emails & landing pages, either prompting the user to click a link or exploiting a client-side vulnerability via JavaScript, macro or other type of attachment.

5. Reporting

When the phishing campaing completes, a risk-based report is generated including an executive and technical report, success ratio and mitigation recommendations.



6. Awareness Training

SpearIT can additionally offer training services for your personnel, in order to establish or maximize the already established security awareness withing the team. The training can either target specific employees/departments or be offered in a more systematic way to your internal compliance officer/security department in order to integrate awareness to your company's security policy.

Want to know whether your employees are aware of social engineering threats?

Find Out!