Social Engineering
Social engineering refers to a method used by attackers to manipulate individuals or exploit human behavior to gain unauthorized access to systems, networks, or sensitive information. It involves tricking or deceiving individuals into taking actions that compromise security measures or disclose confidential data.
Social engineering techniques can take various forms, including impersonation, phishing emails, pretexting, baiting, or eliciting sensitive information through phone calls or online interactions. Attackers may use psychological manipulation, social dynamics, and persuasive tactics to exploit human vulnerabilities and bypass technical security controls.
Within the framework of Security Ratings, social engineering is considered a risk factor that impacts an organization's overall security posture. This factor evaluates the organization's awareness of social engineering threats and the effectiveness of its measures to mitigate such risks.
By incorporating social engineering as a risk factor in Security Ratings, organizations can gain insights into their vulnerabilities related to human manipulation and better understand the effectiveness of their security measures against social engineering attacks. This enables them to identify areas for improvement and enhance their overall security posture.
ThreatNG Security Ratings, supported by external attack surface analysis and digital risk protection capabilities (including Domain Intelligence, Dark Web Presence, and Sentiment and Financials discovery), provide enhanced fidelity, validity, and insight into Social Engineering susceptibility by considering factors related to Business Email Compromise (BEC) and phishing susceptibility.
BEC & Phishing Susceptibility: ThreatNG Security Ratings assess the organization's susceptibility to BEC and phishing attacks. These attacks often involve social engineering techniques, where attackers manipulate individuals to disclose sensitive information or perform unauthorized actions. By evaluating the organization's awareness of BEC and phishing threats and the effectiveness of its security measures, the rating system provides insights into the organization's susceptibility to social engineering attacks.
External Attack Surface Analysis: The rating system analyzes the organization's external attack surface, including domains, IP addresses, subdomains, and associated infrastructure. This helps identify potential entry points for attackers, such as phishing landing pages or spoofed email domains. By considering these factors, ThreatNG Security Ratings assess the organization's exposure to social engineering attacks from external sources.
Domain Intelligence and Dark Web Presence: ThreatNG Security Ratings leverage domain intelligence capabilities to gather insights about the organization's domain names, WHOIS information, historical records, SSL certificates, and other relevant data. This analysis includes monitoring the organization's presence on the dark web, where attackers often exchange or sell stolen credentials and information. By assessing the organization's domain intelligence and dark web presence, the rating system identifies potential risks related to social engineering attacks.
Sentiment and Financials Discovery: ThreatNG Security Ratings may include sentiment analysis and financial data discovery. This involves monitoring online sentiment, assessing public sentiment toward the organization, and analyzing publicly available financial information. By considering these factors, the rating system identifies potential indicators of social engineering attacks, such as negative sentiment or financial distress, that could make the organization more susceptible to manipulation.
By integrating external attack surface analysis, domain intelligence, dark web presence assessment, and sentiment and financial discovery, ThreatNG Security Ratings comprehensively evaluate an organization's Social Engineering score. This approach enhances the fidelity and validity of the score by considering multiple factors contributing to the organization's susceptibility to BEC and phishing attacks, ultimately providing valuable insights to enhance its security posture.