Insights

Fresh thinking and actionable insights that address critical issues your organization faces.

Learn more

Resources

Services

KPMG's multi-disciplinary approach and deep, practical industry knowledge help clients meet challenges and respond to opportunities.

Services to meet your business goals

Technology Alliances

KPMG has market-leading alliances with many of the world's leading software and services vendors.

View all Alliances

Industries

Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more
Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

Social engineering

A fatal flaw in cybersecurity

Managed services offers consistent testing for social engineering

A key way to protect critical infrastructure is with layered controls in front of sensitive assets. But these technical protections won’t matter if a bad actor still can gain access to one of the most sensitive assets of all: your users.

To help prevent social engineering or the method of gleaning information from your user base, you can introduce guardrails such as data loss prevention (DLP), proper network segmentation, and a robust identity and access management (IAM) infrastructure. Still, a determined attacker can exploit these controls, and some privileged users with access can natively subvert them.

To reduce risk, it’s wise to build your organization’s awareness of common social engineering attacks, while consistently testing for vulnerabilities:

  • Vishing. In this method of attack, short for “voice phishing,” a bad actor uses the phone to coerce a user to divulge sensitive information.
    Why test for it: Running your users through vishing scenarios can help them identify ways they might be approached over the phone. For example, hacker groups like Scattered Spider are known to call help desks, posing as legitimate users in an effort to steal documents and intellectual property.
  • Smishing. Short for “SMS phishing,” smishing is the sending of malicious text messages.
    Why test for it: Smishing scenarios are highly covert, may not appear malicious, and usually do not immediately seek sensitive information. Instead, hacker groups focus on building rapport with users before asking them to visit legitimate-looking websites, which are designed to steal mobile phone data such as subscriber identity module (SIM) information.
  • Physical breach: In this attack, a bad actor circumvents building controls, such as badge readers and man traps, to approach employees on an organization’s physical estate.
    Why test for it: Controls such as DLP, antivirus, IAM and network segmentation assume that attackers operate remotely. But if an attacker can physically walk up to someone, they immediately bypass these controls.  
  • Spear phishing. Referring to targeted social engineering, this method seeks to go after a specific user group, such as an IT administrator team. It can take the form of any of the methods described above.
    Why test for it: In addition to help desks, Scattered Spider commonly uses spear fishing to attack C-suite executives, administrative professionals, and even the family members of these groups. The typical mechanisms are tailored emails and chat messages, aiming to compromise single-sign-on credentials and security tools without using malware.

Attackers are constantly evolving their exploitative techniques, so even the most knowledgeable users are susceptible to social engineering. That’s why progressive companies are engaging managed services providers with cybersecurity capabilities that evolve at the pace of threats. The best providers offer consistent testing and education to help harden your user base against attack.

How KPMG can help

KPMG offers end-to-end security testing as an outcome-based managed service, helping you consistently validate controls while minimizing remediation efforts. That’s because business transformation is not a fixed destination; it’s an ongoing journey. With managed services, we help you continually evolve your business functions to keep up with ever-changing targets, while driving outcomes like cost reduction, resilience, and stakeholder trust. Learn more.

Meet our team

Image of Evan Rowell
Evan Rowell
Specialist Director, Market Development , Advisory, KPMG US
Read bio
Image of Evan Rowell
Evan Rowell
Specialist Director, Market Development , Advisory, KPMG US
Read bio

Subscribe to Going Beyond: Managed Services

See our latest thinking on how managed services can help you drive transformation at the speed of business.

Subscribe

Explore other services tailored to your business

Service
KPMG Managed Services
Read more
Service
Powered Evolution
Read more
Service
KPMG Managed Detection and Response
Read more

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2024 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline