Cyber & Information Risk Management

Request

The service was requested by a fintech company providing identity verification and anti-fraud solutions to over 300K B2B clients across the U.S. and the EU. The goal was to perform a digital risk assessment regarding team security awareness and internal processes.

What We Did

We examined the company for technical vulnerabilities, including exposed subdomains and publicly accessibleinternal data. Using HUMINT methods, Molfar specialists conducted social engineering tests by posing as authority representatives to request sensitive information from employees.

Key Findings

• Identified critical weaknesses in internal systems and network configurations.
• Pinpointed specific employees who violated cybersecurity protocols during simulations.
• Uncovered gaps in phishing threat awareness across the organisation.

Outcome

The client used the findings as a documented basis to optimize internal networks and improve staff training.These actions directly prevented potential data leaks and strengthened the company's defense against real-world cyberattacks.

Request

A regulatory technology firm delivering compliance automation and KYC solutions to financial institutions across North America and Western Europe sought an independent assessment of its internal security posture. Given that the company handles sensitive client data for over 200K institutional users, identifying exploitable vulnerabilities before adversarial actors could was a business-critical priority.

What We Did

Molfar conducted a comprehensive digital risk and human vulnerability assessment combining open-source technical reconnaissance with active HUMINT-based social engineering simulations. On the technical side, analysts mapped exposed infrastructure, including misconfigured subdomains, publicly accessible internal endpoints, and unintended data exposures across the company's digital footprint. In parallel, Molfar specialists conducted controlled social engineering engagements, posing as regulators, auditors, and IT support personnel to test employee responses to authority-based manipulation and credential solicitation attempts.

Key Findings

The assessment identified a range of exploitable weaknesses across both technical and human layers:

• Several internal subdomains and staging environments were publicly accessible, exposing configuration data and API endpoints that could be leveraged in a targeted attack.
• A subset of employees across multiple departments disclosed sensitive access credentials or internal process details during simulated authority impersonation scenarios, indicating insufficient verification habits.
• Phishing awareness was inconsistent across teams, with higher-risk response rates observed among non-technical staff handling client data and onboarding workflows.

Outcome

The findings gave the client a prioritized, evidence-based roadmap for remediation. Infrastructure exposures were addressed through targeted network reconfiguration, while the social engineering results directly informed a revised security awareness training program focused on the highest-risk employee segments. The assessment provided measurable value in closing gaps before they could be exploited in a real attack — safeguarding both client data and the company's regulatory standing.