Realistic · measurable

Phishing & Social Engineering

Realistic phishing, vishing and physical exercises that measure detection and response, not click rates.


Social engineering tests your human layer of security. It remains the most common initial-access vector in real attacks. No firewall or endpoint product defends against an attacker who convinces an employee to hand over credentials or run a malicious attachment. We run controlled exercises that measure susceptibility, test your detection and response, and produce training recommendations you can act on. We do not phish your staff to generate a frightening number. We measure whether your controls and people would catch a real attacker, and we report it without blame.

The consultant who scopes your campaign is the consultant who delivers it.

Who this is for / when to test

  • Awareness baseline: you are rolling out or refreshing security awareness training and need a real measurement.
  • High-value targets: executives, finance and IT administrators who attackers single out.
  • Compliance and assurance: PCI DSS, ISO 27001 and SOC 2 expectations around awareness testing.
  • Post-incident: you want to understand exposure after a phishing-related incident.
  • Supply-chain concern: you want to test resilience to vendor-impersonation and invoice-fraud pretexts.

What we test

  • Phishing (email): targeted campaigns using lookalike domains, display-name spoofing and OSINT-derived pretexts, from broad susceptibility tests to spear phishing of named individuals.
  • Credential harvesting: login portals that record the attempt and redirect to the genuine site. We store no credentials and reuse none beyond the assessment.
  • Malicious attachment and link simulation: benign payloads that test your email gateway, endpoint protection and user behaviour.
  • Smishing and vishing: SMS and voice pretexts (IT support, vendor, executive) that bypass email controls and test verification habits.
  • Physical social engineering: where you agree and the law permits, tailgating, badge cloning, unattended-device tests and impersonation.
  • Pretexting and elicitation: help-desk, recruiter and researcher pretexts that test whether staff divulge sensitive information.

Our methodology

We follow NCSC phishing guidance and design every exercise to be safe, ethical and educational. We measure detection and response: reporting rates and control effectiveness, not who clicked.

  1. Scoping and threat modelling: we agree the workforce in scope, the channels (email, SMS, voice, physical), whether the exercise is announced or unannounced, credential-capture rules and your existing controls.
  2. Reconnaissance and pretext development: we run OSINT on your organisation to build relevant pretexts.
  3. Campaign execution: we run from infrastructure we control and monitor, never your corporate systems, and we decommission every lookalike domain afterwards.
  4. Measurement: we track delivery, click, credential and attachment rates, and above all reporting rates and control performance.
  5. Reporting and debrief: you get a clear write-up and a live debrief.
  6. Coaching and retest: we coach affected users without punishment and recommend a follow-up campaign to measure improvement.

Testing approaches

  • Announced: IT and security know the timing, which suits a controlled baseline.
  • Unannounced: only a small control group knows, which gives the most realistic measure of detection and response. We default to this for measuring resilience.
  • Hybrid: announced to security, unannounced to the wider workforce, balancing realism with operational safety.

We recommend an unannounced or hybrid approach so the results reflect how your people and controls behave under genuine conditions.

What you get

  • An executive summary and a campaign report with metrics, sample emails and landing pages, and analysis of what worked and why.
  • Detection and response gap analysis: which controls caught the campaign, which did not, and how to improve.
  • Per-finding remediation: targeted training and policy recommendations tied to the weaknesses you exposed.
  • Anonymised coaching summaries that identify recurring knowledge gaps.
  • A business-risk rating for the exposures found, with a CVSS rating where a technical control failure is involved.
  • A debrief call and a follow-up campaign plan to measure progress.

FAQs

How long does a campaign take? A phishing campaign runs over one to three weeks including a reporting window. We schedule vishing and physical exercises separately and confirm timing at scoping.

Will it disrupt staff? No. We design exercises to be safe and educational, and we coach people rather than punish them.

Can it be done remotely? We run email, smishing and vishing remotely. We carry out physical social engineering on-site where it falls in scope.

Do you measure more than click rate? Yes. Click rate alone misleads. We measure detection and response, particularly how many people report the attack and whether your controls catch it.
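As an added example (not the consultancy's own tooling), this Python snippet computes the detection-focused metrics described in the Measurement step and in the FAQ above from a constructed event log: report rate and time to first report alongside click and credential rates, gateway blocks, and which credential submissions went unreported. The event names and the sample log are assumptions.

```python
# Constructed sample event log for one simulated campaign (not real data).
# Each tuple: (user, event, minutes since send). Assumed event names:
# delivered, blocked_gateway, clicked, submitted, reported.
SAMPLE_EVENTS = [
    ("u01", "delivered", 0), ("u01", "reported", 4),
    ("u02", "delivered", 0), ("u02", "clicked", 7), ("u02", "submitted", 8),
    ("u03", "delivered", 0), ("u03", "clicked", 12), ("u03", "reported", 15),
    ("u04", "blocked_gateway", 0),
    ("u05", "delivered", 0),
    ("u06", "delivered", 0), ("u06", "clicked", 30),
]


def campaign_metrics(events):
    """Return detection- and response-focused metrics for a simulation.

    Rates are per delivered user (what a recipient could act on), except
    gateway_block_rate, which is per targeted user (what the control saw).
    """
    targeted = {u for u, _, _ in events}
    delivered = {u for u, e, _ in events if e == "delivered"}
    blocked = {u for u, e, _ in events if e == "blocked_gateway"}
    clicked = {u for u, e, _ in events if e == "clicked"}
    submitted = {u for u, e, _ in events if e == "submitted"}
    reported = {u for u, e, _ in events if e == "reported"}
    report_times = [t for _, e, t in events if e == "reported"]

    def rate(part, whole):
        return round(len(part) / len(whole), 3) if whole else 0.0

    return {
        "targeted": len(targeted),
        "gateway_block_rate": rate(blocked, targeted),
        "click_rate": rate(clicked, delivered),
        "credential_rate": rate(submitted, delivered),
        # The headline numbers: did people report it, and how fast?
        "report_rate": rate(reported, delivered),
        "reported_after_click": len(clicked & reported),
        "minutes_to_first_report": min(report_times) if report_times else None,
        # Submissions nobody reported are the exposures to coach on first.
        "unreported_credential_submissions": sorted(submitted - reported),
    }


if __name__ == "__main__":
    for name, value in campaign_metrics(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

In the sample log the click rate (0.6) looks alarming on its own, while the report rate (0.4) and a first report four minutes after send show the response picture the page says matters more.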

Discuss a phishing campaign

hello@leveragecyber.io