What is social engineering?

Social engineering is how attackers get past your technical controls by going through your people instead. We call staff, show up at reception, follow someone through a door, and see what happens.

Your firewall won’t stop someone holding a door open. Endpoint protection won’t catch a password read out over the phone. If you haven’t tested the human layer, you don’t know how it holds up.

What we test

  • Vishing (voice phishing) – calling staff under a pretext to get credentials, sensitive info, or actions like password resets
  • Pretexting – fabricated scenarios to build trust and gain access. IT support, contractors, delivery drivers, whoever fits the target
  • In-person impersonation – turning up at your premises as a visitor, auditor, or new starter and seeing how far we get
  • Tailgating – following authorised staff through controlled doors without credentials
  • Baiting – dropping USB drives in common areas to see if anyone plugs them in
  • Information gathering – approaching staff in casual conversation and seeing what they give away
  • Dumpster diving – going through your bins for documents, credentials, or hardware you thought was gone

How we run it

1. Scenario design

We build pretexts that make sense for your industry, your org structure, and the threats you actually face. What would a real attacker use? What’s already public that makes a story more convincing? We work this out during scoping.

2. Target selection

Depending on what you want tested, we go after specific roles (reception, help desk, finance, execs) or run broader campaigns across the business. We agree targets before we start.

3. Execution

We run the scenarios. Every interaction gets documented: the pretext, how the person responded, what they gave up, what access we got. We don’t name individuals in reporting unless you specifically ask us to.

4. Metrics

We track the numbers: how many people complied, how many pushed back, and how many reported the attempt through the proper channel. If you’ve done this before, we compare against your previous results so you can see whether things are getting better.

5. Reporting and recommendations

You get anonymised results, the common failure patterns we spotted, and specific recommendations for your awareness training. If you want, we can also run a staff briefing using the real scenarios from the engagement. People pay a lot more attention when you show them what actually worked against their own organisation.
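The metrics and comparison steps above are simple enough to script. The following is an added example, not the provider's own tooling: it takes anonymised interaction records (scenario, role, outcome), works out compliance, push-back and report rates per role and per scenario, flags the weakest group, and shows the change since a previous round. The record format, the role and outcome names, and both sets of records are constructed for illustration.

```python
"""Aggregate anonymised social-engineering engagement results.

Added example for the metrics step; the record layout, role names and
sample data below are assumptions, not a real engagement's output.
"""
from collections import Counter, defaultdict

# Outcome codes (assumed): what the targeted person did in response.
COMPLIED = "complied"        # gave up information or granted access
PUSHED_BACK = "pushed_back"  # refused, but did not escalate
REPORTED = "reported"        # refused and reported via the agreed channel

OUTCOMES = (COMPLIED, PUSHED_BACK, REPORTED)

# Constructed records: (scenario, role, outcome). No individuals are named,
# which matches the anonymised reporting described on the page.
CURRENT_ROUND = [
    ("vishing", "help_desk", COMPLIED),
    ("vishing", "help_desk", REPORTED),
    ("vishing", "help_desk", PUSHED_BACK),
    ("vishing", "finance", COMPLIED),
    ("vishing", "finance", COMPLIED),
    ("tailgating", "reception", PUSHED_BACK),
    ("tailgating", "reception", COMPLIED),
    ("baiting", "finance", COMPLIED),
    ("baiting", "finance", REPORTED),
    ("baiting", "reception", REPORTED),
]

# Constructed results from a hypothetical earlier round, for comparison.
PREVIOUS_ROUND = [
    ("vishing", "help_desk", COMPLIED),
    ("vishing", "help_desk", COMPLIED),
    ("vishing", "finance", COMPLIED),
    ("tailgating", "reception", COMPLIED),
    ("baiting", "finance", COMPLIED),
    ("baiting", "reception", PUSHED_BACK),
]


def rates(records, key=None):
    """Outcome rates, optionally grouped by one field of the record.

    key: None for whole-campaign totals, 0 for per-scenario, 1 for per-role.
    Returns {group: {"n": count, "complied": rate, "pushed_back": rate,
    "reported": rate}} with rates rounded to two decimals.
    """
    groups = defaultdict(Counter)
    for rec in records:
        group = "all" if key is None else rec[key]
        groups[group][rec[2]] += 1
    out = {}
    for group, counts in groups.items():
        n = sum(counts.values())
        out[group] = {"n": n}
        for outcome in OUTCOMES:
            out[group][outcome] = round(counts[outcome] / n, 2)
    return out


def weakest(records, key):
    """Group (scenario or role) with the highest compliance rate.

    Ties resolve to the alphabetically first group name.
    """
    r = rates(records, key)
    return max(sorted(r), key=lambda g: r[g][COMPLIED])


def compare(current, previous):
    """Change in whole-campaign rates since the last round (positive = rose)."""
    now, before = rates(current)["all"], rates(previous)["all"]
    return {o: round(now[o] - before[o], 2) for o in OUTCOMES}


if __name__ == "__main__":
    print("overall:", rates(CURRENT_ROUND)["all"])
    print("by role:", rates(CURRENT_ROUND, 1))
    print("weakest role:", weakest(CURRENT_ROUND, 1))
    print("weakest scenario:", weakest(CURRENT_ROUND, 0))
    print("change since last round:", compare(CURRENT_ROUND, PREVIOUS_ROUND))
```

On the constructed data, finance is the weakest role (three of four interactions complied) and vishing the weakest scenario, while the report rate has risen from zero to 0.3 since the previous round; a falling compliance rate alone says little if nobody is reporting, so both figures belong in the comparison.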

Why bother testing this

People are still the easiest way in. Technical controls keep improving, but human behaviour doesn’t patch itself.

Testing gives you actual numbers on how your staff respond, not assumptions. It tells you which departments or roles are weakest, whether people report suspicious approaches through proper channels, and whether that awareness training you paid for is doing anything. A lot of compliance standards also require you to assess awareness, not just deliver a training module and tick the box.

Organisations that run these assessments regularly see measurable improvement. The ones that don’t are guessing.