Social Engineering

Overview

The objective in email-based social engineering (“phishing”) is to test user security awareness by manipulating target individuals to perform malicious actions or provide sensitive information over email. This is accomplished using a variety of standard scenarios or custom-tailored situations. The content used in these scenarios ranges from generic, spam-like messages to customer-specific emails that are designed to appear to originate from internal users, third-party service providers, or customers. The goal is to obtain user credentials or gain direct system access, though reduced or alternative goals may be specified.

Key benefits

Benefits of social engineering testing

Identified risks

Understand how vulnerable your employees are to social engineering scams like spear phishing and business email compromise attacks.

Reveals information footprint

Learn what an attacker could find out about your company and employees from freely available information.

Evaluate defenses

Put your organization's cybersecurity controls to the test to ensure they can effectively detect and defend against phishing attacks.

Raises cyber awareness

A simulated phishing assessment can be used to highlight good and poor security practices and areas for improvement.

Enhance security training

The results of a simulated social engineering assessment can be used to improve employee security awareness training programs.

Phishing

Our phishing services

Phishing-as-a-service - Continuous phishing campaigns sent at random intervals to your employees.

Surveys show time and time again that phishing campaigns are here to stay in the threat landscape, and your security team needs the proper tools and knowledge to mitigate this attack vector. It is important to state that phishing attacks cannot be prevented purely through technical means. Real-life incidents show how much attacker creativity matters: attackers often build a deep knowledge of how the victim's corporate environment works and find the weak spots where an employee can be exploited through a custom-crafted email. Our phishing campaigns can also be tailored to your environment's specific exploitable workflows, just as a real APT would operate, in order to really understand your company's security posture against these threats and to follow up with the other kind of campaign, the awareness campaign, with a higher success rate among employees. Our key to success is making your employees the main weapon against real phishing attacks.

Business Email Compromise - Campaigns designed to compromise corporate email passwords.

Endpoint Compromise - Campaigns that contain malicious documents.

Every day, hundreds of thousands of attachments are downloaded and opened by employees with no regard for the sender or the type of file, relying on security tools to prevent any kind of breach. Endpoint compromise is often achieved through this kind of file-handling oversight, and the results are frequently disastrous. We help prevent these dangers and raise awareness of them by running red team campaigns with malicious documents that are part of complex custom scenarios created specifically for your corporate environment, blending in just as a real attack would. These campaigns show you how vulnerable you could be in a real-life attack, without the nasty repercussions. They also help your security team focus and build a workflow around mitigating these kinds of malicious files by following our recommendations, which depend heavily on your current security posture.

Approach

A typical social engineering assessment involves:

Reconnaissance

Using open-source intelligence (OSINT) collection techniques, our team of ethical hackers seeks to identify valuable company and employee information that could be used to target your company and improve the success rate of a simulated social engineering assessment.

Mobilization

Using their knowledge of the latest social engineering tactics, our experts will carefully prepare your phishing test to ensure that it is as authentic as possible and has the best chance of reaching its target.

Execution

We run the phishing test and, if it is part of the assessment, we impersonate all compromised users to extend network privileges and make fraudulent requests, such as those common in sales fraud and Business Email Compromise attacks.

Evaluation

Upon completion of the social engineering operation, we document the results and provide prioritized recommendations to address identified risks and improve security awareness training programs.

FAQ

Frequently asked questions about social engineering and phishing

Social engineering is an attack vector commonly used by cybercriminals to compromise the cybersecurity of organizations. The term describes the use of psychological manipulation to get users to disclose sensitive information and/or perform unwanted actions, such as opening malicious attachments.

Phishing is the mass distribution of e-mails and other electronic messages designed to trick users into divulging sensitive data such as account passwords and credit card information.

People are often the weakest link in the security chain. Phishing allows criminals to target people en masse and harvest valuable information. The wide availability of phishing tools on the Internet has made it possible for attackers with little technical knowledge to carry out attacks.

Employee training, solid security measures, email authentication, and proactive monitoring of networks and endpoints are just a few of the measures that can help organizations effectively prevent phishing attacks.

In a black box social engineering simulation, our consultants have no prior knowledge of your organization's environment. Reconnaissance is conducted to gather information about employees and security controls. A white box testing approach is used in cases where phishing tests target specific employees using email addresses you have provided in advance.

Anti-phishing is a collective term for the tools and services that help companies detect and prevent phishing attacks.

Baiting describes the psychological manipulation techniques cybercriminals use to trick people into revealing sensitive information such as login credentials for email and online banking accounts. Hackers go to great lengths to spoof well-known companies and invent fake offers, service updates, and security alerts.
