
The attack your controls can't block.

Most confirmed breaches start with a human. Phishing, vishing, and pretexting bypass technical controls entirely — they exploit trust, urgency, and habit. The only way to know how exposed you are is to test it under realistic, controlled conditions before an attacker does it for real.

Technical controls don't stop humans.

74% of breaches involve a human element — phishing, credential misuse, or social engineering. Verizon DBIR 2024.

60s: median time for the first user to click a phishing link after a campaign is launched. Most clicks happen within the first minute.

Organisations that run regular phishing simulations see click rates drop by up to three times compared to untrained populations.

Realistic. Targeted. Measurable.

Our social engineering assessments are designed to reflect actual attacker behaviour — not generic commodity campaigns. We research your organisation, your people, and your publicly available information before designing scenarios that reflect the real threat.

Spear phishing campaigns

Targeted email phishing designed to reflect realistic pretexts — supplier impersonation, internal IT requests, executive communications. Campaigns include credential harvesting pages, malicious attachment simulations, and click tracking with per-department reporting.

Vishing (voice phishing)

Controlled phone-based social engineering targeting your staff — help desk impersonation, vendor calls, executive pretexting. Tests whether your team will disclose sensitive information or take action based on a caller's claimed identity alone.

Smishing & multi-channel attacks

SMS-based phishing and combined multi-channel attack simulations. Particularly effective where staff use personal or corporate mobile devices for business communications — a growing attack surface for Australian organisations.

Pretexting scenarios

Complex multi-step scenarios involving extended impersonation — a new supplier, an auditor, a regulator. Tests how far a motivated attacker can get through purely social means before anyone questions the interaction.

Physical social engineering

Tailgating, impersonation of contractors or visitors, and USB drop tests at your physical premises. Tests whether your physical security and staff awareness controls hold up against a determined attacker with a believable pretext.

OSINT & reconnaissance

Open source intelligence gathering on your organisation and key personnel — the same research an attacker would do before launching a targeted campaign. Delivered as a standalone output or as context for a phishing campaign.

Output that drives genuine improvement.

Every social engineering engagement concludes with a structured report that goes beyond click rates. We provide per-department susceptibility breakdown, behavioural analysis of who did what and why, and a targeted training recommendation — including specific KnowBe4 training modules matched to the attack types your staff fell for.

Importantly, we don't name and shame individuals. The output is designed to help the organisation improve — not to identify specific employees for disciplinary action. This framing gets significantly better engagement from staff in subsequent awareness activities.

Know your human attack surface.

A phishing assessment is one of the highest-ROI security tests available — inexpensive to run, immediate in its findings, and directly actionable. Discuss a campaign scope with us.