Social Engineering Assessment

Assessing the Human Element of Your Security

Our Social Engineering Assessment services simulate real-world attacks to provide you with a current view of the human-related vulnerabilities and threats to your organisation. These 'human hacking' attacks involve our consultants impersonating a trusted individual in an attempt to gain information or access to your information and network infrastructure.

Key Features of Our Assessments

  • Test Your Training: Allows you to test the effectiveness of your security awareness training programmes, or lay the foundation for creating one.
  • Tailored Objectives: We agree on specific, measurable test objectives tailored to test key policies and processes within your organisation.
  • Comprehensive Reconnaissance: We use different resources to gather information, including corporate websites, public search databases, job sites, waste reconnaissance ('bin diving'), and public venues.
  • Actionable Reporting: The final deliverable is a detailed report about the policies that were tested, the results of each attempt, and clear recommendations for improvement.

1. Physical Security Testing

Our physical security testing begins with passive Internet reconnaissance, using publicly available sources to gather relevant information such as office locations, employee names, and contact details. This informs our on-site activities.

On-Site Assessment Process

Our consultants will conduct a high-level assessment of your physical security controls, including:

  • Examining physical threats to your buildings.
  • Identifying examples of good and poor security practice.
  • Assessing physical access controls around IT assets.
  • Reviewing network port (LAN jack) access controls.

Please note: Our techniques are non-destructive. Any potentially disruptive techniques are only ever attempted with your explicit, prior permission.

Common Techniques We Employ

  • Malicious Media Drops: USB sticks with enticing labels like "Q3 Payroll" are left in corridors, washrooms, and break areas to see if they are plugged into company machines.
  • "Tailgating" & Impersonation: Following authorised staff through secure doors, or impersonating service personnel with counterfeit badges to gain entrance to facilities.
  • Information Gathering: Attempting to photograph sensitive material or observe staff security awareness at their workstations (e.g., unlocked drawers, visible passwords).
  • Asset Removal Test: Attempting to remove physical assets (which are always returned) to demonstrate a significant security risk without obstructing business operations.

2. Phishing & Vishing Assessment

These remote assessments begin with passive Internet reconnaissance to gather information about your company and employees, making the simulated attacks more believable and effective.

Vishing (Voice Phishing) Services

Using information gathered during reconnaissance, our consultants will impersonate a trusted individual (e.g., an IT helpdesk technician) and make phone calls to people within your organisation. The objective is to persuade users to divulge sensitive information, such as their login credentials, in violation of company policy.

Targeted Email Phishing Campaigns

We send customised emails to individuals and groups to entice them to click a link, open an attachment, or enter credentials into a fake login page. We offer campaigns at three levels:

  • Basic: A phishing email is sent to track how many users click the malicious link.
  • Intermediate: A link directs users to a fake login page to capture both clicks and credential submissions.
  • Advanced: A full simulation using spear phishing and real-world attack techniques to attempt to gain a foothold on the network.