Phishing Simulation & Social Engineering Testing
Realistic, OSINT-driven phishing campaigns and social engineering assessments — testing your employees' susceptibility to email phishing, spear-phishing, vishing, smishing, and physical pretexting against your actual organisation structure.
Email · Voice · Physical — Every Human Attack Surface
Three distinct attack vector types covering every channel a real social engineer would use — from targeted email campaigns to telephone pretexting and on-site physical testing.
Email Phishing & Spear-Phishing
From broad phishing campaigns testing baseline email susceptibility to hyper-targeted spear-phishing and whaling attacks against executives, finance teams, and IT staff. We develop custom lure documents, credential harvesting pages, and payload delivery pretexts using OSINT gathered from your organisation's public digital footprint.
- Baseline phishing campaigns — full workforce susceptibility baseline
- Spear-phishing against executives & high-value targets (whaling)
- Finance & BEC (Business Email Compromise) scenario simulation
- Custom lure document development (Word macros, PDF payloads), including a check that your Office build's default blocking of macros in internet-sourced documents actually holds
- Credential harvesting pages — cloned login pages for your platforms
- Click rate, credential submission & reporting rate tracking
Vishing & Smishing
Telephone-based social engineering (vishing) and SMS phishing (smishing) campaigns — simulating IT helpdesk impersonation, bank fraud calls, HR pretexting, and delivery notification smishing. Targeting employees most susceptible to non-email channel manipulation, including finance, HR, and reception staff.
- IT helpdesk impersonation — password reset & MFA bypass
- Executive / senior management impersonation (vishing)
- Finance wire transfer & payment change pretexting
- HR payroll redirect social engineering scenarios
- Smishing — delivery notification & package update lures
- Per-call and per-SMS response rate tracking & reporting
Physical & Pretexting
Physical social engineering testing: tailgating, impersonating third-party vendors, delivery personnel, or IT engineers to gain physical access to restricted areas. Physical testing reveals human security gaps that no email campaign can assess, and it is often the highest-impact social engineering vector, because a successful entry ends with hands on unattended workstations, network ports, and printed material.
- Tailgating & physical access attempts to restricted areas
- Vendor / contractor / IT engineer impersonation
- USB drop attacks — testing physical media security policy
- Dumpster diving & physical information security assessment
- Badge cloning & access control awareness testing
- Post-entry activity and physical security gap reporting
Your Technical Controls Cannot Stop a Convincing Pretext
An organisation can deploy the most sophisticated email gateway, EDR platform, and multi-factor authentication implementation available and still be compromised in under an hour through a targeted phone call to the right employee: a helpdesk agent who resets a password or re-enrols an MFA device because the caller sounded like the CFO. Social engineering does not break those controls; it routes around them by persuading an authorised person to act on the attacker's behalf. It exploits human psychology: authority, urgency, helpfulness, and fear. These are not factors your firewall was designed to defend against. Phishing-resistant MFA (FIDO2/WebAuthn security keys) does stop a cloned login page from yielding a usable session, which is precisely why attackers shift to the helpdesk and to telephone pretexts.
Phishing simulation gives you empirical, per-employee data on human risk, identifying which departments, seniority levels, and individual employees represent your highest social engineering exposure. Without this data, your security awareness training is operating blind. With it, you have a measurable, targeted improvement programme with before-and-after click and reporting rates that quantify your risk reduction. Reporting rate matters as much as click rate: a workforce that reports a convincing lure within minutes gives your security team a head start even when some recipients click.
OSINT-Driven Pretexts
Campaigns built from your organisation's actual public digital footprint — real supplier names, real login pages
Department-Level Risk
Click and credential rates broken down by team, seniority, and location for targeted training
Immediate Training
In-the-moment teachable experience for employees who click or comply — at the exact point of failure
Repeat Campaigns
Baseline, mid-year, and year-end campaigns to measure click rate reduction and reporting rate improvement over a 12-month programme
5-Phase Phishing Simulation Methodology
From OSINT reconnaissance and pretext development through campaign execution, teachable moment delivery, and a quantified risk scoring report with improvement roadmap.
OSINT Reconnaissance & Pretext Development
Before any campaign launches, we gather open-source intelligence on your organisation — employee names and roles from LinkedIn, email format identification, supplier and partner relationships, software platforms (SSO providers, HR systems, collaboration tools), and credential exposure on paste sites. This intelligence drives pretext development: campaigns use real supplier names, mimic real internal processes, and reference real information that makes them convincingly legitimate to your employees.
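One concrete piece of that reconnaissance is email format identification: given a few addresses observed publicly, infer the organisation's convention and project it onto the employee list gathered from LinkedIn. The following is an added example written for this page, not the vendor's own tooling; the format table, the tie-breaking order, and the sample names and addresses are all constructed.

```python
import re

# Candidate address formats, ordered from most to least common in our
# experience (an assumption; the order only breaks ties).
FORMATS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[:1]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "first": lambda f, l: f,
    "lastf": lambda f, l: f"{l}{f[:1]}",
    "last.first": lambda f, l: f"{l}.{f}",
}


def normalise(part: str) -> str:
    """Lower-case and drop anything that is not a-z (apostrophes, hyphens,
    spaces). Diacritics are dropped rather than transliterated, which is a
    known weakness: 'Müller' becomes 'mller', so check such names by hand."""
    return re.sub(r"[^a-z]", "", part.lower())


def infer_format(samples):
    """samples: iterable of ((first, last), email) observed publicly.
    Returns (format_name, matched_count) for the format that explains the
    most samples; a count well below len(samples) means the organisation
    uses mixed or legacy formats and the projection will be noisy."""
    best = None
    for name, render in FORMATS.items():
        matched = sum(
            1
            for (first, last), email in samples
            if email.split("@", 1)[0].lower()
            == render(normalise(first), normalise(last))
        )
        if best is None or matched > best[1]:
            best = (name, matched)
    return best


def project(format_name, people, domain):
    """Render the inferred format for (first, last) pairs gathered from
    LinkedIn or similar, giving the candidate recipient list."""
    render = FORMATS[format_name]
    return [f"{render(normalise(f), normalise(l))}@{domain}" for f, l in people]


# Constructed sample data for the example.
OBSERVED = [
    (("Ana", "Silva"), "ana.silva@example.com"),
    (("Bob", "O'Neil"), "bob.oneil@example.com"),
    (("Chris", "Wu"), "chris.wu@example.com"),
    (("Dee", "Khan"), "dkhan@example.com"),  # a legacy-format outlier
]

if __name__ == "__main__":
    fmt, n = infer_format(OBSERVED)
    print(f"{fmt} explains {n}/{len(OBSERVED)} observed addresses")
    print(project(fmt, [("Erin", "Lopez-Ruiz"), ("Farid", "Nasser")], "example.com"))
```

The matched count is the useful signal: if the best format explains only half of the observed addresses, the recipient list needs a second pass (legacy accounts, acquisitions, hyphenated or accented names) before the campaign is sent, otherwise bounces to non-existent addresses will tip off the mail team early.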
Campaign Design & Infrastructure Setup
We build campaign infrastructure: phishing domains closely resembling your legitimate domains or key suppliers, credential harvesting landing pages cloning your actual login pages (Microsoft 365, Okta, Google Workspace), and custom payload documents where applicable. Every campaign element reflects real-world attacker resources, not generic training-tool simulations that experienced employees immediately recognise as fake. Where your platforms enforce phishing-resistant MFA (FIDO2/WebAuthn), a cloned page still measures whether an employee will type their password into a lookalike, but it will not yield a usable session; the report keeps that behavioural finding separate from the technical outcome.
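The lookalike domains in that step come from a small number of typosquatting families. The generator below is an added example for this page, not the vendor's own tooling; it enumerates homoglyph, omission, transposition, repetition, hyphenation, keyword-affix and TLD-swap variants for a target domain, so the same list serves two purposes: picking a registrable campaign domain, and watching for the same names appearing in DNS or certificate transparency logs when a real attacker registers one against you. The homoglyph table, the TLD list and the affix words are assumptions; Unicode/IDN confusables are deliberately left out because browsers and registrars increasingly block or punycode-display them.

```python
# ASCII-only look-alike substitutions (an assumption; extend as needed).
HOMOGLYPHS = {
    "l": ("1", "i"),
    "i": ("l", "1"),
    "o": ("0",),
    "0": ("o",),
    "m": ("rn",),
    "rn": ("m",),
    "w": ("vv",),
    "vv": ("w",),
    "d": ("cl",),
    "cl": ("d",),
}

TLDS = ("com", "net", "org", "co", "io", "biz")
AFFIXES = ("secure", "login", "portal", "mail", "sso")


def split_domain(domain):
    """'example.com' -> ('example', 'com'). Everything after the first dot
    is treated as the suffix, so 'example.co.uk' keeps 'co.uk' intact;
    subdomain inputs are out of scope for this example."""
    name, _, suffix = domain.lower().partition(".")
    return name, suffix


def homoglyph_variants(name):
    out = set()
    for i in range(len(name)):
        for src, repls in HOMOGLYPHS.items():
            if name.startswith(src, i):
                for r in repls:
                    out.add(name[:i] + r + name[i + len(src):])
    return out


def omission_variants(name):
    # Very short names produce nonsense when a character is dropped.
    return {name[:i] + name[i + 1:] for i in range(len(name))} if len(name) > 2 else set()


def transposition_variants(name):
    return {
        name[:i] + name[i + 1] + name[i] + name[i + 2:]
        for i in range(len(name) - 1)
        if name[i] != name[i + 1]
    }


def repetition_variants(name):
    return {name[:i + 1] + name[i:] for i in range(len(name))}


def hyphenation_variants(name):
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}


def affix_variants(name, affixes=AFFIXES):
    out = set()
    for a in affixes:
        out.add(f"{name}-{a}")
        out.add(f"{a}-{name}")
    return out


def candidates(domain, tlds=TLDS):
    """All lookalike candidates for one registrable domain, sorted."""
    name, suffix = split_domain(domain)
    variants = set()
    for gen in (
        homoglyph_variants,
        omission_variants,
        transposition_variants,
        repetition_variants,
        hyphenation_variants,
        affix_variants,
    ):
        variants |= gen(name)
    variants.discard(name)
    result = {f"{v}.{suffix}" for v in variants}
    # Same name under a different TLD is the cheapest lookalike of all.
    result |= {f"{name}.{t}" for t in tlds if t != suffix}
    return sorted(result)


if __name__ == "__main__":
    for c in candidates("example.com"):
        print(c)
```

On the defensive side, the same list is what you feed to a registration or certificate-transparency watch; on the offensive side, the candidates that are still unregistered and read naturally in an email From: line are the ones worth aging before the campaign.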
Campaign Execution & Data Collection
Phishing emails are deployed to all in-scope employees, with each interaction recorded per employee: did they open the email? Click the link? Submit credentials? Download the attachment? Report it? Open tracking relies on a tracking image and is unreliable (mail clients and security gateways fetch or block images on the user's behalf), so clicks, credential submissions, and reports are the signals we score on; link-scanner and sandbox "clicks" generated by your email gateway are identified and excluded so they are not charged to the recipient. For vishing campaigns, targeted calls are made with scripted pretexts and outcomes recorded individually. All data is collected per employee for individual risk scoring and per department for group risk analysis.
Teachable Moments & Immediate Training
Employees who click, submit credentials, or comply with a social engineering attempt are immediately redirected to an in-the-moment training page explaining what happened, why it was a simulation, and what warning signs they should look for in future. Training delivered while the employee still remembers what the email looked like and why they trusted it is more effective than periodic classroom-style security awareness programmes scheduled weeks later.
Reporting, Risk Scoring & Improvement Roadmap
You receive a comprehensive campaign report: overall click, credential submission, and reporting rates compared to industry benchmarks, department-level and individual employee risk scores, the specific phishing indicators employees most frequently missed, and a targeted training and repeat-campaign schedule designed to measurably reduce click rates and raise reporting rates over the following 12 months.
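The collection and scoring steps above (per-employee attribution, gateway-scanner filtering, department-level rates, individual risk scores) fit in a few dozen lines. What follows is an added example for this page, not the vendor's own platform: each recipient gets an opaque per-campaign tracking token (an HMAC of the employee id under a campaign key) so a tracking link can be attributed back to the recipient without exposing ids that targets could guess or swap, scanner hits and foreign tokens are rejected rather than scored, and events are rolled up per department. The roster, campaign key, scoring weights, scanner user-agent markers and event log are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed: in practice generate a fresh random key per campaign.
CAMPAIGN_KEY = b"constructed-campaign-key-rotate-per-campaign"

# Constructed roster; ids never appear in any link, only their tokens do.
ROSTER = {
    "e001": {"dept": "Finance", "level": "staff"},
    "e002": {"dept": "Finance", "level": "manager"},
    "e003": {"dept": "IT", "level": "staff"},
    "e004": {"dept": "Reception", "level": "staff"},
    "e005": {"dept": "IT", "level": "staff"},
}

# Hypothetical weights: submitting credentials is the worst outcome and
# reporting is rewarded even when the same person also clicked.
WEIGHTS = {"clicked": 3, "submitted": 6, "reported": -2}

# User-agent fragments of gateway link scanners that follow every URL in
# an inbound mail (assumed values; derive yours from the first campaign's
# raw logs). Their "clicks" must not be charged to the recipient.
SCANNER_UA_MARKERS = ("LinkScanner", "SafeLinks", "Sandbox")


def token_for(employee_id: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Opaque per-campaign tracking token: unforgeable without the key,
    and a leaked token reveals no employee id."""
    return hmac.new(key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]


def token_index(roster, key=CAMPAIGN_KEY):
    return {token_for(eid, key): eid for eid in roster}


def attribute(events, roster, key=CAMPAIGN_KEY):
    """Map raw tracking events back to employees. Returns the set of
    actions per employee plus the events rejected as scanner traffic or
    as tokens that do not belong to this campaign (forwarded links,
    tampering, or a previous campaign's key)."""
    index = token_index(roster, key)
    outcomes = {eid: set() for eid in roster}
    rejected = []
    for ev in events:
        if any(m in ev.get("ua", "") for m in SCANNER_UA_MARKERS):
            rejected.append(("scanner", ev))
            continue
        eid = index.get(ev["token"])
        if eid is None:
            rejected.append(("unknown-token", ev))
            continue
        outcomes[eid].add(ev["action"])
    return outcomes, rejected


def score(actions) -> int:
    """Per-employee risk score; floored at zero so reporting alone does
    not produce a negative number."""
    return max(0, sum(WEIGHTS.get(a, 0) for a in actions))


def department_rates(outcomes, roster):
    """Click, credential-submission and report rates per department, each
    as a fraction of the recipients in that department."""
    sent = defaultdict(int)
    hits = defaultdict(lambda: defaultdict(int))
    for eid, actions in outcomes.items():
        dept = roster[eid]["dept"]
        sent[dept] += 1
        for a in actions:
            hits[dept][a] += 1
    return {
        d: {a: hits[d][a] / sent[d] for a in ("clicked", "submitted", "reported")}
        for d in sent
    }


def constructed_events():
    """Constructed event log as the tracking endpoint would record it."""
    t = token_for
    return [
        {"token": t("e001"), "action": "clicked", "ua": "Mozilla/5.0"},
        {"token": t("e001"), "action": "submitted", "ua": "Mozilla/5.0"},
        {"token": t("e002"), "action": "clicked", "ua": "SafeLinks/1.0"},  # gateway, not the user
        {"token": t("e002"), "action": "reported", "ua": "ReportPhish-Addin/2.0"},
        {"token": t("e003"), "action": "reported", "ua": "ReportPhish-Addin/2.0"},
        {"token": t("e004"), "action": "clicked", "ua": "Mozilla/5.0"},
        {"token": "deadbeefdeadbeef", "action": "submitted", "ua": "Mozilla/5.0"},
    ]


if __name__ == "__main__":
    outcomes, rejected = attribute(constructed_events(), ROSTER)
    for eid, actions in outcomes.items():
        print(eid, ROSTER[eid]["dept"], sorted(actions), "score", score(actions))
    print("department rates", department_rates(outcomes, ROSTER))
    print("rejected", rejected)
```

Two design points worth keeping even in a larger platform: the rejected list is reviewed, not discarded, because a burst of unknown tokens usually means a recipient forwarded the lure (itself a finding), and the scoring weights are agreed with the client before the campaign so that the per-employee numbers in the report cannot be accused of being tuned after the fact.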
Full Human Attack Surface Coverage
From baseline phishing campaigns and executive whaling through credential harvesting, vishing, physical access, and repeat metric-driven improvement programmes.
Email Phishing Campaigns
High-volume email phishing campaigns establishing a quantified baseline click rate for your entire workforce — measured against industry benchmarks for your sector and employee count, providing a quantified starting point for your human risk improvement programme.
Spear-Phishing & Whaling
Hyper-targeted spear-phishing campaigns against executives, finance leadership, and IT administrators — using OSINT to build highly personalised pretexts that accurately mimic the real threats these high-value individuals face from sophisticated threat actors.
Credential Harvesting Simulation
Cloned login pages for your actual SSO, email, and collaboration platforms — measuring which employees will submit credentials to a convincing lookalike page, identifying your highest-risk social engineering outcome and the employees most vulnerable to credential theft.
Vishing (Voice Phishing)
Targeted telephone social engineering — IT helpdesk impersonation, executive pretexting, and finance wire transfer scenarios — measuring your workforce susceptibility to voice-based manipulation, particularly for finance, HR, and reception-level employees.
Physical Social Engineering
On-site physical intrusion attempts — tailgating, vendor impersonation, USB drop testing — assessing whether your physical security controls and employee vigilance prevent unauthorised access to restricted areas and sensitive hardware.
Repeat Campaigns & Metrics
Scheduled repeat campaigns (baseline, mid-year, year-end) with trend analysis showing click rate falling and reporting rate rising over time, and per-department risk scoring tracking the effectiveness of your security awareness training investment over a 12-month programme.
Phishing Simulation That Produces Real Risk Reduction
The difference between a phishing simulation that produces a report and one that delivers measurable human risk improvement lies in the quality of the pretext, the immediacy of the training, and the structure of the follow-on programme.
OSINT-Built Pretexts
Every campaign pretext is built from real intelligence about your organisation — real supplier names, real internal process language, real login page clones. Not generic templates that experienced employees immediately identify as simulation exercises.
Per-Employee Risk Scoring
Individual employee risk scores, not just aggregate click rates. Identifying your highest-risk individuals by name, with evidence of their specific interaction, enables targeted, proportionate training rather than blanket mandatory awareness training. Per-employee results are sensitive personal data and should be handled as such: agree in advance who sees named results, how long they are retained, and that they drive training rather than disciplinary action, because a punitive programme suppresses the reporting rate you are trying to raise.
Immediate Teachable Moments
Employees who click or comply are immediately redirected to contextual in-the-moment training — the most effective security awareness intervention. Not an email follow-up two days later, but an educational response at the exact moment of failure.
12-Month Improvement Roadmap
A single phishing simulation is a measurement. A scheduled 12-month programme is an improvement strategy — with a campaign and training schedule designed to deliver measurable, quantified click rate reduction you can report to your board.
Tooling & Frameworks We Use
Frequently Asked Questions
Everything you need to know about phishing simulation testing
Ready to Measure Your Human Risk?
A phishing simulation gives you empirical data on your most underestimated attack surface — your people. Schedule a scoping call to define your campaign scope, target departments, attack vector mix, and 12-month improvement programme.
Get in Touch
Ready to secure your future? Reach out to us for a consultation.