Social Engineering - Phishing, Vishing, and Physical Vectors
Your firewalls don't open phishing links. Your people do. Pentiq's social engineering testing measures, in controlled conditions, how susceptible your organisation actually is to the human-factor attacks that drive most real breaches - and gives you data your awareness programme can use.
Testing Methods
Comprehensive social engineering attack simulation
Phishing Campaigns
Email-based social engineering with varying sophistication levels, from basic to highly targeted spear-phishing.
- Generic phishing templates
- Targeted spear-phishing
- Executive impersonation
- Credential harvesting
Vishing (Voice Phishing)
Telephone-based social engineering using agreed pretexts and scenarios to test employee response.
- IT support impersonation
- Vendor/supplier calls
- Executive assistant targeting
- Password reset requests
Smishing (SMS Phishing)
SMS-based social engineering that targets mobile device users with common attacker lures.
- Account security alerts
- Package delivery notices
- IT system notifications
- Survey or prize scams
Measurement & Metrics
Quantifiable security awareness assessment
Open Rate
Percentage of employees who opened the suspicious emails or messages.
Click Rate
Percentage of employees who clicked on the simulated malicious links or attachments.
Credential Submission
Percentage of employees who entered credentials on the fake login pages.
Reporting Rate
Percentage of employees who properly reported the suspicious communications.
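The four rates above, together with the time-to-detection figure mentioned in the FAQ, are what a simulation platform's event log has to yield. The script below is an added example, not Pentiq's tooling: it assumes a constructed CSV event schema (one `sent` row per recipient, then any of `opened`, `clicked`, `submitted`, `reported`), counts each recipient once per action so a repeated click is not double-counted, derives time-to-detection from the first report, and pseudonymises recipient ids with a tester-held salt so the per-individual breakdown can be shared without naming people. The sample rows are made up for the example.

```python
"""Phishing-simulation metrics from a campaign event log (added example)."""
import csv
import hashlib
import io
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Every recipient has one "sent"
# row; later rows record what that recipient did. Timestamps are UTC.
SAMPLE_LOG = """recipient,dept,action,ts
u001,Finance,sent,2024-05-01T09:00:00
u002,Finance,sent,2024-05-01T09:00:00
u003,Finance,sent,2024-05-01T09:00:00
u004,HR,sent,2024-05-01T09:00:00
u005,HR,sent,2024-05-01T09:00:00
u001,Finance,opened,2024-05-01T09:04:00
u001,Finance,clicked,2024-05-01T09:05:00
u001,Finance,submitted,2024-05-01T09:06:00
u002,Finance,opened,2024-05-01T09:10:00
u002,Finance,reported,2024-05-01T09:12:00
u004,HR,opened,2024-05-01T09:20:00
u004,HR,clicked,2024-05-01T09:21:00
u004,HR,clicked,2024-05-01T09:25:00
u004,HR,reported,2024-05-01T09:30:00
u005,HR,opened,2024-05-01T10:00:00
"""

# Assumed action vocabulary for the constructed schema.
ACTIONS = ("opened", "clicked", "submitted", "reported")


def parse_log(text):
    """Parse the CSV log into dicts, converting timestamps to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def pseudonymise(recipient, salt):
    """Salted hash of a recipient id; the salt never leaves the tester,
    so the report's per-individual rows cannot be reversed by readers."""
    return hashlib.sha256((salt + recipient).encode()).hexdigest()[:12]


def campaign_metrics(events):
    """Overall and per-department rates plus time-to-detection.

    A rate is the share of recipients (those with a 'sent' row) who did the
    action at least once. Time-to-detection is seconds from the earliest
    send to the first 'reported' event, or None if nobody reported.
    """
    recipients = {}            # recipient -> department
    done = defaultdict(set)    # action -> recipients who did it
    send_time = first_report = None
    for e in events:
        if e["action"] == "sent":
            recipients[e["recipient"]] = e["dept"]
            send_time = e["ts"] if send_time is None else min(send_time, e["ts"])
        elif e["action"] in ACTIONS:
            done[e["action"]].add(e["recipient"])
            if e["action"] == "reported":
                first_report = e["ts"] if first_report is None else min(first_report, e["ts"])

    def rates(pop):
        n = len(pop)
        out = {a: (round(100.0 * len(done[a] & pop) / n, 1) if n else 0.0) for a in ACTIONS}
        out["recipients"] = n
        return out

    by_dept = defaultdict(set)
    for r, d in recipients.items():
        by_dept[d].add(r)
    ttd = None if send_time is None or first_report is None else (first_report - send_time).total_seconds()
    return {
        "overall": rates(set(recipients)),
        "by_dept": {d: rates(p) for d, p in sorted(by_dept.items())},
        "time_to_detection_s": ttd,
    }


def individual_report(events, salt):
    """Per-recipient rows for the detailed analytics, keyed by pseudonym."""
    rows = {}
    for e in events:
        if e["action"] == "sent":
            rows[e["recipient"]] = {"id": pseudonymise(e["recipient"], salt),
                                    "dept": e["dept"], **{a: False for a in ACTIONS}}
    for e in events:
        if e["action"] in ACTIONS and e["recipient"] in rows:
            rows[e["recipient"]][e["action"]] = True
    return list(rows.values())


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(json.dumps(campaign_metrics(evts), indent=2))
    print(json.dumps(individual_report(evts, "engagement-salt-placeholder"), indent=2))
```

Note that a recipient can appear in both the click and the report figures (u004 in the sample clicks twice and then reports); keeping the two rates independent is deliberate, because a report after a click is still the behaviour the awareness programme wants to reinforce.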
Simulation Scenarios
Realistic social engineering scenarios tailored to your environment
IT Support Impersonation
Attackers posing as internal IT support requesting credentials or system access.
Executive Impersonation
CEO fraud and business email compromise scenarios targeting finance and HR teams.
Vendor/Supplier Communications
Malicious emails appearing to come from legitimate business partners or suppliers.
System Security Alerts
Fake security notifications claiming account compromise or required updates.
Document Sharing Lures
Malicious attachments disguised as legitimate business documents or reports.
Survey and Research Requests
Fake surveys or research requests designed to harvest personal information.
Ethics & Safeguards
How we keep social engineering safe
Social engineering testing only works if it's done responsibly. Every engagement is bounded by written rules of engagement agreed in advance - never improvised, never punitive, and never beyond the scope your team has signed off. The aim is improving resilience, not catching people out.
Controlled and proportionate
Scoped, rate-limited, and proportionate to your environment. Lures, volumes, and pretexts are agreed with the project sponsor in advance.
Agreed in writing before launch
Signed rules of engagement cover targeted teams, exclusions (clinical, customer-facing, or vulnerable employees), test windows, and escalation paths.
No real credentials are misused
Submitted credentials are recorded for measurement only, reported back so accounts can be reset, and not retained beyond the engagement report.
HR, legal, and works council ready
Engagement design can incorporate HR sign-off, internal-comms requirements, and works council policies. Delivery can be announced, semi-announced, or blind.
Deliverables
Comprehensive reporting and improvement guidance
Executive Dashboard
High-level metrics and trends suitable for board and executive reporting.
Detailed Analytics
Departmental breakdown, individual responses, and vulnerability patterns.
Training Recommendations
Targeted awareness improvement suggestions based on simulation results.
Comparative Benchmarking
Industry comparison and improvement tracking over time.
Technical Evidence
Screenshots, response logs, and technical details for security teams.
Remediation Guidance
Specific steps to improve security awareness and reduce human-factor risk.
Common questions
Frequently asked questions.
What kinds of social engineering do you test?
Phishing (email), vishing (phone), smishing (SMS), and physical vector testing where authorised. Engagements can target broad employee populations or specific high-risk roles such as finance or executive teams.
Do we have to inform employees in advance?
That's your decision. Standard engagements are blind to maximise realism. If your organisation has policy or works council requirements, we can run announced exercises that still produce meaningful awareness data.
Is HR or legal involved in the engagement design?
Where your policy, HR, internal communications, or works council requirements need it, yes. We can build sign-off, opt-out criteria, exclusions (e.g. clinical, customer-facing, or vulnerable employees), and announced or semi-announced delivery into the rules of engagement before launch.
What happens to credentials captured during the simulation?
Submitted credentials are recorded for measurement only - we never use them to access live systems. We report submitted credentials to your security team so the accounts can be reset, and we never store them beyond what's required for the engagement report.
What metrics do we get back?
Click rate, credential submission rate, reporting rate (a key indicator of awareness programme efficacy), time-to-detection, and qualitative observations about user behaviour. Reports are anonymised at the individual level by default.
Can this support our security awareness programme?
Yes. That's the most common use case. Findings inform targeted training content, policy updates, and follow-up exercises. We can also run simulations on a recurring cadence to track improvement over time.
Get started
Measure susceptibility, then improve it.
The aim is improving resilience, not naming and shaming. Reports include the metrics, the lessons, and a defensible written record for compliance.
