Social engineering is the single biggest security threat facing your business.  A social engineering penetration test will help you evaluate your employees’ susceptibility to social engineering attacks.

Educating your employees about how social engineering attacks are carried out and implementing and maintaining appropriate security controls to mitigate them, is critical.

Social engineering testing provides a basis for highlighting issues with operating procedures and developing targeted staff awareness training.

A social engineering penetration test will help you:

  • Establish the publicly available information that an attacker could obtain about your organisation;
  • Evaluate how susceptible your employees are to social engineering attacks;
  • Determine the effectiveness of your information security policy and your cyber security controls at identifying and preventing social engineering attacks; and
  • Develop a targeted security awareness training programme.

What is social engineering?

Attackers masquerade as trusted entities and manipulate victims into compromising their security, transferring money, or providing sensitive information.

Social engineering attacks can occur both online and offline.


One of the most common social engineering methods is phishing.

Phishing attacks involve emails that appear to be from legitimate senders but contain malicious attachments or links.

Phishing emails either use drive-by downloads to install malware on victims’ machines or harvest their credentials.

Is a social engineering penetration test right for you?

If you are responsible for your organisation’s information security, you should ask yourself:

  • What information about your organisation is publicly available that could be used to facilitate social engineering attacks?
  • Are staff vulnerable to phishing and other forms of social engineering?
  • Could a social engineer gain unauthorised access to offices and site locations by exploiting weak security measures?
  • Could an attacker gain access to sensitive information from mislaid documentation?
  • What information could be obtained by someone taking hardware off-site?

Our engagement process

  1. Scoping – Before testing, our consultancy team will discuss your social engineering assessment requirements to define the scope of the test.
  2. Reconnaissance – Our social engineering team uses various intelligence-gathering techniques to collect information from public sources about your organisation.
  3. Assessment – Our social engineering team attempts to gain access to the systems and/or buildings that hold the target information defined by you.
  4. Reporting – The test results will be thoroughly analysed by an IT Governance certified tester and a full report will be prepared for you that sets out the scope of the test, the methodology used and the risks identified
  5. Workshop – Our team can also run a workshop that will help your employees identify and respond to the cyber threats conducted during the exercise.