
Social Engineering Testing & Phishing Simulations

Your technical defences mean nothing if an employee clicks the wrong link or holds the door open for a stranger. We run realistic, measurable social engineering campaigns that expose human risk before real attackers exploit it: phishing simulations, executive whaling, vishing, pretexting, USB drops, and physical access testing, all delivered by a CREST-certified principal consultant with 20+ years of enterprise technology and cybersecurity experience.

Phishing Simulation, Spear Phishing, Vishing, Executive Whaling, Pretexting, USB Drop Attacks, Physical Access, MITRE ATT&CK Initial Access

TL;DR: Social Engineering & Phishing Testing

Social engineering testing measures the human attack surface of your organisation, through targeted phishing, spear phishing, vishing, USB drop attacks, pretext-based intrusion, and physical access testing. CSPI engagements are principal-led and tailored to your industry threat model: Bay Street financial services see counterparty-impersonation phishing; Ontario healthcare sees ransomware-precursor credential harvesting; SaaS organisations see executive whaling tied to wire-transfer authorisation. Engagement length is 2-6 weeks depending on attack vectors in scope. Deliverables include click-rate metrics, credential-capture statistics, response-time analysis, dwell-time measurement, and detection-gap mapping for your SOC. Aligned to NIST SP 800-115, MITRE ATT&CK Initial Access, and PCI-DSS social engineering requirements. Includes blue team debrief.

Why Human Risk Is Your Largest Attack Surface

Industry data consistently shows that the majority of successful breaches begin with a human, not a software vulnerability. Attackers invest heavily in social engineering because it works: a convincing pretext bypasses firewalls, EDR, and MFA alike. Social engineering penetration testing gives you an objective, evidence-based measurement of your organisation's susceptibility before a threat actor runs the same campaign for real.

At Cyber Security Pentesting Inc., every social engineering assessment is scoped and executed by Arturs Stay, principal consultant, CREST-certified, OSCP/OSEP credentialed, with 20+ years of enterprise technology and cybersecurity experience. We build custom pretexts, register lookalike domains, clone portals, and craft voice scripts tailored to your industry and threat landscape. You receive per-department risk scores, department-level click and credential metrics, and a prioritised security awareness roadmap that your HR, IT, and executive leadership teams can act on immediately.

Attack Campaigns We Run

Every campaign uses real attacker tradecraft. We do not rely on off-the-shelf phishing platforms with default templates. Each engagement is built from scratch to reflect the threats your organisation actually faces.

Email Phishing: Mass Campaigns with Tracking
Broad-coverage phishing campaigns simulating opportunistic threat actors. We register lookalike domains, build pixel-tracked landing pages, and deploy campaigns to your entire workforce or defined segments. Every interaction is tracked: email opens, link clicks, credential entry, file downloads, and time-to-interaction. Results are broken down by department, seniority level, and office location so you know exactly where training investment is needed most.
Lookalike Domains, Credential Harvesting, Click Tracking, Department Breakdown
Spear Phishing: Targeted, Executive-Level
Highly personalised attacks against specific individuals using OSINT-gathered intelligence: LinkedIn profiles, press releases, conference speaker bios, corporate filings, and social media. Pretexts reference real projects, colleagues, vendors, and events to maximise credibility. We target finance teams with invoice fraud scenarios, IT personnel with system alert spoofs, and executives with board communication lures: the same vectors used in real business email compromise (BEC) campaigns.
OSINT Reconnaissance, BEC Scenarios, Invoice Fraud, Executive Targeting
Vishing: Voice-Based Social Engineering
Live telephone-based social engineering calls impersonating IT helpdesk, vendors, financial institutions, or government agencies. We script and execute calls targeting helpdesk staff (password resets, MFA bypass), finance teams (wire transfer authorisation), and executives (information disclosure). Every call is recorded with consent, transcribed, and analysed for susceptibility indicators, enabling targeted training for individuals and teams most likely to be exploited.
Helpdesk Impersonation, MFA Bypass, Wire Transfer Fraud, Call Recording
Pretexting & Impersonation
Multi-channel deception scenarios built around fabricated identities: new contractors, IT auditors, senior executives, facilities staff, or third-party vendors. We combine email, phone, and in-person vectors within a single campaign to model how sophisticated threat actors chain techniques. Pretexts are validated against your actual org structure, recent hires, and vendor relationships gathered through open-source intelligence to ensure maximum realism.
Identity Fabrication, Multi-Channel, Vendor Impersonation, OSINT-Informed
Executive Whaling
Precision attacks against C-suite, board members, and senior leadership. Whaling campaigns exploit the authority and urgency that executive communications carry. We simulate board-level fraud, M&A information fishing, investor impersonation, and regulatory authority spoofing. Scenarios are drawn from real threat intelligence on attacks targeting Canadian financial services, legal, and technology sector executives, the same industries our Toronto-based clients operate in.
C-Suite Targeting, Board Fraud, Authority Exploitation, Threat Intel-Driven
USB Drop Attacks
Physical media-based payload delivery using purpose-built devices: USB drives loaded with tracking payloads, HID attack hardware (Rubber Ducky-style), and auto-run lures disguised as company files, performance reviews, or payroll documents. Devices are dropped in car parks, reception areas, and common spaces. We track who plugs in the device, what system they use, and whether they open or execute files, a direct measure of curiosity-driven risk across your physical footprint.
USB Payloads, HID Devices, Physical Drop, Execution Tracking
Physical Access Testing: Tailgating & Badge Cloning
On-site physical intrusion tests against your premises, data centres, server rooms, and secure areas. We test tailgating controls (door-following without authentication), badge reader vulnerabilities, RFID/NFC badge cloning using portable readers, reception bypass, and visitor management weaknesses. Our testers attempt to reach high-value targets (network ports, workstations, server racks, filing cabinets) and document the access path with photographic evidence, timestamps, and a full narrative report. All physical engagements are conducted under written authorisation with a defined rules of engagement document to ensure legal compliance and tester safety.
Tailgating, Badge Cloning, RFID Attacks, Premises Intrusion, Visitor Bypass, Photographic Evidence

What We Measure

Social engineering testing without rigorous measurement is theatre. Every campaign we run produces quantified, benchmarkable data that your CISO, security team, and board can act on. The metrics below are tracked at the individual, department, and organisational level.

Click Rate
% of recipients who clicked phishing links, broken down by department, role, and seniority, benchmarked against industry averages
Credential Yield
% of click-throughs who submitted credentials on harvesting portals, the highest-severity human risk indicator
Department Risk Score
Per-department composite risk rating combining click rate, credential submission, vishing susceptibility, and physical access outcomes
Time-to-Report
How quickly employees identified and escalated suspicious activity to IT or security teams, a key indicator of security culture maturity
Repeat Offender Rate
Individuals who failed multiple campaign vectors, high-priority targets for one-on-one security coaching and additional training
Physical Bypass Success
Number and type of physical access controls defeated (door, badge, reception, secure area), with documented proof of access

Deliverables

Every social engineering engagement concludes with a structured report package designed for three audiences: your technical security team, your HR and L&D function, and your executive leadership or board. Findings are never sent by email; we deliver reports in a secure debrief session and walk through every metric, scenario outcome, and recommendation.

  • Executive Summary: Non-technical narrative of campaign scope, key findings, overall human risk rating, and strategic recommendations for leadership and audit committees.
  • Per-Department Risk Scores: Composite risk rating for every department tested, with individual breakdown by campaign vector: phishing click rate, credential submission rate, vishing susceptibility, and physical access outcomes. Includes comparison to prior engagement baselines if available.
  • Individual Interaction Log: Timestamped record of every tracked interaction (link click, credential entry, USB plug-in, call response) with anonymisation options available to comply with your HR policies.
  • Campaign Technical Appendix: Full technical detail on every pretext built, domain registered, landing page deployed, and payload used, with screenshots and source artefacts for your security team's review.
  • Security Awareness Recommendations: Tailored, prioritised training programme recommendations for each department and risk tier, including suggested content, delivery format, and re-test timeline. Mapped to real-world threats facing your industry.
  • Physical Intrusion Evidence Package: Photographic documentation of every physical access control bypassed, with timestamps, access path narrative, and remediation recommendations for your facilities and physical security teams.
  • Remediation Roadmap: Prioritised list of technical and process controls to implement (email gateway tuning, MFA enforcement, physical access hardening, and reporting workflow improvements), each with a recommended implementation timeline.
  • Re-Test Baseline Data: All campaign metrics retained in a structured format to enable direct comparison in future engagements, demonstrating measurable improvement in your security culture over time.

Methodology References

Our social engineering assessments are grounded in established industry standards and frameworks. We do not invent our own methodology; we apply the standards your auditors, regulators, and insurers recognise.

  • NIST SP 800-61 r3, Incident Response Handling: Informs how we structure time-to-report measurement and evaluate your organisation's detection and escalation capabilities in the context of a live social engineering incident.
  • Social-Engineer Penetration Testing (SET, the Social-Engineer Toolkit): The industry-standard open-source framework for phishing infrastructure, credential harvesting portals, and payload delivery. Deployed alongside custom tooling developed in-house.
  • MITRE ATT&CK, Initial Access (TA0001): Campaign TTPs are mapped directly to MITRE ATT&CK Initial Access techniques including T1566 (Phishing), T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), T1091 (Replication Through Removable Media), and T1200 (Hardware Additions). Findings reference specific technique IDs to enable threat intelligence and detection engineering alignment.
  • PTES, Penetration Testing Execution Standard, Social Engineering Section: Governs our engagement scoping, rules of engagement documentation, and campaign execution phases.
  • OWASP Testing Guide, Identity Management and Authentication Testing: Applied to credential harvesting analysis and MFA bypass scenario design.
Request a Social Engineering Assessment

Tell us your industry, headcount, and what you are most concerned about. We will scope a social engineering testing programme sized to your organisation, agree rules of engagement that satisfy your legal and HR teams, and deliver measurable results within a clearly defined timeline.


Frequently Asked Questions

What types of social engineering campaigns do you run?

Email phishing at multiple sophistication levels, executive whaling against named targets, voice phishing (vishing) against support and helpdesk paths, SMS phishing where in scope, pretexting against specific business processes (vendor impersonation, IT impersonation, finance request impersonation), and physical access testing where the engagement scope includes site visits. Campaigns can be standalone or chained as the initial-access vector for a larger red team engagement.

How do you obtain and document authorization before a campaign?

Every social engineering engagement begins with a written rules-of-engagement document signed by an authorised executive sponsor. The document specifies in-scope targets, out-of-scope individuals, permitted techniques, communication channels for active campaigns, escalation paths, and explicit authorisation to send simulated phishing emails and receive captured credentials. No campaign begins without this document in place.

How are captured credentials handled under PIPEDA?

Captured credentials are treated as personal information under PIPEDA Schedule 1, Principle 7. They are stored encrypted in an engagement-specific data vault, never sent in plaintext over email, and destroyed at engagement closure. We do not retain captured credentials after the engagement except as required to support the report and remediation re-test, and even then only in aggregated form rather than individual records.

How do you measure success in a phishing campaign?

Click rates and credential-entry rates are surface metrics, but the meaningful measurement is detection and response. Did the security team see the campaign? How long did it take from first phishing email to first alert? Were the captured credentials used against real systems before they were reset? Did users report the email through the right channel? Reports cover all four dimensions, not just the headline click rate.
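As an added illustration (not the firm's own tooling) of how the click rate, credential yield, time-to-report and repeat-offender metrics defined under "What We Measure", and the detection-timing questions in this answer, can be derived from a tracked interaction log; the log rows, field layout and event names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed interaction log (sample data, not a real campaign), one event per line:
# timestamp,vector,event,user,department. vector is phish or vish; event is
# sent|click|cred|report|fail ("fail" = disclosed information on a vishing call).
LOG = """\
2024-03-04T09:00:00,phish,sent,a.lee,Finance
2024-03-04T09:00:00,phish,sent,b.ng,Finance
2024-03-04T09:00:00,phish,sent,c.roy,IT
2024-03-04T09:00:00,phish,sent,d.kim,IT
2024-03-04T09:07:30,phish,click,a.lee,Finance
2024-03-04T09:09:10,phish,cred,a.lee,Finance
2024-03-04T09:12:00,phish,report,c.roy,IT
2024-03-04T09:20:00,phish,click,d.kim,IT
2024-03-05T14:00:00,vish,fail,a.lee,Finance
2024-03-05T14:30:00,vish,fail,b.ng,Finance
"""

def parse_log(text):
    return [(datetime.fromisoformat(ts), vec, ev, user, dept)
            for ts, vec, ev, user, dept in (l.split(",") for l in text.splitlines())]

def campaign_metrics(rows):
    """Per-department click rate, credential yield, minutes-to-report; plus repeat offenders."""
    sent, clicked, creds = defaultdict(set), defaultdict(set), defaultdict(set)
    failed, first_report = defaultdict(set), {}
    first_send = min(ts for ts, _, ev, _, _ in rows if ev == "sent")
    for ts, vector, event, user, dept in rows:
        if event == "sent":
            sent[dept].add(user)
        elif event in ("click", "fail"):
            failed[user].add(vector)          # count one failure per vector, not per event
            if event == "click":
                clicked[dept].add(user)
        elif event == "cred":
            creds[dept].add(user)
        elif event == "report":
            first_report.setdefault(dept, ts)  # earliest escalation from that department
    by_dept = {}
    for dept, users in sent.items():
        n, c = len(users), len(clicked[dept])
        by_dept[dept] = {
            "click_rate": round(100 * c / n, 1),
            "credential_yield": round(100 * len(creds[dept]) / c, 1) if c else 0.0,
            "minutes_to_report": ((first_report[dept] - first_send).total_seconds() / 60
                                  if dept in first_report else None),
        }
    # repeat offenders: users who fell for more than one campaign vector
    return by_dept, sorted(u for u, v in failed.items() if len(v) > 1)
```

A department with no report event yields `None` for time-to-report, which is itself a finding: nobody in that group escalated the lure at all.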

Do you train users after the engagement, or just test them?

Testing is the primary deliverable. We do not run user awareness training as a service. Engagement reports include the data needed for the customer's awareness team to design targeted interventions: which roles fell for which lure, which detection paths worked, and which controls (mail filtering, browser warnings, MFA prompts) caught what. The customer's existing training programme then becomes evidence-based.

How long does a social engineering engagement take?

Standalone email phishing campaigns typically run two to four weeks including reconnaissance, lure development, sending windows, follow-up data collection, and reporting. Vishing and multi-channel campaigns add one to two weeks. Engagements chained into a larger red team operation run inside the parent engagement window rather than as a separate timeline.
