
Social Engineering Testing & Phishing Simulations

Your technical defences mean nothing if an employee clicks the wrong link or holds the door open for a stranger. We run realistic, measurable social engineering campaigns that expose human risk before real attackers exploit it — phishing simulations, executive whaling, vishing, pretexting, USB drops, and physical access testing, all delivered by a CREST-certified principal consultant with 15 years of offensive security experience.

Phishing Simulation, Spear Phishing, Vishing, Executive Whaling, Pretexting, USB Drop Attacks, Physical Access, MITRE ATT&CK Initial Access

Why Human Risk Is Your Largest Attack Surface

Industry breach data consistently shows that a majority of successful intrusions involve a human element rather than a software vulnerability alone. Attackers invest heavily in social engineering because it works: a convincing pretext walks past firewalls and EDR, and push-notification or one-time-code MFA falls to MFA fatigue (prompt bombing) or to a real-time relay (adversary-in-the-middle) phishing page. Only phishing-resistant MFA such as FIDO2/WebAuthn holds up, and a test tells you which kind your staff are actually relying on. Social engineering penetration testing gives you an objective, evidence-based measurement of your organisation's susceptibility before a threat actor runs the same campaign for real.

At Cyber Security Pentesting Inc., every social engineering assessment is scoped and executed by Arturs Stay, principal consultant, CREST-certified, OSCP/OSEP credentialed, with 15 years in offensive security. We build custom pretexts, register lookalike domains, clone portals, and craft voice scripts tailored to your industry and threat landscape. You receive per-department risk scores with the underlying click and credential-submission metrics, and a prioritised security awareness roadmap that your HR, IT, and executive leadership teams can act on immediately.

Attack Campaigns We Run

Every campaign uses real attacker tradecraft. We do not rely on off-the-shelf phishing platforms with default templates. Each engagement is built from scratch to reflect the threats your organisation actually faces.

Email Phishing — Mass Campaigns with Tracking
Broad-coverage phishing campaigns simulating opportunistic threat actors. We register lookalike domains, send emails carrying a tracking pixel and a per-recipient link token, and host landing pages that log each token as it arrives, so every interaction is attributed to an individual without relying on the recipient to identify themselves. Campaigns go to your entire workforce or defined segments, and every interaction is tracked: email opens, link clicks, credential entry, file downloads, and time-to-interaction. Results are broken down by department, seniority level, and office location so you know exactly where training investment is needed most.
Lookalike Domains, Credential Harvesting, Click Tracking, Department Breakdown
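The lookalike domains mentioned above fall into a handful of predictable classes, and the same enumeration that an attacker uses to pick one is what a defender uses to decide what to pre-register or monitor. The following Python is an added example, not the consultancy's tooling: it generates candidates by character omission, adjacent-character transposition, ASCII homoglyph substitution (rn for m, 1 for l, 0 for o), hyphenation, TLD swaps and lure-style prefixes. The substitution table, TLD list and prefixes are assumptions chosen for illustration; Unicode (IDN) homoglyphs such as Cyrillic letters are deliberately left out, and whether a candidate is actually registered is not checked, so the script runs offline.

```python
"""Enumerate lookalike-domain candidates for a target domain (added example)."""
from __future__ import annotations

# Assumed ASCII homoglyph table: each key is replaced by each alternative in turn.
HOMOGLYPHS = {
    "m": ["rn", "nn"], "rn": ["m"],
    "l": ["1", "i"], "i": ["l", "1"],
    "o": ["0"], "0": ["o"],
    "e": ["3"], "a": ["4"], "s": ["5"],
    "w": ["vv"], "vv": ["w"],
    "d": ["cl"], "cl": ["d"],
}
# Assumed alternative TLDs and lure prefixes commonly seen on phishing domains.
ALT_TLDS = ["com", "co", "net", "org", "ca", "cm", "com.co"]
LURE_PREFIXES = ["secure-", "login-", "mail-", "hr-"]


def lookalikes(domain: str) -> dict[str, set[str]]:
    """Return candidate lookalikes grouped by the technique that produced them."""
    name, _, tld = domain.rpartition(".")
    out: dict[str, set[str]] = {
        "omission": set(), "transposition": set(), "homoglyph": set(),
        "hyphenation": set(), "tld": set(), "prefix": set(),
    }
    # Drop one character: example -> exmple
    for i in range(len(name)):
        out["omission"].add(f"{name[:i]}{name[i + 1:]}.{tld}")
    # Swap two adjacent, differing characters: example -> exmaple
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            out["transposition"].add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    # Replace every occurrence of a glyph (or glyph pair) with its lookalike: example -> exarnple
    for src, subs in HOMOGLYPHS.items():
        pos = name.find(src)
        while pos != -1:
            for sub in subs:
                out["homoglyph"].add(f"{name[:pos]}{sub}{name[pos + len(src):]}.{tld}")
            pos = name.find(src, pos + 1)
    # Insert a hyphen: example -> ex-ample
    for i in range(1, len(name)):
        out["hyphenation"].add(f"{name[:i]}-{name[i:]}.{tld}")
    # Same name, different suffix: example.com -> example.co
    for alt in ALT_TLDS:
        if alt != tld:
            out["tld"].add(f"{name}.{alt}")
    # Lure prefixes: secure-example.com
    for prefix in LURE_PREFIXES:
        out["prefix"].add(f"{prefix}{name}.{tld}")
    # Never report the legitimate domain itself as a candidate.
    for bucket in out.values():
        bucket.discard(domain)
    return out


if __name__ == "__main__":
    for technique, candidates in lookalikes("example.com").items():
        print(f"{technique:14s} {len(candidates):3d}  e.g. {sorted(candidates)[:3]}")
```

The output is a watch-list, not a verdict: feed the candidates to passive DNS or a WHOIS monitor to learn which an attacker has already taken, and remember that a homoglyph list is only as good as the fonts your users read mail in.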
Spear Phishing — Targeted Executive-Level
Highly personalised attacks against specific individuals using OSINT-gathered intelligence: LinkedIn profiles, press releases, conference speaker bios, corporate filings, and social media. Pretexts reference real projects, colleagues, vendors, and events to maximise credibility. We target finance teams with invoice fraud scenarios, IT personnel with system alert spoofs, and executives with board communication lures — the same vectors used in real business email compromise (BEC) campaigns.
OSINT Reconnaissance, BEC Scenarios, Invoice Fraud, Executive Targeting
Vishing — Voice-Based Social Engineering
Live telephone-based social engineering calls impersonating IT helpdesk, vendors, financial institutions, or government agencies. We script and execute calls targeting helpdesk staff (password resets, MFA re-enrolment and device changes, the route real intrusions take to defeat MFA), finance teams (wire transfer authorisation), and executives (information disclosure). Every call is recorded with consent, transcribed, and analysed for susceptibility indicators, enabling targeted training for the individuals and teams most likely to be exploited.
Helpdesk Impersonation, MFA Bypass, Wire Transfer Fraud, Call Recording
Pretexting & Impersonation
Multi-channel deception scenarios built around fabricated identities — new contractors, IT auditors, senior executives, facilities staff, or third-party vendors. We combine email, phone, and in-person vectors within a single campaign to model how sophisticated threat actors chain techniques. Pretexts are validated against your actual org structure, recent hires, and vendor relationships gathered through open-source intelligence to ensure maximum realism.
Identity Fabrication, Multi-Channel, Vendor Impersonation, OSINT-Informed
Executive Whaling
Precision attacks against C-suite, board members, and senior leadership. Whaling campaigns exploit the authority and urgency that executive communications carry. We simulate board-level fraud, M&A information fishing, investor impersonation, and regulatory authority spoofing. Scenarios are drawn from real threat intelligence on attacks targeting Canadian financial services, legal, and technology sector executives — the same industries our Toronto-based clients operate in.
C-Suite Targeting, Board Fraud, Authority Exploitation, Threat Intel-Driven
USB Drop Attacks
Physical media-based payload delivery using purpose-built devices: USB drives loaded with tracking payloads, HID attack hardware (Rubber Ducky-style keystroke injectors), and lure files disguised as company documents, performance reviews, or payroll spreadsheets that beacon back when opened. Windows has not auto-run files from removable storage since 2011, so execution depends on the user opening the lure, which is precisely the behaviour being measured. Devices are dropped in car parks, reception areas, and common spaces. We track who plugs in the device, what system they use, and whether they open or execute files, a direct measure of curiosity-driven risk across your physical footprint.
USB Payloads, HID Devices, Physical Drop, Execution Tracking
Physical Access Testing — Tailgating & Badge Cloning
On-site physical intrusion tests against your premises, data centres, server rooms, and secure areas. We test tailgating controls (door-following without authentication), badge reader vulnerabilities, RFID/NFC badge cloning using portable readers (legacy 125 kHz proximity cards clone in seconds; credentials such as MIFARE DESFire that authenticate with secret keys generally resist cloning, and the test confirms which you have), reception bypass, and visitor management weaknesses. Our testers attempt to reach high-value targets, including network ports, workstations, server racks, and filing cabinets, and document the access path with photographic evidence, timestamps, and a full narrative report. All physical engagements are conducted under written authorisation with a defined rules of engagement document, carried by the tester on site, to ensure legal compliance and tester safety.
Tailgating, Badge Cloning, RFID Attacks, Premises Intrusion, Visitor Bypass, Photographic Evidence

What We Measure

Social engineering testing without rigorous measurement is theatre. Every campaign we run produces quantified, benchmarkable data that your CISO, security team, and board can act on. The metrics below are tracked at the individual, department, and organisational level.

Click Rate
% of recipients who clicked phishing links, broken down by department, role, and seniority — benchmarked against industry averages
Credential Yield
% of click-throughs who submitted credentials on harvesting portals — the highest-severity human risk indicator
Department Risk Score
Per-department composite risk rating combining click rate, credential submission, vishing susceptibility, and physical access outcomes
Time-to-Report
How quickly employees identified and escalated suspicious activity to IT or security teams — a key indicator of security culture maturity
Repeat Offender Rate
Individuals who failed multiple campaign vectors — high-priority targets for one-on-one security coaching and additional training
Physical Bypass Success
Number and type of physical access controls defeated — door, badge, reception, secure area — with documented proof of access

Deliverables

Every social engineering engagement concludes with a structured report package designed for three audiences: your technical security team, your HR and L&D function, and your executive leadership or board. Findings are never sent by email — we deliver reports in a secure debrief session and walk through every metric, scenario outcome, and recommendation.

  • Executive Summary — Non-technical narrative of campaign scope, key findings, overall human risk rating, and strategic recommendations for leadership and audit committees.
  • Per-Department Risk Scores — Composite risk rating for every department tested, with individual breakdown by campaign vector: phishing click rate, credential submission rate, vishing susceptibility, and physical access outcomes. Includes comparison to prior engagement baselines if available.
  • Individual Interaction Log — Timestamped record of every tracked interaction (link click, credential entry, USB plug-in, call response) with anonymisation options available to comply with your HR policies.
  • Campaign Technical Appendix — Full technical detail on every pretext built, domain registered, landing page deployed, and payload used — with screenshots and source artefacts for your security team's review.
  • Security Awareness Recommendations — Tailored, prioritised training programme recommendations for each department and risk tier, including suggested content, delivery format, and re-test timeline. Mapped to real-world threats facing your industry.
  • Physical Intrusion Evidence Package — Photographic documentation of every physical access control bypassed, with timestamps, access path narrative, and remediation recommendations for your facilities and physical security teams.
  • Remediation Roadmap — Prioritised list of technical and process controls to implement — email gateway tuning, MFA enforcement, physical access hardening, and reporting workflow improvements — each with a recommended implementation timeline.
  • Re-Test Baseline Data — All campaign metrics retained in a structured format to enable direct comparison in future engagements, demonstrating measurable improvement in your security culture over time.

Methodology References

Our social engineering assessments are grounded in established industry standards and frameworks. We do not invent our own methodology — we apply the standards your auditors, regulators, and insurers recognise.

  • NIST SP 800-61 Rev. 3 — Incident Response Recommendations and Considerations for Cybersecurity Risk Management (superseding the Rev. 2 Computer Security Incident Handling Guide) — Informs how we structure time-to-report measurement and evaluate your organisation's detection and escalation capabilities in the context of a live social engineering incident.
  • Social-Engineer Toolkit (SET) — TrustedSec's open-source framework for phishing infrastructure, credential harvesting portals, and payload delivery. A tool rather than a methodology; deployed alongside custom tooling developed in-house.
  • MITRE ATT&CK — Initial Access (TA0001) — Campaign TTPs are mapped directly to MITRE ATT&CK Initial Access techniques including T1566 (Phishing), T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link), T1566.004 (Spearphishing Voice, for vishing), T1091 (Replication Through Removable Media), and T1200 (Hardware Additions). Findings reference specific technique IDs to enable threat intelligence and detection engineering alignment.
  • PTES — Penetration Testing Execution Standard, Social Engineering Section — Governs our engagement scoping, rules of engagement documentation, and campaign execution phases.
  • OWASP Web Security Testing Guide (WSTG) — Identity Management and Authentication Testing — Applied to credential harvesting analysis and MFA bypass scenario design.
Request a Social Engineering Assessment

Tell us your industry, headcount, and what you are most concerned about. We will scope a social engineering testing programme sized to your organisation, agree rules of engagement that satisfy your legal and HR teams, and deliver measurable results within a clearly defined timeline.
