Hard2bit

Retail · Human risk

Social engineering and human risk programme at a retail chain

A Spanish retail chain with 80 stores and around 1,500 employees stopped a €240,000 CEO fraud at the last minute — through luck, not process. The board commissioned Hard2bit to run a social engineering assessment, authorised in writing, followed by a six-month human risk programme. Phishing click rates fell from 31% to 7% and the reporting rate grew ninefold.

Sector: Retail · distribution
Size: ~1,500 employees · 80 stores
Scope: Phishing · vishing · physical intrusion
Platform: CortexShield · human risk management
Duration: Assessment + 6-month programme
Outcome: Clicks 31%→7% · reporting 4%→38%

The starting point

It started with an email. The finance office received an urgent request for a €240,000 transfer, apparently signed by the managing director. The payment was already in the approval chain when an employee felt something was off about the tone and rang the director's office directly. No such request existed. The fraud was stopped in time, but the board drew the right conclusion: they had been saved by one person's instinct, not by any process designed to catch it.

The board commissioned Hard2bit to run a genuine social engineering assessment, authorised in writing with agreed rules of engagement — what could be attempted, where, and how far. Three vectors: email phishing across the entire workforce in segmented waves (head office versus stores), vishing calls to the customer service team and to stores while posing as IT support, and pretext-based physical intrusion at five selected stores, presenting ourselves as engineers from the POS terminal supplier.

The baseline was sobering: 31% of the workforce clicked the phishing emails and 14% handed over their credentials. On the phone, six out of ten stores gave up sensitive information or carried out actions requested by the caller. And at three of the five stores visited, the physical pretext gained access to the back room and to an unlocked workstation. Only 4% of those who received the phishing reported it.

How we approached it

  1. Authorised assessment across three vectors — segmented phishing waves, vishing under an IT-support pretext and physical intrusion at stores, all under written authorisation from the board, with a bounded scope and without singling out any individual employee: results were handled in aggregate only.
  2. Role-based micro-training on CortexShield — a till operator's threat scenario has nothing in common with a treasury clerk's or an IT admin's. Training modules of under five minutes, built around the very pretexts we had used against each group, deployed and measured through CortexShield, Hard2bit's human risk management platform.
  3. Monthly simulations of increasing difficulty — from generic lures to tailored pretexts (the POS supplier, an internal HR campaign, a payroll incident), measured by role and by site so reinforcement went wherever the data said it was needed.
  4. Dual-channel payment verification procedure — no payment order or bank account change is executed without confirmation through a second channel (a call back to a number already held on file, never one supplied in the email itself). Simple, mandatory and with no exceptions for seniority: it applies even when "the managing director" is asking.
  5. One-click reporting channel with feedback — a report button in the mail client, a response within minutes, and one non-negotiable cultural rule: celebrate the report, never punish the click. Reporters got a thank-you; nobody was named for falling for a lure.
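Steps 1, 3 and 5 above rest on measuring each wave by role and by site, in aggregate only, and on treating the reporting rate and time-to-first-report as the metrics that matter. The script below is an added illustration of that measurement, not code from the page, from Hard2bit or from CortexShield. It runs over a constructed sample wave (the records, roles, site names and thresholds are assumptions for the example): records carry no employee identifier, so nothing can be traced to a person, and the reinforcement thresholds are illustrative values, not the programme's.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Callable, Dict, List, NamedTuple, Optional


class Recipient(NamedTuple):
    """One recipient of a simulated phishing wave. Deliberately no name or
    employee id: results are handled in aggregate, never by person."""
    role: str
    site: str
    clicked: bool
    submitted_creds: bool
    report_min: Optional[int]   # minutes from delivery to report; None = never reported


# Constructed sample wave (illustrative, not data from the programme).
SAMPLE_WAVE: List[Recipient] = [
    Recipient("till",     "store-12", True,  True,  None),
    Recipient("till",     "store-12", True,  False, None),
    Recipient("till",     "store-12", False, False, 45),
    Recipient("till",     "store-12", False, False, None),
    Recipient("till",     "store-07", False, False, 3),
    Recipient("till",     "store-07", True,  False, 20),
    Recipient("treasury", "hq",       False, False, 2),
    Recipient("treasury", "hq",       False, False, 6),
    Recipient("treasury", "hq",       True,  True,  None),
    Recipient("treasury", "hq",       False, False, None),
    Recipient("it",       "hq",       False, False, 1),
    Recipient("it",       "hq",       False, False, 4),
]


@dataclass
class SegmentMetrics:
    recipients: int
    click_rate: float
    credential_rate: float
    report_rate: float
    first_report_min: Optional[int]     # the containment clock: earliest report in the segment
    median_report_min: Optional[float]  # typical delay among those who did report


def segment_metrics(records: List[Recipient],
                    key: Callable[[Recipient], str]) -> Dict[str, SegmentMetrics]:
    """Aggregate a wave by an arbitrary segment key (role or site)."""
    groups: Dict[str, List[Recipient]] = defaultdict(list)
    for r in records:
        groups[key(r)].append(r)
    out: Dict[str, SegmentMetrics] = {}
    for name, rows in groups.items():
        n = len(rows)
        reports = [r.report_min for r in rows if r.report_min is not None]
        out[name] = SegmentMetrics(
            recipients=n,
            click_rate=sum(r.clicked for r in rows) / n,
            credential_rate=sum(r.submitted_creds for r in rows) / n,
            report_rate=len(reports) / n,
            first_report_min=min(reports) if reports else None,
            median_report_min=median(reports) if reports else None,
        )
    return out


def reinforcement_targets(metrics: Dict[str, SegmentMetrics],
                          max_click: float = 0.20,
                          min_report: float = 0.30) -> List[str]:
    """Segments that get the next round of targeted training: too many clicks
    or too few reports. Thresholds are illustrative assumptions."""
    return sorted(name for name, m in metrics.items()
                  if m.click_rate > max_click or m.report_rate < min_report)


def print_table(title: str, metrics: Dict[str, SegmentMetrics]) -> None:
    print(f"\n{title}")
    print(f"{'segment':10} {'n':>3} {'click':>6} {'creds':>6} {'report':>7} {'first':>6} {'median':>7}")
    for name, m in sorted(metrics.items()):
        first = "-" if m.first_report_min is None else f"{m.first_report_min}m"
        med = "-" if m.median_report_min is None else f"{m.median_report_min:.0f}m"
        print(f"{name:10} {m.recipients:3d} {m.click_rate:6.0%} {m.credential_rate:6.0%} "
              f"{m.report_rate:7.0%} {first:>6} {med:>7}")


if __name__ == "__main__":
    by_role = segment_metrics(SAMPLE_WAVE, key=lambda r: r.role)
    by_site = segment_metrics(SAMPLE_WAVE, key=lambda r: r.site)
    print_table("By role", by_role)
    print_table("By site", by_site)
    print("\nReinforce (role):", reinforcement_targets(by_role))
    print("Reinforce (site):", reinforcement_targets(by_site))
```

Two design points carry the page's argument. The record type has no field that could identify a person, so the aggregation cannot produce a per-employee list even by accident, which is what "celebrate the report, never punish the click" needs in practice. And the segment output reports the earliest and median minutes-to-report alongside the click rate, because a segment with a 50% click rate but a first report at three minutes is containable, whereas one with a 25% click rate and a first report at 45 minutes is not.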

Results

31% → 7%

phishing click rate at the month-seven reassessment; credentials submitted: from 14% to 1.2%

4% → 38%

workforce reporting rate — the metric that genuinely protects

6/10 → 1/10

stores that gave up information or carried out actions under vishing

The epilogue came in month nine, well outside any simulation: a treasury employee received a real CEO fraud attempt. She followed the dual-channel procedure, confirmed the request was false and reported it within minutes. This time it was not luck — it was the process working exactly as it had been trained.

What made it work

  • The click rate never reaches zero: what protects the organisation is fast reporting, and that metric went from 4% to 38%.
  • Role-based training works; one-size-fits-all does not. A till operator's scenario has nothing to do with treasury's or IT's.
  • The dual-channel procedure saves money whether or not anyone hesitates: verification makes the call, not intuition.

Frequently asked questions

Is it legal to run social engineering tests on employees?

Yes, provided it is done under written authorisation from the company's management and with rules of engagement agreed in advance: what may be attempted, where, and how far. The design must be ethical — no individual employee is singled out — and results are handled in aggregate, by role or by site, never by name. The point is to measure the organisation, not to expose people.

Which vectors does a social engineering assessment cover?

The three that real attackers use: email phishing in waves segmented by group, vishing (pretext phone calls, for instance posing as IT support) and pretext-based physical intrusion, such as turning up at an office or store as an engineer from a supplier. Testing email alone leaves out precisely the channels where many organisations are most vulnerable.

Which metric actually matters — the click rate?

The click rate never reaches zero, however much training you run. The metric that genuinely protects is the reporting rate: how many people flag something suspicious, and how quickly. A report within minutes lets you contain a campaign before it does damage. That is why the programme pairs simulations with a one-click reporting channel and one clear cultural rule: celebrate the report, never punish the click.

How often should simulations be repeated?

A one-off annual campaign barely shifts habits. What works is an ongoing programme with monthly simulations of increasing difficulty — from generic lures to tailored pretexts — measured by role and by site so reinforcement goes wherever the data points, plus a full reassessment at six to twelve months to compare against the baseline.

Do you know how your workforce would respond today?

An authorised social engineering assessment gives you the real baseline — without naming anyone — and a human risk programme turns that data into habits that stop genuine fraud.