Social engineering and phishing campaigns
Your biggest weakness is not a machine.
We run controlled social engineering campaigns the way a real attacker would: spear phishing, calls, texts, pretexts and even physical intrusion. We measure the human factor and train your people.
The link nobody patches
Money goes into hardening the systems, yet the most effective attack still comes in through the person who opens the door.
The most exploited vector
The vast majority of breaches begin with a person: a convincing email, a hurried call, a well-crafted pretext. The human is the door attackers prefer.
Technology does not filter deception
Spam filters and MFA help, but a well-designed pretext works around them: a cloned portal that relays a one-time code or push approval in real time still ends in a valid session (only phishing-resistant MFA such as FIDO2 closes that relay path), and a call that talks someone into installing software or paying an invoice never touches a credential at all. When the message looks legitimate and lands at the right moment, no tool decides for the person.
Measuring beats the classroom
A theory course is soon forgotten; a real campaign leaves a mark. Measuring what actually happens gives an honest baseline and makes the training that follows land exactly where it is needed.
How we design and run the campaign
OSINT and pretext design
Reconnaissance of public information, organisational structure and the signals an attacker would exploit, to build credible lures and pretexts tailored to your real context.
Rules of engagement sign-off
Defining and signing off scope, permitted vectors, execution windows and ethical limits with senior management: what may be simulated, against which groups and what is expressly out of bounds.
Multichannel execution
Coordinated launch of the agreed vectors: spear phishing, vishing, smishing, pretexting, email impersonation and controlled physical intrusion, always respecting the rules of engagement.
Measurement and analysis
Recording click rates, credential submission, actions taken and, crucially, the report rate. Data is aggregated by group and individual people are never named.
Report and awareness
Prioritised findings with a measurable baseline, awareness recommendations and specific training for the most exposed teams, aimed at improving the next campaign.
What you get at the end
A technical and executive report with a measurable baseline of the human factor, the vectors that worked and why, plus an awareness and training plan aimed at the most exposed teams.
- Click rates, credential submission, actions taken and reporting to the security team.
- Results aggregated by group, with no individual people named.
- Analysis of the pretexts and vectors most effective against your organisation.
- Prioritised awareness and training plan, geared towards continuous improvement.
"The figure that matters most is not how many people took the bait, but how many raised the alarm. An organisation that reports quickly is far harder to compromise than one that merely does not click."
— Offensive Security Team, Hard2bit
Vectors we simulate
A real attacker does not stick to a single channel. We reproduce the full range of techniques in use today against organisations, always within the agreed rules of engagement.
Spear phishing and bulk phishing
From a mass send with a generic lure through to a tailored email aimed at one person or one department, using look-alike domains, cloned credential-capture portals and pretexts built from genuine public information.
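Look-alike domains are the part of this vector a defender can get ahead of. As an added illustration (not Hard2bit's tooling and not code from this page), the Python below enumerates the variants of your own domain an attacker could register, so they can be pre-registered or watched, and checks a sender domain against them. "example.com", the homoglyph table, the affix list and the TLD list are assumed sample values; the check is an exact match against the enumerated classes, so a domain outside them is not flagged.

```python
"""Added example: enumerate look-alike variants of your own domain and check a
sender domain against them. Not Hard2bit's tooling; 'example.com' is a placeholder."""

# Single-character swaps that read like the original at a glance.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv", "d": "cl"}
# Assumed set of alternative TLDs worth watching.
TLDS = ("com", "net", "org", "co", "io")
# Assumed affixes attackers bolt on to sound official.
AFFIXES = ("secure", "login", "mail", "support")


def lookalikes(domain: str) -> set[str]:
    """Return look-alike domains an attacker could register for `domain`."""
    label, _, tld = domain.lower().rpartition(".")
    labels: set[str] = set()
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:                                # homoglyph: examp1e
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        labels.add(label[:i] + label[i + 1:])               # omission: exampl
        labels.add(label[:i] + ch + label[i:])              # repetition: exaample
        if i + 1 < len(label) and ch != label[i + 1]:       # transposition: exmaple
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    for affix in AFFIXES:                                   # example-login, login-example
        labels.add(f"{label}-{affix}")
        labels.add(f"{affix}-{label}")
    variants = {f"{v}.{tld}" for v in labels}
    variants |= {f"{label}.{t}" for t in TLDS if t != tld}  # example.net
    variants.discard(domain.lower())
    return variants


def is_lookalike(sender_domain: str, legit_domain: str) -> bool:
    """True when the sender's domain is one of the enumerated look-alikes.
    Exact match only: a domain outside these classes is not flagged."""
    return sender_domain.lower() in lookalikes(legit_domain)


if __name__ == "__main__":
    for d in ("examp1e.com", "exarnple.com", "example-login.com",
              "example.net", "exemplar.com"):
        print(d, is_lookalike(d, "example.com"))
```

Feed `lookalikes()` your real domain and register or monitor the output; feed `is_lookalike()` the sender domains from your mail logs to flag the ones that match.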
Vishing (phone pretext)
Calls built on a believable pretext: IT support asking someone to install something, a supplier chasing an invoice, a director in a hurry. A live voice carries a pressure that email cannot, which is exactly why it works.
Smishing (SMS and messaging)
Text and messaging-app lures that mimic banks, couriers or internal services. A phone is read with far less attention than a desktop inbox, and the shortened link hides where it really leads.
Pretexting
The invented scenario and false identity that give cover to the whole operation: who you claim to be, why you are getting in touch and what you need. It is the foundation the other vectors rest on.
QRishing and USB devices
Malicious QR codes on posters or in emails that lead to spoofed portals, and USB devices dropped in common areas. A plain USB drop relies on curiosity: someone has to open the file it carries. A BadUSB device needs no file at all: it presents itself as a keyboard and types its payload the moment it is plugged in.
Physical intrusion under pretext
Tailgating (slipping in behind an employee who holds the door), impersonating a supplier or engineer, and reaching restricted areas. Social engineering does not stop at the screen: often the real goal is to get inside the building.
Chained multichannel campaigns
Real attacks rarely rely on one vector alone. We chain techniques the way an adversary would: a text that softens the ground for a call, an email that lends credibility to an on-site visit, a phone pretext that legitimises a link. That multichannel approach is also what runs inside a full-spectrum Red Team exercise.
Ethics and rules of engagement
Simulating an attacker against your own people demands a strict ethical framework. It is non-negotiable: it defines how we work and protects both the organisation and every individual employee.
Management consent
No campaign starts without the explicit written authorisation of senior management. Objectives, scope, permitted vectors, execution windows and anything expressly off-limits are all agreed in advance.
Nobody is singled out
Employees who fall for it are neither penalised nor exposed. We do not hand over lists of names. Someone clicking on a busy Tuesday is a data point about the organisation, not a personal failing. The aim is to improve, not to find culprits.
Aggregated, anonymised data
Results are presented aggregated by department, group or campaign, never by individual. Any personal data generated during the simulation is handled with care, kept to a minimum and anonymised in the final report.
Legal and data-protection compliance
We work within the applicable legal framework and data-protection rules. The organisation's consent, the signed scope and responsible handling of information are requirements, not extras. The campaign is lawful precisely because it is run this way.
What we measure and deliver
A campaign without metrics is just an anecdote. We record objective indicators that give you an honest baseline of the human factor and let you measure the improvement in the next round.
Exposure metrics
Delivery rate, open rate and click rate on the lure, plus credential submission and execution of risky actions. The full journey, from the message arriving to someone acting on it.
Detection capability
The metric that matters most: the report rate to the security team or SOC and the time it takes to raise the alarm. An organisation that spots and reports quickly is far harder to compromise than one that merely does not click.
Report and improvement plan
An aggregated report with the baseline, the pretexts that worked and why, plus concrete awareness and follow-up training recommendations for the most exposed teams, geared towards continuous improvement.
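As an added illustration of the figures named under "Measurement and analysis" and "What we measure and deliver" (not Hard2bit's tooling and not code from this page), the Python below turns a constructed campaign event log into the delivery, open, click, credential-submission and report rates per department, plus the median minutes until someone raised the alarm. Target identifiers, department names, timestamps and the 5-person minimum group size are assumed sample values; target ids are dropped at parse time and any department below the minimum size is merged into an "other" bucket, so the aggregate cannot be traced back to one person.

```python
"""Added example: campaign metrics from a constructed event log, aggregated by
department so that no individual is identifiable. Not Hard2bit's own tooling."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median

MIN_GROUP = 5  # assumed: groups smaller than this are merged into "other"
FUNNEL = ("delivered", "opened", "clicked", "submitted", "reported")

# Constructed sample log (not real data). One row per target:
#   target_id,department,event@minutes_after_send;event@minutes;...
# An empty event list means the lure bounced and was never delivered.
SAMPLE_LOG = """\
t01,finance,delivered@0;opened@4;clicked@5;submitted@6
t02,finance,delivered@0;opened@30;reported@32
t03,finance,delivered@0
t04,finance,delivered@0;opened@60;clicked@61;reported@63
t05,finance,delivered@0
t06,finance,
t07,it,delivered@0;opened@1;reported@2
t08,it,delivered@0
t09,it,delivered@0;opened@10
t10,it,delivered@0
t11,it,delivered@0;opened@20;reported@25
t12,legal,delivered@0;clicked@15
"""


@dataclass
class GroupStats:
    sent: int = 0
    counts: dict[str, int] = field(default_factory=lambda: {e: 0 for e in FUNNEL})
    report_minutes: list[int] = field(default_factory=list)


def parse_log(text: str) -> dict[str, list[dict[str, int]]]:
    """Return department -> list of per-target timelines {event: minutes}.
    The target id is discarded here, so nothing downstream can name a person."""
    by_dept: dict[str, list[dict[str, int]]] = defaultdict(list)
    for line in text.strip().splitlines():
        _target, dept, events = line.split(",", 2)
        timeline: dict[str, int] = {}
        for item in filter(None, events.split(";")):
            name, minutes = item.split("@")
            timeline[name] = int(minutes)
        by_dept[dept].append(timeline)
    return by_dept


def aggregate(by_dept: dict[str, list[dict[str, int]]]) -> dict[str, GroupStats]:
    """Count the funnel per department, merging small groups into 'other'."""
    stats: dict[str, GroupStats] = defaultdict(GroupStats)
    for dept, timelines in by_dept.items():
        bucket = dept if len(timelines) >= MIN_GROUP else "other"
        g = stats[bucket]
        for timeline in timelines:
            g.sent += 1
            for event in FUNNEL:
                if event in timeline:
                    g.counts[event] += 1
            if "reported" in timeline:
                g.report_minutes.append(timeline["reported"])
    return dict(stats)


def rates(g: GroupStats) -> dict[str, float | None]:
    """Rates are per delivered lure; delivery itself is per lure sent."""
    delivered = g.counts["delivered"]

    def frac(n: int, d: int) -> float | None:
        return round(n / d, 3) if d else None

    return {
        "delivery_rate": frac(delivered, g.sent),
        "open_rate": frac(g.counts["opened"], delivered),
        "click_rate": frac(g.counts["clicked"], delivered),
        "submit_rate": frac(g.counts["submitted"], delivered),
        "report_rate": frac(g.counts["reported"], delivered),
        "median_minutes_to_report": median(g.report_minutes) if g.report_minutes else None,
    }


def campaign_report(text: str) -> dict[str, dict[str, float | None]]:
    """Aggregated, anonymised metrics per department bucket."""
    return {dept: rates(g) for dept, g in aggregate(parse_log(text)).items()}


if __name__ == "__main__":
    for dept, r in campaign_report(SAMPLE_LOG).items():
        print(dept, r)
```

Run on the sample, the IT bucket clicks nothing and reports in a median of 13.5 minutes, while finance loses one credential and takes 47.5 minutes to raise the alarm; the single legal target is folded into "other" rather than reported on its own. The report rate and the time to the first alarm are the two numbers to track from one campaign to the next.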
Measurement is not the end of the project but the starting point. Ongoing awareness and sustained training are underpinned by our human-risk platform CortexShield, which turns the findings from each campaign into targeted training and a measurable security culture.
Social engineering within Red Team
For a real adversary, social engineering is rarely an end in itself: it is the way in. That is why it fits so naturally into full-spectrum exercises, where a phone pretext or a targeted email opens the door that is then exploited at a technical level.
In a Red Team exercise we chain the human factor with lateral movement, persistence and exfiltration to reproduce a complete attack and measure how your organisation actually responds, not just how your systems do.
- Social engineering as the initial access vector within a realistic adversary scenario.
- Chained with the offensive techniques of the Pentesting and Red Team pillar.
- Measurement of the full chain: from the initial click through to detection and response by the defensive team.
- A complement to ethical hacking, adding the dimension technology cannot cover: the person.
Frequently asked questions about social engineering
Is this not illegal or unfair to the staff?
Why a real campaign rather than a simple training course?
Do you name the employees who fall for it?
How long does a social engineering campaign take?
Do you include physical intrusion, such as getting into the office?
How do you measure the outcome of the campaign?
Does this train the staff or only measure them?
Where does this fit within the Hard2bit portfolio?
How would your people react today?
Request a controlled social engineering campaign and we will tell you, with evidence and within an ethical framework, how your organisation really responds to a real attack.