Phishing & Social Engineering Services
Our Phishing & Social Engineering services simulate real-world attack techniques to test your organisation’s human defenses. By crafting targeted phishing emails, vishing calls, and on-site social engineering scenarios, we help you identify weaknesses in user awareness and incident response processes.
We combine technical and psychological tactics—email spoofing, deceptive websites, phone-based pretexting, and physical security probes—to provide a comprehensive evaluation of your people, processes, and technology. Each engagement is tailored to your industry and threat profile, ensuring maximum relevance and actionable insights.
Our methodology aligns with industry best practices, including frameworks from SANS, NIST, and the Anti-Phishing Working Group (APWG). We deliver detailed findings, training recommendations, and remediation guidance to strengthen your security culture and reduce risk.

Phishing & Social Engineering Offerings
- Email Phishing Simulation – Custom-crafted spear-phishing campaigns to test email filtering and user vigilance.
- Vishing (Voice Phishing) – Phone-based social engineering to assess call-handling procedures.
- SMiShing (SMS Phishing) – Mobile messaging attacks to evaluate employee awareness of deceptive texts.
- Credential Harvesting Landing Pages – Fake login portals to simulate real-world phishing sites.
- Security Awareness Training – Interactive modules and real-time feedback to reinforce best practices.
- Policy & Procedure Review – Evaluation of existing anti-phishing policies, incident reporting workflows, and escalation paths.
- Physical Social Engineering – On-site attempts to gain unauthorized access to facilities or sensitive information.
- USB Drop Tests – Seeding USB devices carrying harmless, instrumented payloads to test endpoint controls (autorun, device control, EDR) and whether staff plug in unknown media.
- Tailgating & Impersonation – Physical entry by posing as legitimate personnel to assess access controls.
- Red Team Integration – Collaborative scenarios combining phishing with other attack vectors.
- Executive Impersonation – High-risk social engineering campaigns targeting leadership.
- Post-Engagement Training Workshops – Hands-on debrief sessions to educate employees on identified weaknesses.
Engagement Phases
Our approach covers each stage of a social engineering attack:
1. Reconnaissance & Target Profiling
Gathering publicly available information and crafting realistic pretexts.
2. Attack Execution
Deploying phishing emails, vishing calls, or physical intrusion attempts to test controls.
3. Incident Response & Analysis
Monitoring user interactions (opens, clicks, credential submissions, and reports to the security team), phishing click rates, and social engineering success metrics, together with how quickly the incident response process detects and escalates the simulated attack.
4. Reporting & Remediation
Comprehensive report with technical details, user behavior analysis, and training recommendations.
Key Areas of Focus
Our assessments address critical social engineering domains:
- Email Security – Spoof detection, link analysis, attachment safety, and email filtering effectiveness.
- User Awareness – Recognition of phishing indicators, reporting procedures, and best practices.
- Voice Security – Phone verification and callback procedures, call-handling protocols, and whether staff rely on caller ID, which an attacker can spoof at will.
- Physical Security – Access badge enforcement, visitor sign-in protocols, and tailgating prevention.
- Policy & Training – Existing anti-phishing policies, security awareness curriculum, and simulation frequency.
- Technical Controls – Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC) with an enforcing policy, and secure email gateway configuration.
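The SPF/DKIM/DMARC review above is the first thing to check before sending a spoofed email in an assessment: if the target domain's records let a spoofed From: through, the simulation should say so. The following Python script is an added example, not the provider's own tooling. It parses SPF and DMARC TXT records, flags the settings that leave a domain spoofable (softfail, p=none, too many SPF lookups, missing reports, missing DKIM key), and gives a verdict per domain. The domains, records, and DKIM selector names are constructed for the example; a real run would back `txt_lookup` with a DNS resolver.

```python
import re

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10 per check.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_spf(record):
    """Summarise an SPF TXT record: the qualifier on 'all' (what happens to a sender
    that matches nothing else) and how many DNS-lookup terms it contains."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier = "+"                      # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record):
    """Parse 'tag=value;' pairs from a DMARC TXT record into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_domain(domain, txt_lookup, selectors=()):
    """Return (verdict, findings). txt_lookup(name) yields the TXT strings at a DNS
    name; selectors are DKIM selector names you already know (they cannot be
    enumerated from DNS). Verdict is 'spoofable', 'partially enforced' or 'enforced'."""
    findings, spoofable, partial = [], False, False

    spf = next((p for p in map(parse_spf, txt_lookup(domain)) if p), None)
    if spf is None:
        findings.append("No SPF record: any host can send mail claiming this domain")
        spoofable = True
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF 'all' is missing, '+all' or '?all': SPF never fails a spoofed sender")
            spoofable = True
        elif spf["all"] == "~":
            findings.append("SPF ends in '~all' (softfail): receivers usually still deliver; enforcement depends on DMARC")
            partial = True
        if spf["lookups"] > 10:
            findings.append(f"SPF needs {spf['lookups']} DNS lookups (limit 10): receivers return permerror, so SPF cannot pass")
            spoofable = True

    dmarc = next((p for p in map(parse_dmarc, txt_lookup("_dmarc." + domain)) if p), None)
    if dmarc is None:
        findings.append("No DMARC record: receivers have no policy to apply when SPF/DKIM fail")
        spoofable = True
    else:
        policy = dmarc.get("p", "none").lower()
        pct = int(dmarc.get("pct", "100"))
        if policy == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
            spoofable = True
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail goes to spam instead of being rejected")
            partial = True
        if pct < 100:
            findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
            partial = True
        if "rua" not in dmarc:
            findings.append("DMARC has no rua= address: no aggregate reports, so spoofing attempts go unseen")

    for sel in selectors:
        key = "".join(txt_lookup(f"{sel}._domainkey.{domain}"))
        if not re.search(r"\bp=\s*[A-Za-z0-9+/=]+", key):   # empty p= means the key was revoked
            findings.append(f"DKIM selector '{sel}' has no usable public key: mail signed with it fails DKIM")

    verdict = "spoofable" if spoofable else "partially enforced" if partial else "enforced"
    return verdict, findings


# Constructed TXT records for hypothetical domains; a real run would wrap a resolver.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.mailer.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "hardened.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@hardened.example"],
    "s1._domainkey.hardened.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER"],  # placeholder, not a real key
}


def sample_lookup(name):
    return SAMPLE_TXT.get(name, [])


if __name__ == "__main__":
    for d, sels in (("weak.example", ()), ("hardened.example", ("s1",)), ("nothing.example", ())):
        verdict, findings = assess_domain(d, sample_lookup, sels)
        print(f"{d}: {verdict}")
        for f in findings:
            print("  -", f)
```

Note that DMARC only governs mail whose From: header is the assessed domain; lookalike domains and display-name spoofing pass all three checks and still need to be covered by the gateway rules and user awareness portions of the assessment.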
Methodology
- Automated Email Campaigns – Bulk and targeted phishing templates with real-time click tracking.
- Manual Phishing Crafting – Personalized spear-phishing messages that mimic business context.
- Vishing Scripts & Call Flows – Pretext scripts designed to exploit common employee responses.
- Physical Reconnaissance – Site visits to evaluate building security and employee vigilance.
- Behavioral Analysis – Assessing how employees interact with phishing attempts and social engineering scenarios.
- Policy Gap Analysis – Identifying weaknesses in existing policies and response procedures.
- Training & Remediation – Customized awareness training modules based on assessment findings.
- Metrics & Reporting – Phish success rates, user reporting rates, and remediation completion metrics.
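The real-time click tracking in the automated campaigns and the metrics reported at the end of the engagement both rest on one mechanism: a unique, unforgeable link per recipient. The Python below is an added example of how a simulation platform can do this, not the provider's own code. Each recipient gets a token whose HMAC tag binds it to the campaign, so a user cannot edit the link to blame a colleague and a token from an old campaign is rejected; the landing page's event log is then rolled up into the click, submission and report rates per department. The campaign name, recipient list, landing-page host and event log are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumed per-campaign secret (constructed for this example; keep real ones in a secrets store).
CAMPAIGN_SECRET = b"constructed-example-secret-do-not-reuse"


def make_token(campaign_id, recipient_id, secret=CAMPAIGN_SECRET):
    """Per-recipient tracking token '<recipient>.<tag>'. The tag is an HMAC-SHA256 over
    campaign and recipient, so a token cannot be guessed, altered to blame another
    user, or replayed from a different campaign."""
    tag = hmac.new(secret, f"{campaign_id}:{recipient_id}".encode(), hashlib.sha256).hexdigest()[:32]
    return f"{recipient_id}.{tag}"


def tracking_url(campaign_id, recipient_id, base="https://portal-login.example/auth"):
    """Unique link embedded in each recipient's email (hypothetical landing-page host)."""
    return f"{base}?t={make_token(campaign_id, recipient_id)}"


def verify_token(campaign_id, token, secret=CAMPAIGN_SECRET):
    """Return the recipient id if the tag is valid for this campaign, else None."""
    recipient_id, _, tag = token.partition(".")
    if not recipient_id or not tag:
        return None
    expected = make_token(campaign_id, recipient_id, secret).partition(".")[2]
    return recipient_id if hmac.compare_digest(tag.encode(), expected.encode()) else None


def campaign_metrics(campaign_id, recipients, events):
    """recipients: {recipient_id: department}; events: (seconds_after_send, kind, token)
    with kind in {'click', 'submit', 'report'}. Each person counts once per kind however
    often they repeat it; events whose token fails verification (forged, mangled by a
    URL-rewriting gateway, or from another campaign) are excluded from the rates and
    counted under 'invalid_events'."""
    actions = defaultdict(set)
    invalid, first_report = 0, None
    for t, kind, token in sorted(events):
        rid = verify_token(campaign_id, token)
        if rid is None or rid not in recipients:
            invalid += 1
            continue
        actions[rid].add(kind)
        if kind == "report" and first_report is None:
            first_report = t

    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for rid, dept in recipients.items():
        done = actions.get(rid, set())
        for scope in (dept, "all"):              # per-department and overall
            s = stats[scope]
            s["sent"] += 1
            s["clicked"] += int(bool(done & {"click", "submit"}))  # a submission implies a visit
            s["submitted"] += int("submit" in done)
            s["reported"] += int("report" in done)
    for s in stats.values():
        s["click_rate"] = round(s["clicked"] / s["sent"], 2)
        s["submit_rate"] = round(s["submitted"] / s["sent"], 2)
        s["report_rate"] = round(s["reported"] / s["sent"], 2)
    return {"scopes": dict(stats), "invalid_events": invalid, "seconds_to_first_report": first_report}


# Constructed campaign data: five recipients, and a log of what the landing page saw.
CAMPAIGN = "q3-invoice-lure"
RECIPIENTS = {"u1": "finance", "u2": "finance", "u3": "engineering", "u4": "engineering", "u5": "hr"}
SAMPLE_EVENTS = [
    (120, "click", make_token(CAMPAIGN, "u1")),
    (150, "submit", make_token(CAMPAIGN, "u1")),
    (160, "click", make_token(CAMPAIGN, "u1")),            # repeat click, counted once
    (300, "report", make_token(CAMPAIGN, "u2")),
    (200, "click", make_token(CAMPAIGN, "u3")),
    (260, "report", make_token(CAMPAIGN, "u3")),           # clicked, then reported it
    (390, "click", make_token(CAMPAIGN, "u5")),
    (400, "submit", make_token(CAMPAIGN, "u5")),
    (30, "click", "u4." + "0" * 32),                       # forged tag: rejected
    (45, "click", make_token("other-campaign", "u2")),     # wrong campaign: rejected
]


if __name__ == "__main__":
    print(tracking_url(CAMPAIGN, "u1"))
    result = campaign_metrics(CAMPAIGN, RECIPIENTS, SAMPLE_EVENTS)
    for scope, s in sorted(result["scopes"].items()):
        print(f"{scope:12} sent={s['sent']} click={s['click_rate']} submit={s['submit_rate']} report={s['report_rate']}")
    print("invalid events:", result["invalid_events"], "| first report after", result["seconds_to_first_report"], "s")
```

The landing page should record only that a submission happened, never the password typed; the token already identifies the recipient, so storing credentials adds risk without adding information. Early clicks that arrive seconds after send from the same source address are usually an email gateway's link scanner rather than a user, and should be filtered out before quoting a click rate.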
Deliverables
Each engagement includes:
- Executive Summary – High-level overview of social engineering risks and business impact.
- Technical Findings – Detailed analysis of phishing emails, vishing call recordings, and physical test results.
- User Behavior Report – Statistics on click-through rates, credential submissions, and user reporting.
- Remediation Recommendations – Actionable steps to improve email filters, update policies, and conduct targeted training.
- Training Toolkit – Custom phishing awareness materials, posters, and interactive training modules.
- Retest Results – Follow-up campaigns to measure improvement and validate remediation effectiveness.