
Social engineering

Attackers don't just target systems - they target people.


What exactly is social engineering?

Social engineering targets human behaviour to bypass security controls and gain access to sensitive information, credentials or systems. 

These attacks are so common because they rely on deception rather than technical exploits, so they can succeed even where an organisation's technical security controls are strong.

Modern attacks have become more sophisticated, particularly through the use of AI, which makes attempts harder to detect and more likely to result in breaches and data theft.

Social engineering attacks happen across all communication channels, from phishing emails and phone scams to social media and even face-to-face contact.

How attackers trick employees to breach organisations

Modern social engineering attacks are designed to look and feel legitimate, which makes them difficult to recognise.

  • Phishing and spear phishing: Emails crafted to look legitimate in order to trick recipients into revealing sensitive information or clicking malicious links. Spear phishing targets specific individuals using information gathered about them in advance.
  • Voice phishing (vishing): Fraudulent phone calls where attackers impersonate trusted colleagues or suppliers.
  • Deepfake video and voice calls: AI-powered impersonations of executives or other trusted figures to extract confidential data or gain access to secure environments.
  • Supply chain attacks: Exploiting trusted third-party vendors or partners to gain indirect access to a target organisation.
  • Onboarding attacks: Attempts to infiltrate organisations through the hiring process, using AI-driven video and language tools to deceive hiring managers and gain insider access.

Through just a few well-crafted interactions, attackers can steal valuable information, sensitive data and login credentials, or even gain access to critical systems.

Strengthening your human defences

Defending your organisation against social engineering attacks requires much more than technical controls. While firewalls and email filtering are essential, they don't stop an employee from being talked into granting access or sharing information with the wrong person.

Human defences cover policies and procedures, employee behaviours and how people respond when an interaction seems suspicious. Training, testing and clear verification processes (for example, confirming unusual requests through a known, independent channel before acting on them) are key to reducing the risk of a successful attack.

Learn more about how to strengthen your human defences in our whitepaper.


Our social engineering and human risk services:

Our approach combines customised training, realistic attack simulations to test employee responses, and hands-on security testing to help reduce the likelihood and impact of successful social engineering attacks. 

We work closely with our clients to design training and testing around their unique vulnerabilities, ensuring scenarios are relevant and contextual for employees, and that learning translates into effective real-world action.

We use open-source intelligence (OSINT) and our in-depth understanding of how threat actors research, plan, and execute attacks to ensure every engagement is realistic and directly aligned to your risk appetite and business objectives.


Security awareness training
  • We create tailored employee training programmes aligned to your organisation’s specific risk profile
  • We conduct role-based and scenario-driven learning to improve real-world decision-making
  • We provide practical guidance that translates directly into employee behavioural change
Social engineering campaigns
  • We conduct realistic social engineering exercises (like phishing and vishing) to test employee responses to attacks over different communication channels
  • We measure who responds, what information is shared, and whether suspicious contact is reported
  • We conduct ongoing campaigns to track improvement over time
Spear phishing assessments
  • We use publicly available information to create realistic phishing attacks that target specific employees
  • We evaluate susceptibility to personalised, high-risk email threats
  • If an employee falls for an attempt, we investigate underlying issues that lead to sensitive information being exposed
  • We provide you with actionable recommendations to improve defences in future
Physical security assessments

Our physical security assessments are focused red-team engagements that reveal how your people and processes play a role in your on-site security and where vulnerabilities may exist.

  • We conduct on-site access attempts to test physical security and staff vigilance
  • We assess how employees respond to unauthorised site access using tailgating and impersonation scenarios
  • We run USB and removable media drop assessments to evaluate curiosity-driven risk
  • We can assess how employees respond if they detect a potential threat

Read more about our full physical security assessment engagements.

Social Engineering Red Teaming engagements
  • A holistic assessment of your people, processes, controls, and defensive capabilities
  • End-to-end campaigns combining digital, voice, and physical attack techniques
  • We use real threat actor methods and techniques targeted to your organisation

PGI for social engineering support

Protect your organisation from the human element of cyber threats with our expert, flexible social engineering services. 

Human-led approach

We bring a human element to our evaluations, studying how real-world attackers manipulate people, rather than just exploiting systems.

Holistic insight

Our services assess a wide range of employee behaviours across channels, giving you a more comprehensive view of your organisational risk than any single test can.

In-depth expertise

With in-depth experience of threat actor methodologies, we provide nuanced and actionable recommendations that go beyond surface-level analysis.
