Emerging threats
Any channel of communication can be exploited by threat actors
The weakest link when it comes to security? Human error. Threat actors leverage this using social engineering techniques because it exploits real-world trust and authority, tricking humans into revealing sensitive information about themselves, your clients, or your organisation.
With a strong focus on technology in today’s digital world, the human element of digital threat is often overlooked. Crowdstrike’s 2024 annual global threat report revealed a 442% increase in voice phishing between the first and second half of 2024, highlighting that as technical defences get stronger, threat actors are increasingly targeting human vulnerability, made significantly easier by developments in AI.
Critically, any channel of communication can be exploited to get someone to reveal sensitive information, it’s not just emails.
The reality is that social engineering is much broader than a single type of attack, and only testing for what is ‘commonly done’ means leaving ourselves exposed to evolving, sophisticated threats.
So, what exactly is social engineering?
Social engineering is a psychological manipulation technique used by threat actors to trick individuals—through a range of communication channels—into revealing confidential information or granting access to secure systems. It exploits human behaviour by leveraging fear, urgency, or authority to trick individuals into compromising security.
Social engineering techniques are commonly used by attackers because it’s low-risk and high-reward. It requires very little technical skill and they can target large groups of individuals with minimal effort.
Attack techniques have grown increasingly sophisticated with the advancements of modern technology such as AI, making attempts significantly harder to detect, and more likely to succeed.
Trending social engineering techniques threatening organisations today:
- Phishing: Emails or messages that trick individuals into revealing sensitive information or clicking malicious links
- Voice phishing (vishing): Fraudulent phone calls where attackers impersonate trusted figures to extract confidential data
- Deepfake video and voice calls: AI-powered impersonations of trusted or authoritative figures to extract confidential data or gain access to secure environments
- Supply chain attacks: Exploiting trusted third-party vendors or partners to gain indirect access to target organisations
- Onboarding attacks: Attempts to trick hiring managers into recruiting threat actors using AI-driven video and language tools to gain inside access.
Through just a few well-crafted interactions, attackers can steal valuable information, sensitive data, login credentials or even access to critical systems.
How we strengthen your defences
Understanding the risks posed by social engineering is an important first step. To effectively defend your organisation against social engineering attacks, it’s essential to adopt a proactive strategy that targets both the human and technical vulnerabilities exploited by attackers.
Our approach combines customised training, realistic attack simulations, and technical security testing to help strengthen your defences and minimise the likelihood of successful social engineering attacks.
Whether you need a basic assessment, an in-depth evaluation, or employee training, we tailor our approach to align with your specific business objectives and risk appetite.
We work closely with our clients to develop training based on their unique vulnerabilities to ensure the content is relevant and contextual for employees, so they can better recognise and respond to threats.
Using OSINT (Open-Source Intelligence), and our in-depth expertise of how threat actors think, we gather valuable insights to inform our strategy, ensuring our testing is realistic and impactful.
Our process
Our holistic approach examines behaviour of individuals, beyond simple phishing emails.
By analysing how employees respond across different communication channels, we can uncover vulnerabilities that traditional phishing assessments often overlook. This insight ensures that even the most vigilant individuals are accounted for, and systemic issues are addressed.
Information gathering
We start by collecting publicly available information about your organisation and employees, using OSINT, simulating the methods real-world threat actors use to identify potential vulnerabilities.
Delivery & testing
Based on your unique business requirements, we design and deliver social engineering scenarios that range in complexity:
- Basic delivery: General templates and approaches to test employee responses.
- Advanced scenarios: Custom-designed campaigns that mimic sophisticated threat actor tactics in line with today’s rapidly evolving threat landscape.
Analysis
Beyond assessing who clicked a link, we analyse what employees reveal during testing. Are they unknowingly sharing sensitive information or data?
This deeper insight allows us to evaluate risks more comprehensively for effective remediation.
Reporting
You’ll receive detailed reports, including quantified results*, with categorised statistics, such as:
- Failures and passes.
- Short and long-term trends
- Insights into potential weaknesses in existing training programs.
- Behaviour monitoring.
*where applicable to the engagement
Training and remediation
We don’t stop at identifying weaknesses; we help you build a stronger long-term defence against threat:
- Customisable employee training: Whether you need basic social engineering training or specialised programs tailored to your identified vulnerabilities, we can work with you to develop training based on your vulnerabilities to mitigate future risks.
- Continuous improvement: We offer flexible aftercare support, from ad-hoc advice to long-term partnerships.
- Actionable insights: Our training is informed by real-world expertise, providing employees with practical knowledge of how threat actors operate and how to recognise and respond to attacks.
PGI for social engineering support
Protect your organisation from the human element of cyber threats with our expert, flexible social engineering services.
Human-led approach
We bring a human element to our evaluations, studying how real-world attackers manipulate people, rather than just exploiting systems.
Holistic insight
Our services consider a wide range of behaviours, through our knowledge and expertise, giving you a more comprehensive overview of your organisational risk.
In-depth expertise
With experience in understanding threat actor methodologies, we provide nuanced and actionable recommendations that go beyond surface-level analysis.
Digital Investigations, Cyber security and Capacity Building
Detect
We work at the cutting edge of threat detection, continually scanning the horizon for next-generation risks.
Protect
Whether you use the term cyber security, digital security, or technical security, we believe in providing simple, effective and affordable solutions that fit your requirements.
Build
Our globally trusted Build team develops long-term digital resilience for national governments, NGOs, institutions and corporates.