Emerging threats
What exactly is social engineering?
Social engineering is a psychological manipulation technique used by threat actors to trick individuals—through a range of communication channels—into revealing confidential information or granting access to secure systems. It exploits human behaviour by leveraging fear, urgency, or authority to trick individuals into compromising security.
Social engineering techniques are commonly used by attackers because it’s low-risk and high-reward. It requires very little technical skill and they can target large groups of individuals with minimal effort.
Attack techniques have grown increasingly sophisticated with the advancements of modern technology such as AI, making attempts significantly harder to detect, and more likely to succeed.
Any channel of communication can be exploited by threat actors
The weakest link when it comes to security? Human error. Threat actors leverage this using social engineering techniques because it exploits real-world trust and authority, tricking humans into revealing sensitive information about themselves, your clients, or your organisation.
With a strong focus on technology in today’s digital world, the human element of digital threat is often overlooked. Crowdstrike’s 2024 annual global threat report revealed a 442% increase in voice phishing between the first and second half of 2024, highlighting that as technical defences get stronger, threat actors are increasingly targeting human vulnerability, made significantly easier by developments in AI.
Critically, any channel of communication can be exploited to get someone to reveal sensitive information, it’s not just emails.
The reality is that social engineering is much broader than a single type of attack, and only testing for what is ‘commonly done’ means leaving ourselves exposed to evolving, sophisticated threats.
Trending social engineering techniques threatening organisations today:
- Phishing: Emails or messages that trick individuals into revealing sensitive information or clicking malicious links
- Voice phishing (vishing): Fraudulent phone calls where attackers impersonate trusted figures to extract confidential data
- Deepfake video and voice calls: AI-powered impersonations of trusted or authoritative figures to extract confidential data or gain access to secure environments
- Supply chain attacks: Exploiting trusted third-party vendors or partners to gain indirect access to target organisations
- Onboarding attacks: Attempts to trick hiring managers into recruiting threat actors using AI-driven video and language tools to gain inside access.
Through just a few well-crafted interactions, attackers can steal valuable information, sensitive data, login credentials or even access to critical systems.
How we strengthen your defences
Understanding the risks posed by social engineering is an important first step. To effectively defend your organisation against social engineering attacks, it’s essential to adopt a proactive strategy that targets both the human and technical vulnerabilities that attackers exploit.
Our approach combines customised training, realistic attack simulations, and hands-on security testing to help reduce the likelihood and impact of successful social engineering attacks. This includes phishing simulations and spear-phishing assessments to test how employees respond to targeted emails; vishing exercises to assess phone-based manipulation; and physical social-engineering tests, such as site access attempts and USB or media drop assessments, to evaluate real-world behaviours.
For organisations requiring a deeper level of assurance, we deliver full social engineering red team engagements and broader digital risk assessments, designed to mirror genuine threat actor activity and provide a clear picture of organisational exposure.
We work closely with our clients to design training and testing around their specific vulnerabilities, ensuring scenarios are relevant and contextual for employees, and that learning outcomes translate into real-world awareness and action.
Using open-source intelligence (OSINT) and our in-depth understanding of how threat actors research, plan, and execute attacks, we ensure every engagement is informed, realistic, and directly aligned to your risk appetite and business objectives.
PGI for social engineering support
Protect your organisation from the human element of cyber threats with our expert, flexible social engineering services.
Human-led approach
We bring a human element to our evaluations, studying how real-world attackers manipulate people, rather than just exploiting systems.
Holistic insight
Our services consider a wide range of behaviours, through our knowledge and expertise, giving you a more comprehensive overview of your organisational risk.
In-depth expertise
With experience in understanding threat actor methodologies, we provide nuanced and actionable recommendations that go beyond surface-level analysis.
Digital Investigations, Cyber security and Capacity Building
Detect
We work at the cutting edge of threat detection, continually scanning the horizon for next-generation risks.
Protect
Whether you use the term cyber security, digital security, or technical security, we believe in providing simple, effective and affordable solutions that fit your requirements.
Build
Our globally trusted Build team develops long-term digital resilience for national governments, NGOs, institutions and corporates.