
Social Engineering

The weakest link when it comes to security? Human error.

What exactly is social engineering?

Social engineering is a manipulation technique used by threat actors to trick people into revealing confidential information or granting access to secure systems. These scams are so common because they target and exploit human behaviour, rather than technical controls, by leveraging fear, urgency, or authority.

Attack techniques have grown increasingly sophisticated with advances in modern technology such as AI, making attempts significantly harder to detect and more likely to succeed.

Any channel of communication can be exploited by threat actors

The weakest link when it comes to security? Human error. Threat actors take advantage of this with social engineering techniques, which exploit real-world trust and authority to trick people into revealing sensitive information about themselves, your clients, or your organisation.

With a strong focus on technology in today’s digital world, the human element of digital threat is often overlooked. CrowdStrike’s 2024 annual global threat report revealed a 442% increase in voice phishing between the first and second half of 2024, highlighting that as technical defences get stronger, threat actors are increasingly targeting human vulnerability, made significantly easier by developments in AI.

Critically, any channel of communication can be exploited to get someone to reveal sensitive information; it’s not just emails.

The reality is that social engineering is much broader than a single type of attack, and only testing for what is ‘commonly done’ means leaving ourselves exposed to evolving, sophisticated threats.

Trending social engineering techniques threatening organisations today:

  • Phishing: Emails or messages that trick individuals into revealing sensitive information or clicking malicious links
  • Voice phishing (vishing): Fraudulent phone calls where attackers impersonate trusted figures to extract confidential data
  • Deepfake video and voice calls: AI-powered impersonations of trusted or authoritative figures to extract confidential data or gain access to secure environments
  • Supply chain attacks: Exploiting trusted third-party vendors or partners to gain indirect access to target organisations
  • Onboarding attacks: Attempts to trick hiring managers into recruiting threat actors using AI-driven video and language tools to gain inside access

Through just a few well-crafted interactions, attackers can steal valuable information, sensitive data, login credentials or even access to critical systems.

How to strengthen your defences 

To effectively defend your organisation against social engineering attacks, it’s essential to adopt a proactive strategy that targets both the human and technical vulnerabilities that attackers exploit. 

Our social engineering and human risk services:

Our approach combines customised training, realistic attack simulations, and hands-on security testing to help reduce the likelihood and impact of successful social engineering attacks. 

We work closely with our clients to design training and testing around their unique vulnerabilities, ensuring scenarios are relevant and contextual for employees, and that learning outcomes translate into real-world awareness and action.

We use open-source intelligence (OSINT) and our in-depth understanding of how threat actors research, plan, and execute attacks to ensure every engagement is informed, realistic, and directly aligned to your risk appetite and business objectives.

Security awareness training
  • We create tailored training programmes aligned to your organisation’s specific risks and threat profile

  • We conduct role-based and scenario-driven learning to improve real-world decision-making

  • We provide practical guidance that translates directly into employee behaviour change

Phishing simulation campaigns
  • We conduct realistic phishing exercises to test employee responses to malicious emails

  • We measure click rates, credential submission, and reporting behaviour

  • We conduct vishing (voice phishing) campaigns to assess how staff handle manipulation over phone calls

  • We conduct ongoing campaigns to track improvement over time

Spear phishing assessments
  • We conduct highly targeted phishing attacks based on employee roles and publicly available information

  • We evaluate susceptibility to personalised, high-risk email threats

  • We provide insight into executive, finance, and privileged-user exposure

Physical security assessments
  • We conduct on-site access attempts to test physical security and staff vigilance

  • We run tailgating and impersonation scenarios

  • We run USB and removable media drop assessments to evaluate curiosity-driven risk

Read more about our full physical security assessment engagements.

Social Engineering Red Teaming engagements
  • A holistic assessment of your people, processes, controls, and defensive capabilities

  • End-to-end campaigns combining digital, voice, and physical attack techniques

  • Designed to mirror real threat actor behaviour and attack chains

PGI for social engineering support

Protect your organisation from the human element of cyber threats with our expert, flexible social engineering services. 

Human-led approach

We bring a human element to our evaluations, studying how real-world attackers manipulate people, rather than just exploiting systems.

Holistic insight

Drawing on our knowledge and expertise, our services consider a wide range of behaviours, giving you a more comprehensive overview of your organisational risk.

In-depth expertise

With experience in understanding threat actor methodologies, we provide nuanced and actionable recommendations that go beyond surface-level analysis.
