Emerging threats
What exactly is social engineering?
Social engineering is the term for when attackers manipulate people to bypass security controls and gain access to sensitive information, credentials or systems.
These attacks are so common because they use deception rather than technical exploits, meaning they can succeed even when organisations have strong technical security controls in place.
Modern social engineering attacks have become sophisticated, especially with the use of AI, making attempts harder for people to spot and more likely to result in breaches and data theft.
Social engineering can happen across almost any communication channel - from phishing emails and phone scams (calls and texts) to social media messages, and even face-to-face.
How attackers trick employees to breach organisations
Modern social engineering attacks are designed to look and feel legitimate, which makes them difficult to recognise.
- Phishing and spear phishing: Emails that seem legitimate to trick individuals into revealing sensitive information or clicking malicious links.
- Voice phishing (vishing): Fraudulent phone calls where attackers impersonate trusted colleagues or suppliers.
- Tailgating: Entering secure physical areas, like offices, often by following employees
- Pretexting: Impersonating a trusted third-party (often a contractor, auditor, or supplier) to gain access to information or a physical site.
- Deepfake video and voice calls: AI-powered impersonations of executives or other trusted figures to extract confidential data or gain access to secure environments.
- Supply chain attacks: Exploiting trusted third-party vendors or partners to gain indirect access to a target organisation.
- Onboarding attacks: Attempts to infiltrate organisations by deceiving hiring managers using AI-driven video and language tools to gain inside access.
Through even just one convincing interaction with an employee, attackers can gain easy access to your systems, data or physical sites.
PGI for social engineering support
Protect your organisation from the human element of cyber threats with our expert, flexible social engineering services.
Human-led approach
We bring a human element to our evaluations, studying how real-world attackers manipulate people, rather than just exploiting systems.
Holistic insight
Our services consider a wide range of behaviours, through our knowledge and expertise, giving you a more comprehensive overview of your organisational risk.
In-depth expertise
With experience in understanding threat actor methodologies, we provide nuanced and actionable recommendations that go beyond surface-level analysis.
Digital Investigations, Cyber security and Capacity Building
Detect
We work at the cutting edge of threat detection, continually scanning the horizon for next-generation risks.
Protect
Whether you use the term cyber security, digital security, or technical security, we believe in providing simple, effective and affordable solutions that fit your requirements.
Build
Our globally trusted Build team develops long-term digital resilience for national governments, NGOs, institutions and corporates.
Strengthening your human defences
Defending your organisation against social engineering attacks requires much more than technical controls. While firewalls and email filtering are essential, they don't prevent employees from accidentally granting access or sharing information with the wrong person.
Human defences are about policies and procedures, employee behaviours and how they respond to suspicious interactions. Training, testing and clear verification processes are key to reducing the risk of successful attacks.
Learn more about how to strengthen your human defences in our whitepaper.
Our social engineering and human risk services:
Our approach combines realistic attack simulations to test employee responses, customised training, and hands-on security testing to increase awareness and help reduce the likelihood of successful social engineering attacks.
We work closely with our clients to design training and testing around their unique vulnerabilities, ensuring scenarios are relevant and contextual for employees, and that learning translates into effective real-world action.
We use open-source intelligence (OSINT) and our in-depth understanding of how threat actors research, plan, and execute attacks to ensure every engagement is realistic and directly aligned to your risk appetite and business objectives.
Security awareness training
Social engineering campaigns
Spear phishing assessments
Physical security assessments
Our physical security assessments are focused red-team engagements that reveal how your people and processes play a role in your on-site security and where vulnerabilities may exist.
Read more about our full physical security assessment engagements.
Social Engineering Red Teaming engagements