people-targeting · 04

Test the human layer.

Phishing, vishing, and pretext campaigns against your workforce. We measure click rates, credential capture, and detection times, then turn the data into training that actually moves the next quarter's numbers.

01. in scope

What's in scope.

Campaign types we run.

Targeted phishing

Pretext built from OSINT on your company and team. Multi-touch sequences, custom landing pages, and MFA prompt bypass (for example, an adversary-in-the-middle landing page that relays the real login flow and captures the resulting session). The kind real attackers run.

Vishing (voice phishing)

Calls to your helpdesk, IT, or finance team using tailored pretext. Common targets: password reset, MFA reset, vendor invoice change.

Smishing (SMS phishing)

SMS-based campaigns testing mobile-first workforces. Often combined with vishing as a two-channel pretext.

USB drop and physical pretext

On request. Devices left in parking lots, mailrooms, or shared spaces; pretext visits to reception. Legal coverage required.

Tailored executive (whaling)

Pretext aimed at the C-suite or board. Higher difficulty, higher payoff for adversaries. Usually paired with vishing of the exec assistant.

Helpdesk social engineering

Account takeover attempts against your IT support workflow: password resets, MFA device enrolment, and account unlocks requested by someone who is not the account owner. Many recent intrusions started here, not with a malicious attachment.

02. how we work

How we work on it.

How a social-engineering engagement runs.

  1. Scoping call. 60 minutes. We agree the channels, the target groups, the depth of pretext, and the rules of engagement. Legal sign-off documented.
  2. Reconnaissance. OSINT on the org and the named target groups. Pretext development. You do not see this phase.
  3. Active campaign. Two to six weeks. Multiple touches per target. Metrics captured at every step: delivered, opened, clicked, entered credentials, reported, detected.
  4. Debrief and metrics report. Anonymized to protect individuals; broken out by team, role, and channel. Comparison against industry benchmarks.
  5. Training and improvement plan. What to train, who to train, and what process changes would catch the techniques we used.

03. deliverables

What you walk away with.

What you get back.

Campaign metrics report

By cohort: open rate, click rate, credential entry, MFA bypass success, report rate, time to detection. Industry benchmarks included.
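How the per-cohort funnel and the timing numbers above are derived from a campaign event log, as an added example. This is illustration code, not the tooling behind the report; the event format, the cohort names and the sample log are assumptions constructed for it. One measurement caveat it encodes: most mail clients block tracking pixels, so a click (or anything later in the chain) is counted as an open even when no open event arrived, otherwise the open rate undercounts and click rate can exceed open rate.

```python
"""Funnel metrics for a phishing-simulation campaign, computed from an event log.

Added example: not the page's own tooling. The event format, cohort names
and SAMPLE_LOG below are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Ordered funnel. Reaching a later stage implies the earlier ones (a click proves
# the mail was opened even when the tracking pixel never fired).
CHAIN = ["delivered", "opened", "clicked", "submitted", "mfa_bypassed"]

# Constructed sample log: "<ISO timestamp> <target id> <cohort> <event>".
# The "soc detected" line marks the moment the customer's SOC raised an alert.
SAMPLE_LOG = """\
2024-05-06T09:00:00Z t001 finance     delivered
2024-05-06T09:03:10Z t001 finance     opened
2024-05-06T09:04:02Z t001 finance     clicked
2024-05-06T09:05:30Z t001 finance     submitted
2024-05-06T09:00:00Z t002 finance     delivered
2024-05-06T09:11:00Z t002 finance     opened
2024-05-06T09:12:00Z t002 finance     reported
2024-05-06T09:00:00Z t003 finance     delivered
2024-05-06T09:00:00Z t004 engineering delivered
2024-05-06T09:20:00Z t004 engineering opened
2024-05-06T09:21:00Z t004 engineering clicked
2024-05-06T09:22:00Z t004 engineering reported
2024-05-06T09:00:00Z t005 engineering delivered
2024-05-06T09:40:00Z t005 engineering clicked
2024-05-06T09:41:00Z t005 engineering submitted
2024-05-06T09:41:30Z t005 engineering mfa_bypassed
2024-05-06T09:30:00Z soc  soc         detected
"""


def parse_log(text):
    """Yield (timestamp, target, cohort, event) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, target, cohort, event = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), target, cohort, event


def campaign_metrics(log_text):
    """Return per-cohort rates plus campaign-wide time-to-report and time-to-detection (minutes)."""
    targets = {}  # target id -> {"cohort", "stage", "reported_at"}
    first_delivery = first_report = first_detection = None

    for ts, target, cohort, event in parse_log(log_text):
        if event == "detected":
            first_detection = ts if first_detection is None else min(first_detection, ts)
            continue
        rec = targets.setdefault(target, {"cohort": cohort, "stage": -1, "reported_at": None})
        if event == "reported":
            if rec["reported_at"] is None or ts < rec["reported_at"]:
                rec["reported_at"] = ts
            first_report = ts if first_report is None else min(first_report, ts)
        else:
            # Furthest stage reached; implies every earlier stage.
            rec["stage"] = max(rec["stage"], CHAIN.index(event))
            if event == "delivered":
                first_delivery = ts if first_delivery is None else min(first_delivery, ts)

    by_cohort = defaultdict(list)
    for rec in targets.values():
        by_cohort[rec["cohort"]].append(rec)

    cohorts = {}
    for name, recs in by_cohort.items():
        n = sum(1 for r in recs if r["stage"] >= 0)  # only delivered mail is a denominator
        if n == 0:
            continue

        def share(stage_index):
            return round(sum(1 for r in recs if r["stage"] >= stage_index) / n, 3)

        cohorts[name] = {
            "targets": n,
            "open_rate": share(1),
            "click_rate": share(2),
            "credential_rate": share(3),
            "mfa_bypass_rate": share(4),
            "report_rate": round(sum(1 for r in recs if r["reported_at"]) / n, 3),
        }

    def minutes_since_delivery(ts):
        if ts is None or first_delivery is None:
            return None
        return (ts - first_delivery).total_seconds() / 60

    return {
        "cohorts": cohorts,
        "minutes_to_first_report": minutes_since_delivery(first_report),
        "minutes_to_soc_detection": minutes_since_delivery(first_detection),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(campaign_metrics(SAMPLE_LOG), indent=2))
```

On the sample log this gives finance an open rate of 0.667 and click rate of 0.333, engineering a click rate of 1.0 with one MFA bypass, a first user report 12 minutes after delivery and SOC detection at 30 minutes. The gap between those last two numbers is the one worth arguing about in the debrief: a user reported the mail 18 minutes before the SOC saw anything.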

Pretext catalog

Every pretext we used, with screenshots, copy, and call scripts. Use for tabletop training and detection-rule writing.

Helpdesk findings

If we ran vishing, every call transcribed and classified. Patterns the helpdesk team should learn to spot.

Detection-rule suggestions

Email-gateway rules, EDR signals, helpdesk verification checklists. Specific to the pretexts that worked.

Workforce training plan

Targeted curriculum based on what worked. We do not recommend annual click-through training.

Re-measurement

On request, a follow-up campaign 90 days post-training. The only honest way to measure whether training worked.

04. when

When teams hire us for this.

When social engineering is the right test.

Your incidents start with the helpdesk

Modern intrusions often start with a phone call, not a click. Test the call workflow before the next attacker does.

You bought new email-gateway tooling

Find out what it actually catches. The vendor demo is not the same as a real campaign against your users.

You are scaling fast

New hires onboard every week. Annual training does not catch up. Quarterly campaigns keep the baseline visible.

Insurance or regulator asks

Cyber-insurance underwriters increasingly ask for phishing test results. SOC 2 and ISO 27001 auditors expect evidence that security-awareness measures exist and are checked, and campaign metrics are the usual evidence.

05. faq

Questions before the call.

Social-engineering FAQ.

Will employees be punished for clicking?

Not by us. We deliver anonymized metrics by cohort. Whether you tie click data to individual records is your HR and legal decision; we recommend against it.

Do you collect actual credentials?

No. The landing page records only that a submission happened. The password field is inspected for presence, never stored, and the event is logged against a keyed hash of the per-target tracking ID rather than a name or username.
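What that capture handler looks like in practice, as an added example rather than the engagement's own code. The field names, the campaign key and the sample form posts are assumptions. The point to check in any such handler is that the log record is built from scratch rather than by copying the request, and that the only identifier written is a keyed hash that cannot be reversed without the campaign key.

```python
"""Landing-page submission handler that records the act of credential entry
without ever storing the credential.

Added example, not the vendor's tooling. Field names, CAMPAIGN_KEY and the
sample form posts are assumptions constructed for illustration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Campaign-scoped secret (assumption). Events for one target can be correlated
# within the campaign, but the log never holds a plain target identifier.
CAMPAIGN_KEY = b"rotate-me-per-campaign"

# Form fields whose values must never reach storage or logs.
SECRET_FIELDS = {"password", "passwd", "otp", "mfa_code", "token"}


def target_token(target_id, key=CAMPAIGN_KEY):
    """Keyed hash of the per-target tracking id; not reversible without the key."""
    return hmac.new(key, target_id.encode(), hashlib.sha256).hexdigest()[:16]


def record_submission(form, cohort, now=None):
    """Turn a POSTed form into a log event that carries no secret.

    Secret fields are only tested for presence. The returned record is
    assembled from scratch, so nothing typed into the form can leak into it,
    and the username field is deliberately not carried over either.
    """
    now = now or datetime.now(timezone.utc)
    touched = sorted(f for f in SECRET_FIELDS if form.get(f))
    return {
        "ts": now.isoformat(),
        "target": target_token(form.get("t", "")),
        "cohort": cohort,
        "event": "submitted" if touched else "submitted_empty",
        "otp_entered": bool(form.get("otp") or form.get("mfa_code")),
        "fields_touched": touched,
    }


def carries_no_secret(event, form):
    """Defensive check before writing: no secret value appears in the serialized event."""
    blob = json.dumps(event)
    return not any(v and v in blob for f, v in form.items() if f in SECRET_FIELDS)


if __name__ == "__main__":
    # Constructed sample post, as a browser would send it to the landing page.
    post = {"t": "t001", "username": "alice@example.com", "password": "hunter2", "otp": "123456"}
    event = record_submission(post, "finance")
    assert carries_no_secret(event, post)
    print(json.dumps(event))
```

Two deployment details matter as much as the handler: the form must POST rather than GET, or the credential lands in the web server's access log regardless of what the application does, and request-body logging on any reverse proxy in front of the landing page must be off.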

Can you test our SOC, not just users?

Yes. A social-engineering campaign also produces detection signal: deliveries, clicks, credential submissions, and helpdesk calls that should have raised alerts. We compare what should have alerted against what your SOC actually saw, and when.

What about legal sign-off?

Required before launch. We provide template authorization, but your legal team owns the final document.

How long until we can rerun?

90 days minimum. Sooner and the workforce remembers the pretext; the test no longer measures behavior change.

Want to know if training works?

Most organizations measure click rates and call it done. We measure detection and response too. Book a scoping call to design the campaign.