SocEng · Organizational
Social Engineering
Test employee awareness of cyber-security threats. Phishing, vishing, smishing, USB drops, and physical pretext — measured against real industry baselines and turned into targeted awareness recommendations.
People are the perimeter
Verizon's DBIR has shown the same thing year after year: the human element is involved in roughly three out of four breaches. Phishing, pretexting, and stolen credentials remain the dominant initial-access vectors — well ahead of the zero-day exploits that get the headlines. Awareness training is necessary but rarely sufficient on its own; what changes behavior is realistic, measured testing followed by targeted reinforcement.
Illumant's SocEng engagements are built around that loop — measure the real susceptibility, identify the patterns and audiences, then drive specific awareness investment that addresses them. Results feed naturally into BBPen engagements when you're ready to test end-to-end.
Techniques
Targeted phishing (spear)
Bespoke, OSINT-driven email campaigns against named individuals — typically execs, finance, IT admins, and developers. Designed to test whether your highest-value targets fall for high-effort lures.
Broad-spectrum phishing
Volume campaigns across the full workforce — credential harvesting, attachment, and link-based payloads. Produces a real susceptibility baseline you can track over time.
Vishing (voice phishing)
Pretext-based phone calls to help desk, finance, and front-line staff. Measures whether identity verification policies actually hold under social pressure.
SMS / smishing
Mobile-first attacks against the channel where users are least skeptical. Especially effective against MFA push-fatigue and account-recovery flows.
Pretext on-site
Physical visits using a worked-out cover identity — vendor, contractor, regulator, executive's assistant. Tests reception, badging, escort policy, and tailgating behavior.
USB / media drops
Branded thumb drives or QR codes left in parking lots, lobbies, and break rooms. Measures click-through and corporate AV/EDR response.
How we run it
Goal & guardrails
We agree on objectives, audience segments, opt-out groups, and what 'success' looks like. We define what we will and will not do — escalation paths, executive notification, sensitive-period blackouts.
OSINT & pretext development
Build the lures and the cover identities from public information your employees expose: LinkedIn, conference attendance, GitHub, vendor lists, SEC filings.
Campaign execution
Run the campaigns with realistic infrastructure — domain typosquats, sender reputation warming, in-the-wild lookalikes. Measure detection at every layer.
Reporting
Per-campaign metrics, per-department breakdown, comparison against industry baselines, narrative case studies of how the attacks would have escalated.
Awareness recommendations
Targeted training topics by audience, suggested phishing-button rollout, recommended help-desk verification policy changes, and a follow-up testing cadence.
What we measure
- Click rate per campaign and per audience segment
- Credential submission rate (when applicable)
- Attachment open rate and execution rate
- Reporting rate via your phishing button / mailbox
- Time-to-first-report and time-to-containment by your SOC
- Repeat-offender identification (with privacy considerations)
- Vishing success rate by department and pretext type
- Physical access success rate and time-to-discovery
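As an added illustration of how the metrics above are typically derived from campaign telemetry (this is example code written for this page, not Illumant's tooling), the following Python aggregates a constructed event log into per-segment click, submission and reporting rates, time-to-first-report, and a privacy-preserving repeat-offender count. The event schema (campaign, user, segment, action, timestamp) and all sample rows are assumptions constructed for the example.

```python
"""Aggregate phishing-simulation telemetry into the per-segment metrics a
social-engineering report tracks: click rate, credential submission rate,
reporting rate, time-to-first-report, and repeat offenders.

All events below are constructed sample data, not output of a real campaign.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    campaign: str   # campaign identifier (assumed schema)
    user: str       # recipient identifier (e-mail or HR id)
    segment: str    # audience segment, e.g. department
    action: str     # "sent" | "click" | "submit" | "report"
    ts: datetime    # when the action was observed


T0 = datetime(2024, 5, 6, 9, 0)

# Constructed events for two campaigns (Q1 and Q2) over a tiny workforce.
EVENTS = [
    Event("Q1", "alice", "finance", "sent", T0),
    Event("Q1", "bob", "finance", "sent", T0),
    Event("Q1", "carol", "finance", "sent", T0),
    Event("Q1", "dave", "it", "sent", T0),
    Event("Q1", "erin", "it", "sent", T0),
    Event("Q1", "alice", "finance", "click", T0 + timedelta(minutes=4)),
    Event("Q1", "alice", "finance", "submit", T0 + timedelta(minutes=5)),
    Event("Q1", "bob", "finance", "click", T0 + timedelta(minutes=20)),
    Event("Q1", "carol", "finance", "report", T0 + timedelta(minutes=12)),
    Event("Q1", "dave", "it", "report", T0 + timedelta(minutes=3)),
    Event("Q1", "erin", "it", "click", T0 + timedelta(minutes=40)),
    Event("Q1", "erin", "it", "report", T0 + timedelta(minutes=41)),  # clicked, then reported
    Event("Q2", "alice", "finance", "sent", T0 + timedelta(days=90)),
    Event("Q2", "bob", "finance", "sent", T0 + timedelta(days=90)),
    Event("Q2", "carol", "finance", "sent", T0 + timedelta(days=90)),
    Event("Q2", "dave", "it", "sent", T0 + timedelta(days=90)),
    Event("Q2", "erin", "it", "sent", T0 + timedelta(days=90)),
    Event("Q2", "alice", "finance", "click", T0 + timedelta(days=90, minutes=2)),
    Event("Q2", "bob", "finance", "report", T0 + timedelta(days=90, minutes=9)),
    Event("Q2", "erin", "it", "report", T0 + timedelta(days=90, minutes=1)),
]


def segment_metrics(events, campaign):
    """Per-segment rates for one campaign. Rates are fractions of recipients
    ("sent"); each user counts at most once per action, so a double click
    does not inflate the number."""
    sent = defaultdict(set)                          # segment -> recipients
    acted = defaultdict(lambda: defaultdict(set))    # segment -> action -> users
    first_report = {}                                # segment -> earliest report ts
    send_time = {}                                   # segment -> earliest send ts
    for e in events:
        if e.campaign != campaign:
            continue
        if e.action == "sent":
            sent[e.segment].add(e.user)
            send_time[e.segment] = min(send_time.get(e.segment, e.ts), e.ts)
        else:
            acted[e.segment][e.action].add(e.user)
            if e.action == "report":
                first_report[e.segment] = min(first_report.get(e.segment, e.ts), e.ts)
    out = {}
    for seg, users in sent.items():
        n = len(users)
        ttfr = first_report.get(seg)
        out[seg] = {
            "sent": n,
            "click_rate": len(acted[seg]["click"]) / n,
            "submit_rate": len(acted[seg]["submit"]) / n,
            "report_rate": len(acted[seg]["report"]) / n,
            "time_to_first_report_min": (
                (ttfr - send_time[seg]).total_seconds() / 60 if ttfr else None
            ),
        }
    return out


def repeat_offenders(events, min_campaigns=2, salt="rotate-per-report"):
    """Users who clicked in at least `min_campaigns` distinct campaigns.
    Identifiers are replaced by a salted hash so the report can count repeat
    behaviour without naming individuals; the engagement lead keeps the salt."""
    clicks = defaultdict(set)  # user -> campaigns in which they clicked
    for e in events:
        if e.action == "click":
            clicks[e.user].add(e.campaign)

    def pseudonym(user):
        return hashlib.sha256(f"{salt}:{user}".encode()).hexdigest()[:12]

    return {pseudonym(u): len(c) for u, c in clicks.items() if len(c) >= min_campaigns}


if __name__ == "__main__":
    for seg, m in segment_metrics(EVENTS, "Q1").items():
        print("Q1", seg, m)
    print("repeat offenders:", repeat_offenders(EVENTS))
```

Counting each user once per action is what makes the rates comparable across campaigns and against external baselines; the "clicked, then reported" case in the sample data is deliberately kept, since a user who clicks and then reports is both a click and a report, and the gap between the two is itself useful feedback on awareness. The salted pseudonym keeps repeat-offender trends trackable across engagements while the mapping back to people stays with whoever holds the salt.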
Highlights
- Targeted (spear) and broad-spectrum phishing campaigns
- Vishing (voice phishing) campaigns
- SMS / smishing campaigns
- Pretext-based on-site engagements
- Branded USB / media drops
- Help-desk verification testing
- Targeted, measurable awareness recommendations
- Privacy-aware reporting for HR and legal
Pairs well with
The human-element engagements adjacent to SocEng.
PhySA
Physical Security Assessment
Locks, badges, cameras, and the humans guarding them.
BBPen
Advanced Black Box Penetration Testing
Care for a game of capture-the-flag?
PSA
Perimeter Security Assessment & Penetration Testing
Find the weaknesses in your perimeter before hackers do.
PPPA
Policies, Procedures and Practices Assessment
Review the documents — and whether anyone follows them.
BVEA
Blind Visibility and Exposure Analysis
See what attackers see — without giving them anything.
Ready to start a conversation?
Talk to a senior consultant — we'll scope an engagement that fits your environment.