Social Engineering
Phishing, vishing and pretexting - the human vulnerability tested
People are the strongest and weakest link in your security. Our team tests how resilient your employees are against targeted phishing campaigns, phone manipulation (vishing) and social engineering attacks. Awareness reporting and training sessions afterwards are included.
What is a social engineering test?
Social engineering is the art of manipulating people to bypass security measures. We execute targeted phishing campaigns, make vishing calls, send pretexting messages and combine techniques to measure how resilient your organisation is against human-targeted attacks.
The difference from a generic phishing platform? We build custom scenarios based on OSINT about your organisation: employee names, ongoing projects, internal processes, recent events. Our phishing emails are not recognisable as tests. They are constructed like the spear-phishing that APT groups and cybercriminals actually use.
Types of social engineering tests
- Phishing - targeted email campaigns with custom landing pages that harvest credentials or simulate malware downloads.
- Spear phishing - targeted attacks on specific employees (C-level, finance, IT) with personalised scenarios.
- Vishing - by phone: calling as "IT helpdesk", "bank" or "supplier" to obtain credentials or information.
- Smishing - via SMS/WhatsApp.
- Pretexting - a longer-term scenario that builds trust in order to obtain sensitive information or actions.
Why should you get a social engineering test?
More than 90% of successful cyberattacks begin with a human action: clicking a link, opening an attachment, sharing credentials. Technical security does not help if someone opens the front door:
- Realistic measurement: what percentage clicks? How many enter credentials? How many report it to IT?
- Targeted awareness: results form the basis for effective, personalised training.
- Compliance: NIS2 and ISO 27001 require demonstrable awareness of social engineering.
- Incident response validation: how quickly are phishing emails reported? Does your reporting process work?
Our approach
Not a generic platform, but custom work. We build the campaign as if it were a real attack:
- OSINT & target research - LinkedIn, website, job postings, news articles, social media. This forms the basis for realistic scenarios.
- Scenario development - fake portals of suppliers, internal IT notifications, invoice emails, CEO fraud. Custom built.
- Infrastructure - look-alike domains, SPF/DKIM matching, landing pages indistinguishable from the original.
- Campaign execution - sending and/or vishing calls, with tracking of opens, clicks, credential entry and reporting to IT.
- Awareness session - after the campaign we provide a session for employees: what was the attack, how do you recognise it, what do you do? Learning, not shaming.
- Reporting - statistics per department/function, benchmarks, risk analysis and recommendations.
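The tracking and reporting steps above come down to turning a stream of campaign events (sent, open, click, credential entry, report to IT) into per-department rates and a time-to-report figure. The following is an added example of that aggregation; it is not the provider's own tooling. The event format (recipient token, department, event kind, ISO timestamp) and the sample events are constructed for illustration.

```python
"""Aggregate phishing-campaign tracking events into per-department metrics.

Rates are computed over recipients (tokens that received mail), not over raw
event counts, so someone who clicks twice counts once. A recipient who both
entered credentials and reported the mail counts in both metrics: both facts
matter for the awareness session and the incident-response check.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

EVENT_KINDS = ("open", "click", "submit", "report")

# Constructed sample events: (recipient token, department, event kind, timestamp).
SAMPLE_EVENTS = [
    ("t1", "finance", "sent",   "2024-01-10T09:00:00"),
    ("t1", "finance", "open",   "2024-01-10T09:05:00"),
    ("t1", "finance", "click",  "2024-01-10T09:06:00"),
    ("t1", "finance", "submit", "2024-01-10T09:07:00"),
    ("t2", "finance", "sent",   "2024-01-10T09:00:00"),
    ("t2", "finance", "open",   "2024-01-10T09:20:00"),
    ("t2", "finance", "report", "2024-01-10T09:21:00"),
    ("t3", "it",      "sent",   "2024-01-10T09:00:00"),
    ("t3", "it",      "open",   "2024-01-10T09:10:00"),
    ("t3", "it",      "report", "2024-01-10T09:12:00"),
    ("t4", "it",      "sent",   "2024-01-10T09:00:00"),
]


def summarise(events):
    """Return {department: {recipients, <kind>_rate (%), median_minutes_to_report}}."""
    recipients = defaultdict(set)                 # dept -> tokens that were sent mail
    did = defaultdict(lambda: defaultdict(set))   # dept -> kind -> tokens
    sent_at, reported_at = {}, {}
    for token, dept, kind, ts in events:
        t = datetime.fromisoformat(ts)
        if kind == "sent":
            recipients[dept].add(token)
            sent_at[token] = t
            continue
        did[dept][kind].add(token)
        if kind == "report":
            # Keep the earliest report per recipient for the time-to-report metric.
            reported_at[token] = min(reported_at.get(token, t), t)

    summary = {}
    for dept, tokens in recipients.items():
        n = len(tokens)
        row = {"recipients": n}
        for kind in EVENT_KINDS:
            hit = did[dept][kind] & tokens       # ignore events for unknown tokens
            row[f"{kind}_rate"] = round(100 * len(hit) / n, 1) if n else 0.0
        delays = [(reported_at[tok] - sent_at[tok]).total_seconds() / 60
                  for tok in did[dept]["report"] & tokens]
        row["median_minutes_to_report"] = median(delays) if delays else None
        summary[dept] = row
    return summary


if __name__ == "__main__":
    for dept, row in summarise(SAMPLE_EVENTS).items():
        print(dept, row)
```

The median time between delivery and the first report is the figure to watch for the incident-response check in the list above: a low click rate is good news, but a department that nobody in reports the mail at all leaves the helpdesk blind.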
What does a social engineering test cost?
Our hourly rate is €175. Indicative prices:
- Phishing campaign (50-200 employees, with awareness session): €4,000 - €10,000
- Multi-vector (phishing + vishing + physical): €10,000 - €20,000
Frequently asked questions
How does your phishing test differ from a GoPhish campaign?
GoPhish delivers template campaigns. We build custom scenarios based on OSINT: look-alike domains, personalised content, landing pages indistinguishable from the real thing. The difference: our phishing is indistinguishable from a real attack. That is the point.
Can you also perform vishing (telephone social engineering)?
Yes. Vishing is often more effective than email. We call as "IT helpdesk" or "bank" and try to obtain credentials or VPN access. The results are sobering, which makes them particularly educational.
What do you do with entered credentials?
We only log that credentials were entered, not the credentials themselves. All data is stored encrypted and destroyed after project completion. GDPR-compliant. We take privacy seriously.
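"Log that credentials were entered, not the credentials themselves" is a design decision in the landing-page backend, and it is worth seeing what it looks like in code. The following is an added example, not the provider's own code: a submission handler that consults the submitted values only to produce a boolean, pseudonymises the recipient token under a campaign key so the raw tracking log cannot be joined back to a person without that key, and returns a record containing none of the form values. The form field names, the campaign key and the sample submission are assumptions constructed for illustration.

```python
"""Record a credential-entry event without retaining the credentials."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed per-campaign secret; in practice loaded from a secret store and
# kept separately from the tracking log so the log alone cannot name anyone.
CAMPAIGN_KEY = b"constructed-campaign-key"


def record_submission(form, campaign_id, now=None):
    """Return the tracking-log record for one landing-page form submission.

    The username and password are used only to decide whether something
    was entered; neither value, nor any derivative of it, reaches the record.
    """
    token = form.get("t", "")
    entered = bool(form.get("username", "").strip()) and bool(form.get("password", "").strip())
    # Keyed pseudonym of the recipient token: stable within the campaign (so
    # repeat submissions collapse to one recipient) but not reversible from
    # the log without CAMPAIGN_KEY.
    pseudonym = hmac.new(CAMPAIGN_KEY, token.encode(), hashlib.sha256).hexdigest()[:16]
    return {
        "campaign": campaign_id,
        "recipient": pseudonym,
        "credentials_entered": entered,
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
    }


def leaks_form_value(record, form):
    """True if any non-empty submitted value appears verbatim in the record."""
    blob = json.dumps(record)
    return any(v and v in blob for v in form.values())


if __name__ == "__main__":
    # Constructed sample submission.
    sample = {"t": "abc123", "username": "alice", "password": "Winter2024!"}
    rec = record_submission(sample, "camp-01")
    print(rec, "leaks:", leaks_form_value(rec, sample))
```

Storing only the boolean also means the password never needs "encryption at rest" in the first place, which is the easiest way to satisfy the destruction-after-project requirement: there is nothing to destroy. The campaign key is the one item that must be handled carefully, since whoever holds it can map pseudonyms back to recipients for the awareness follow-up.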
Isn't a phishing test bad for morale?
Not if you do it right. We emphasise that the goal is to protect the organisation, not shame individuals. The awareness session afterwards is crucial: employees learn to recognise what they missed and feel stronger as a result. We have experience with this.
Ready to test your security?
Get in touch with our team for a no-obligation conversation about your security challenges.