Social Engineering Penetration Test and Assessment

Your staff members are the first line of defence against attackers. It is becoming more and more common for attackers to simply phone a company and trick a staff member into giving them access to a customer or staff account, or other valuable systems. This is known as social engineering and is becoming increasingly prevalent as an attack vector.


A Human Attack Vector

Social Engineering

Social engineering is significantly more difficult for an employee to recognise, largely because the attacker conducts extensive research to understand the target's lifestyle, work environment and other background information. They then select the attack method most likely to trick that target, such as baiting, scaremongering or establishing trust over a number of communications.

Having a specific target in mind allows the attacker to use multiple mediums, backing up requests sent over email via phone calls or text messages.

Social Engineering Penetration Testing

The basics

What is Social Engineering Penetration Testing?

A social engineering penetration test is a simulated attack against your staff, carried out over the phone, via your helpdesk solution, or via your web chat solution. The purpose of the simulation is to attempt to gain access to valid customer accounts or to trick a staff member into divulging sensitive information.

Our testers will enumerate the potential attack surface for social engineering, and carry out research into your business, the targeted staff members, and your customers prior to launching the simulated attack.

How common are social engineering attacks?

The extent of social engineering attacks in the UK

In 2022, 39% of organisations in the UK reported having been subject to a cyberattack, and of those, the vast majority (83%) named phishing or social engineering as a key attack vector. Social engineering is the method an attacker is most likely to use to gain entry to your network, according to recent statistics showing a decline in the use of ransomware in favour of phishing and social engineering.

With the average cost of an attack this year ranging from £4,500 to £19,400, protecting your organisation against dangerous social engineering attacks has never been more important.


Types of social engineering attack

What are the four types of social engineering?

There are four main types of social engineering methods that attackers commonly use:

  • Baiting - an attacker uses a false promise or benefit to entice the target through greed or curiosity. This often takes the form of enticing adverts or items that download malware onto the target’s computer or prompt them to enter credentials.

  • Scareware - an attacker bombards a target with fake scenarios and false alarms, often saying their device is infected with malware, in order to get the target to download rogue software (often containing malware itself).

  • Pretexting - an attacker creates a fictional scenario, often impersonating a trusted individual, in order to steal personal information or circumvent an organisation’s security procedures. Attackers here often mimic the C-suite, employees in HR or finance, the police, or the target’s bank.

  • Phishing/Spearphishing - an attacker creates an email or text message campaign designed to trick the target into entering credentials, opening a malicious link or downloading a malicious file. Spearphishing is a more targeted version in which the attacker chooses a specific target and tailors the content directly to them.


Testing Benefits

What Are The Benefits Of Social Engineering Pentesting?

As with more traditional types of security assessment, the benefit of social engineering testing is that it enables you to safely identify potential gaps in your security posture, and address those gaps before attackers exploit them in the real world.

Find out how aware your staff are of potential threats, and identify gaps in your processes that could allow attackers to breach your organisation via a social engineering attack.


What you will get

Your Social Engineering Penetration Test Report

The outcome of a social engineering test is typically that our testers have gained unauthorised access to one or more of your systems or applications. You will receive a report detailing the actions we took, how we gained access and what weaknesses we exploited to do so.

CREST Registered - CREST Certified

Are you CREST Certified?

OnSecurity is a CREST (Council of Registered Ethical Security Testers) approved vendor. This means that all our test methodologies, processes, policies, and procedures have been externally vetted by CREST to ensure we are operating to the highest standards possible in the pentesting industry.

On top of this, the majority of our testers are CREST certified, meaning they have been through a CREST assault course (or CREST-recognised equivalent) to ensure they have the requisite skills needed to find and exploit vulnerabilities in a safe and controlled manner.

This external validation means you can be confident your pentests are being carried out to the highest standard, by vetted and tested consultants, who use a best-in-class manual-first approach to testing.


Getting Started

Booking your Social Engineering Penetration Test

To book a social engineering test, you simply need to get in touch with our team. You can do this by calling us on +44 (0) 20 3289 6710 or email us on
