
What are social engineering tests?
Social engineering is the new-age word for “con”: An attack by a fraudster that targets either broad groups or specific, high-value individuals with the goal of tricking the victim into doing something that would help the attacker gain access to or misuse information, services, financial and legal arrangements… or cash!
Social engineering tests help to educate and remind users of their role in protecting the organisation against such attacks and also help the organisation to verify the effectiveness of controls such as security-awareness and incident identification and response training. Our tests mimic real-world attack techniques including MFA-resistant phishing, credential harvesting portals, and push-notification fatigue attacks, while also covering broader vectors such as smishing (SMS-based phishing) and vishing (voice-based social engineering).
How does a social engineering test benefit your business?
Social engineering tests benefit your business by:
- Providing a practical, measurable way to verify the effectiveness of security awareness training.
- Identifying personnel security weaknesses that technical controls alone cannot address.
- Reminding users of the risks associated with social engineering, as well as their role in reducing those risks.
By simulating realistic attacks, including phishing, MFA fatigue, smishing, and vishing, social engineering tests help assess how staff respond to common threat tactics and reinforce critical behaviours like prompt reporting of suspicious activity.
Your business will benefit by providing insights into user resilience that can inform targeted improvements to training programs, and by supporting compliance with frameworks such as ISO/IEC 27001, PCI DSS, and the Australian Information Security Manual.
What is a phishing exercise and where does MFA fit in?
Phishing is the most commonly encountered social-engineering attack technique, probably because it is easy and cheap to engineer at scale, and because a successful phishing attack will often result in immediate benefits (such as Business Email Compromise) for the attacker. A phishing exercise is a controlled simulation of a phishing attack, designed to test how well your staff can identify and respond to malicious emails. These simulations mimic the tactics used by real attackers such as the delivery of fake invoices, fake login prompts, and urgent requests for payment, and help uncover weaknesses in user awareness or email filtering.
At DotSec, our simulations go further. We don’t just test whether users will click a suspicious link; we also run MFA-resistant phishing exercises, simulating phishing attacks that are (generally) capable of bypassing multi-factor authentication (MFA) protections. We use techniques such as fake login portals that harvest session cookies, or simulated push-notification fatigue attacks that trick users into approving malicious sign-in attempts; these techniques mirror those used in real-world incidents.
How does dotSec run a social engineering test?
We’ll use phishing tests as the example social engineering exercise here, but the processes for other social engineering tests (smishing, vishing, etc.) are all similar, with minor changes to delivery mechanisms and associated details.
Whichever social engineering test you choose, dotSec handles the technical and content side of the phishing exercise. You just provide a little help to make sure the test lands properly and delivers meaningful results.
1. Planning and customisation
We’ll start with a quick scoping session to understand your environment, training goals, and user base. If you have existing security awareness training, we’ll align our phishing content to reinforce it. We’ll also factor in your MFA setup so that we can understand what needs to be done when attempting to bypass your MFA system. These are the same tactics used in real-world breaches, and simulating them gives you a clearer picture of your actual risk.
The phishing templates we use are never random. We select or customise each one to suit your organisation, industry, and threat profile. The final templates (as agreed with you) might include fake HR notices, fake supplier emails, or login pages that mimic your real authentication flow.
2. Email delivery and setup
To make sure the test is effective, we’ll work with you to:
- Allow the simulated phishing emails through your gateway and spam filters.
- Ensure that any links in the phishing emails aren’t accidentally “clicked” by security tools before the user sees them.
- Test delivery across a handful of user accounts before launching a full campaign.
This part isn’t difficult and usually takes no more than two hours of your time, spread over a day or two.
3. Campaign execution
You can choose to run phishing tests across your whole organisation at once or stagger them over a few days. We can run them silently, or in conjunction with internal communications, depending on how visible you want the program to be. Each test may capture:
- Who received and opened the message.
- Who clicked the link or entered data.
- Who reported the message (and how).
- How long users took to respond.
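As an added example (not dotSec’s own tooling), the following Python turns the raw events such a campaign captures into the metrics listed above; it assumes a simple (ISO timestamp, user, action) event record, and the sample data is constructed.

```python
# Added example, not dotSec's tooling: turn raw simulation events into campaign metrics.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events: (ISO timestamp, user, action). Names and times are made up.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "delivered"),
    ("2024-05-01T09:04:00", "alice", "opened"),
    ("2024-05-01T09:05:30", "alice", "reported"),   # reported without clicking
    ("2024-05-01T09:00:00", "bob", "delivered"),
    ("2024-05-01T09:10:00", "bob", "opened"),
    ("2024-05-01T09:11:00", "bob", "clicked"),
    ("2024-05-01T09:12:00", "bob", "submitted"),    # entered data on the fake portal
    ("2024-05-01T09:30:00", "bob", "reported"),     # late report still counts
    ("2024-05-01T09:00:00", "carol", "delivered"),  # no "opened": image blocking hides it
    ("2024-05-01T09:21:00", "carol", "clicked"),
    ("2024-05-01T09:22:00", "carol", "submitted"),
    ("2024-05-01T09:00:00", "dave", "delivered"),   # never interacted
]

def campaign_metrics(events):
    """Return counts, rates and time-to-report (minutes) for one campaign."""
    first = defaultdict(dict)  # user -> action -> earliest timestamp seen
    for ts, user, action in events:
        t = datetime.fromisoformat(ts)
        first[user][action] = min(t, first[user].get(action, t))
    delivered = [u for u, actions in first.items() if "delivered" in actions]
    n = len(delivered)
    def count(action):
        return sum(1 for u in delivered if action in first[u])
    # Minutes from delivery to report, for users who reported the message
    report_minutes = [
        (first[u]["reported"] - first[u]["delivered"]).total_seconds() / 60
        for u in delivered if "reported" in first[u]
    ]
    # Users who entered data and never reported need the most urgent follow-up
    compromised_unreported = sorted(
        u for u in delivered if "submitted" in first[u] and "reported" not in first[u]
    )
    return {
        "delivered": n,
        "opened": count("opened"),
        "clicked": count("clicked"),
        "submitted": count("submitted"),
        "reported": count("reported"),
        "click_rate": count("clicked") / n if n else 0.0,
        "report_rate": count("reported") / n if n else 0.0,
        "median_minutes_to_report": median(report_minutes) if report_minutes else None,
        "compromised_unreported": compromised_unreported,
    }
```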
4. Report and follow-up
Following each test, we’ll provide a clear report that summarises the results, identifies trends, and makes recommendations for next steps. We’ll also offer one or more follow-up meetings with your team to:
- Walk through the findings and answer any questions.
- Discuss what the results mean in the context of your business and security plans.
- Help you interpret the data and decide what to do next.
These meetings are run by dotSec’s assessors, the same people who designed and analysed your test; you’ll be talking to the people who actually know what’s going on, not a sales or account manager.
What next?
Your phishing goals may include:
- Establishing a baseline for new staff.
- Reinforcing existing training.
- Simulating modern phishing attacks that bypass MFA.
- Or just proving to the board that your awareness efforts are working.
Whatever the case, if you want to know how your organisation would respond to a real phishing attack (not just a basic “click this link” test), an MFA-resistant phishing exercise is a simple and effective way to find out.
Give us a call and let’s go phishing!