Social engineering and phishing exercises reduce the risks posed by adversaries who bypass technical safeguards by targeting people instead of systems. DotSec’s assessments show how your staff respond to realistic threats such as phishing, smishing and vishing, and whether your controls and awareness programs perform as expected.
We design tailored campaigns that reflect current attacker techniques, including MFA-resistant phishing, and we measure real behaviours such as link-clicks, credential submission, reporting rates and authentication failures. As a result, you receive a clear, evidence-based view of your organisation’s resilience, along with guidance to improve training, processes and controls.
Social engineering is the modern word for an old concept: a con. Attackers target broad groups or specific individuals and try to trick the victim into revealing information, granting access, approving transactions or taking an action that benefits the attacker.
A social engineering test helps users remember their role in protecting the organisation and verifies the effectiveness of controls such as security-awareness training and incident reporting.
DotSec’s tests mimic real attacker behaviour, potentially including:
Social engineering tests benefit your business in many ways:
Tests also support compliance with ISO/IEC 27001, PCI DSS and the Australian Information Security Manual by demonstrating that personnel awareness and response capability are monitored and improved.
We’ll use phishing tests as the example social engineering exercise here, but the processes for other social engineering tests (smishing, vishing, etc.) are similar, with minor changes to delivery mechanisms and associated details.
Whichever social engineering test you choose, dotSec handles the technical and content side of the phishing exercise. You just provide a little help to make sure the test lands properly and delivers meaningful results.
We’ll begin with a short scoping session to understand your environment, training goals and user base.
If you already run security-awareness training, we’ll align our phishing content so it reinforces what your staff have learned.
We’ll also review your MFA setup to understand what an attacker would need to do to bypass it. These are the same techniques used in real-world breaches, and simulating them gives you a much clearer view of your actual exposure.
Our phishing templates are never random. We select or customise each one to match your organisation, industry and threat profile.
The final templates, agreed with you in advance, may include fake HR announcements, supplier-themed messages or login pages that closely mimic your real authentication flow.
To make sure the test is effective, we will work with you to:
This part of the process is not difficult and normally takes no more than a few hours of your time, spread over a day or two.
You can choose to run phishing tests across your whole organisation at once or spread them over several days. We can run them quietly or alongside internal communications, depending on how visible you want the program to be.
Each test may capture and report on:
The report will usually be provided as a PDF document, along with any supporting material that may be required.
After each test, we provide a clear report that summarises the results, identifies trends and recommends next steps. We then hold one or more follow-up meetings with your team to:
These meetings are run by DotSec’s assessors, the same people who designed and analysed your test.
As a result, you speak directly with the people who understand the details, rather than a sales or account manager.
A bad day phishing is better than a good day in the office! Let’s work together to see if users will click a suspicious link, but let’s also go further and run MFA-resistant phishing exercises, simulating phishing attacks that are (generally) capable of bypassing multi-factor authentication (MFA) protections.
We’ll use techniques that include fake login portals that harvest session cookies, and simulated push-notification fatigue attacks that trick users into approving malicious sign-in attempts; these techniques mirror those used in real-world incidents.
Let’s go phishing!