Social engineering and phishing exercises

Social engineering and phishing exercises reduce the risks posed by adversaries who bypass technical safeguards by targeting people instead of systems. DotSec’s assessments show how your staff respond to realistic threats such as phishing, smishing and vishing, and whether your controls and awareness programs perform as expected.

We design tailored campaigns that reflect current attacker techniques, including MFA-resistant phishing, and we measure real behaviours such as link-clicks, credential submission, reporting rates and authentication failures. As a result, you receive a clear, evidence-based view of your organisation’s resilience, along with guidance to improve training, processes and controls.

What is a social engineering test?

Social engineering is the modern word for an old concept: a con. Attackers target broad groups or specific individuals and try to trick the victim into revealing information, granting access, approving transactions or taking an action that benefits the attacker.

A social engineering test helps users remember their role in protecting the organisation and verifies the effectiveness of controls such as security-awareness training and incident reporting.

DotSec’s tests mimic real attacker behaviour, potentially including:

  • MFA-resistant phishing
  • Credential-harvesting portals
  • Push-notification fatigue attacks
  • Smishing (SMS-based phishing)
  • Vishing (voice-based social engineering)

How do social engineering tests help?

These exercises benefit your business by:

  • Providing a practical, measurable way to verify security-awareness training.
  • Identifying human-factor vulnerabilities that technical controls cannot address.
  • Reinforcing users’ understanding of social-engineering risks and their role in reducing them.
  • Assessing real-world responses to phishing, smishing, vishing and MFA-focused attacks.

Tests also support compliance with ISO/IEC 27001, PCI DSS and the Australian Information Security Manual by demonstrating that personnel awareness and response capability are monitored and improved.

Running social engineering (phishing) tests

We’ll use phishing tests as the example social engineering exercise here, but the processes for other social engineering tests (smishing, vishing, etc.) are all similar, differing only in the delivery mechanism and associated details.

Whichever social engineering test you choose, DotSec handles the technical and content side of the exercise. You provide only a small amount of help to make sure the test lands properly and delivers meaningful results.

Planning and customisation

We’ll begin with a short scoping session to understand your environment, training goals and user base.

If you already run security-awareness training, we’ll align our phishing content so it reinforces what your staff have learned.

We’ll also review your MFA setup to understand what an attacker would need to do to bypass it. These are the same techniques used in real-world breaches, and simulating them gives you a much clearer view of your actual exposure.

Our phishing templates are never random. We select or customise each one to match your organisation, industry and threat profile.

The final templates, agreed with you in advance, may include fake HR announcements, supplier-themed messages or login pages that closely mimic your real authentication flow.

Email setup and delivery tests

To make sure the test is effective, we will work with you to:

  1. Allow the simulated phishing emails through your gateway and spam filters. There is a balance between realism and time: we can work to bypass spam filters, generally with good results, but this takes more time and therefore increases cost. You decide how we balance realism and budget.
  2. Ensure that any links in the phishing emails are not accidentally clicked by security tools before users receive them.
  3. Test delivery across a small group of user accounts before launching the full campaign.

This part of the process is not difficult and normally takes no more than two hours of your time, spread over a day or two.

Campaign execution

You can choose to run phishing tests across your whole organisation at once or spread them over several days. We can run them quietly or alongside internal communications, depending on how visible you want the program to be.

Each test may capture and report on:

  • Who received and opened the message.
  • Who clicked the link or submitted information.
  • Who reported the message and how they did so, if this can be measured.
  • Who exposed or lost their MFA credentials.
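The delivery check in step 2 above and the per-user measurements just listed come together in the analysis stage: a gateway's URL scanner that fetches every link would otherwise inflate the click rate. The following is an added illustration, not DotSec's tooling; the event log, the 30-second scanner window and the user-agent markers are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample campaign log (hypothetical users, not real data).
# Tuples of (user, event, ISO timestamp, user agent); events are
# delivered, clicked, submitted, mfa_approved and reported.
EVENTS = [
    ("alice", "delivered",    "2024-05-01T09:00:00", ""),
    ("alice", "clicked",      "2024-05-01T09:00:02", "LinkScanner/1.0"),  # gateway URL scanner
    ("alice", "clicked",      "2024-05-01T10:12:00", "Mozilla/5.0 Chrome/124"),
    ("alice", "submitted",    "2024-05-01T10:13:00", "Mozilla/5.0 Chrome/124"),
    ("alice", "mfa_approved", "2024-05-01T10:13:20", "Mozilla/5.0 Chrome/124"),
    ("bob",   "delivered",    "2024-05-01T09:00:00", ""),
    ("bob",   "clicked",      "2024-05-01T09:00:01", "LinkScanner/1.0"),  # scanner, not bob
    ("bob",   "reported",     "2024-05-01T09:45:00", ""),
    ("carol", "delivered",    "2024-05-01T09:00:00", ""),
    ("carol", "clicked",      "2024-05-01T11:30:00", "Mozilla/5.0 Safari/17"),
    ("dave",  "delivered",    "2024-05-01T09:00:00", ""),
]

SCANNER_WINDOW = timedelta(seconds=30)           # assumed: clicks this soon after delivery are automated
SCANNER_MARKERS = ("scanner", "bot", "crawler")  # assumed user-agent substrings of security tooling

def is_automated(delivered_at, clicked_at, user_agent):
    """Treat a click as a security-tool fetch if it lands inside the scanner
    window after delivery or carries a scanner-like user agent."""
    ua = user_agent.lower()
    return (clicked_at - delivered_at) <= SCANNER_WINDOW or any(m in ua for m in SCANNER_MARKERS)

def user_actions(events):
    """Collapse raw events into the set of genuine actions per user."""
    delivered = {}
    actions = defaultdict(set)
    for user, event, ts, ua in sorted(events, key=lambda e: e[2]):
        when = datetime.fromisoformat(ts)
        if event == "delivered":
            delivered[user] = when
            actions[user].add("delivered")
        elif event == "clicked":
            if user in delivered and not is_automated(delivered[user], when, ua):
                actions[user].add("clicked")
        else:  # submitted, mfa_approved, reported need a human, so keep them as-is
            actions[user].add(event)
    return actions

def campaign_metrics(events):
    """Rates for the report, each as a fraction of users who received the mail."""
    actions = user_actions(events)
    received = [u for u, a in actions.items() if "delivered" in a]
    def rate(kind):
        return round(sum(kind in actions[u] for u in received) / len(received), 2)
    return {k: rate(k) for k in ("clicked", "submitted", "mfa_approved", "reported")}
```

With the sample log, bob's only click is the scanner's and is discarded, so the click rate is 0.5 rather than 0.75, while the submission, MFA-exposure and reporting rates are each 0.25.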

The report will usually be provided as a PDF document, along with any supporting material that may be required.

Report and follow-up

After each test, we provide a clear report that summarises the results, identifies trends and recommends next steps. We then hold one or more follow-up meetings with your team to:

  1. Walk through the findings and answer questions.
  2. Explain what the results mean for your business and security plans.
  3. Help you interpret the data and decide on appropriate actions.

These meetings are run by DotSec’s assessors, the same people who designed and analysed your test. As a result, you speak directly with the people who understand the details, rather than with a sales or account manager.
