+44 (0)20 7877 0060 contact@2-sec.com

Social Engineering


Businesses in the UK are facing a growing number of sophisticated and sustained attacks by organised criminals, alongside opportunistic attackers and disgruntled former employees intent on damaging a company’s reputation. A common route in is the current workforce: attackers use your own employees to gain a foothold in your business systems.

Social engineering is the manipulation of people into performing actions or disclosing information that they would not otherwise disclose. Attackers use it to obtain valuable information such as financial data, intellectual property, research activity and personal information, and the end goal is usually one of three things: gathering information for a later attack, committing fraud, or gaining access to a company system.

The most common form of social engineering is phishing. Phishing attacks are growing in frequency and sophistication and keep adopting new forms and techniques, so employees need to be aware of current scams and tactics as well as the threat actors behind them. A proven way to educate and test staff is to run simulated phishing attacks as part of an ongoing programme of security education and testing, so that employees keep pace with phishing tactics as they develop.



Even where an organisation has deployed the latest anti-malware and anti-virus technology, a carefully crafted fake email or phone call is aimed at a person rather than a machine, and these controls cannot be relied upon to stop it; one successful deception can give a criminal access to your information systems and sensitive data. The attacks are driven by social interaction: impersonation to obtain a password, or a sequence of tailored interactions designed to extract sensitive financial information and bank account details. Typical types of attack include:

  1. Email phishing – an email that deceives employees into clicking a fraudulent link or opening a document attachment that installs malware or captures credentials, giving the attacker a foothold on the company network. Phishing emails have become more sophisticated, making it difficult for some people to tell a genuine request for information from a malicious one.
  2. Spear phishing – criminals gather personal information from the internet or a phone call and use it to tailor their emails with the target’s name, position, company and so on. The email is crafted to convince the recipient that there is an authentic connection with the sender, so that they click a malicious URL or open a malicious attachment.
  3. Whaling and business email compromise (BEC) scams – whaling attacks are directed specifically at senior managers. The attacker gathers personal information in order to build a plausible approach to key members of the management team and persuade them to click a link in an email. If this succeeds, the criminal can move on to CEO fraud, the second phase of a BEC scam, in which the attacker uses an executive’s email account (or a convincing impersonation of it) to authorise fraudulent wire transfers to accounts the criminals control.
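As an added example, not part of the original page and not 2-sec’s own tooling, the following Python triage routine applies the indicators behind the three attack types above to raw email messages: an executive’s display name on an external address, a look-alike sender domain, a Reply-To that diverges from the From address, and the payment or urgency language typical of CEO fraud. The company domains, executive names and the three sample messages are constructed for illustration.

```python
"""Header-based triage for phishing and BEC indicators.

Added example. Domains, executive names and sample messages are constructed.
"""
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr

# Assumed corporate context (hypothetical).
CORP_DOMAINS = {"acme-corp.com", "acme-corp.co.uk"}
EXECUTIVES = {"jane smith", "raj patel"}          # names an attacker would impersonate
URGENCY = re.compile(
    r"\b(urgent|immediately|wire|transfer|invoice|payment|gift card)\b", re.I
)

# Characters commonly substituted to build look-alike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def _normalise(domain: str) -> str:
    """Fold common homoglyph tricks (acme-c0rp, acrne-corp) back to the plain spelling."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_corp_domain(domain: str) -> bool:
    """True for a domain that is NOT ours but is a near-copy of one of ours."""
    if domain in CORP_DOMAINS:
        return False
    norm = _normalise(domain)
    return any(norm == _normalise(d) or _edit_distance(norm, d) <= 1 for d in CORP_DOMAINS)


def triage(raw: str) -> list[str]:
    """Return the phishing/BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. An executive's display name on an address outside our domains.
    if any(name in display.lower() for name in EXECUTIVES) and from_domain not in CORP_DOMAINS:
        findings.append("executive display name on external address")

    # 2. Look-alike sender domain.
    if looks_like_corp_domain(from_domain):
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Reply-To steering replies somewhere other than the claimed sender's domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain")

    # 4. Payment or urgency language typical of CEO fraud.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(msg.get("Subject", "") + " " + str(body)):
        findings.append("urgency or payment language")
    return findings


SAMPLES = {  # constructed messages, not real traffic
    "bec": textwrap.dedent("""\
        From: "Jane Smith (CEO)" <jane.smith.ceo@gmail.com>
        Reply-To: jane.ceo@protonmail.com
        To: finance@acme-corp.com
        Subject: Urgent wire transfer needed today

        Please process the attached invoice immediately and confirm.
        """),
    "lookalike": textwrap.dedent("""\
        From: IT Helpdesk <helpdesk@acrne-corp.com>
        To: staff@acme-corp.com
        Subject: Password expiry notice

        Your password expires tonight. Sign in at the portal to keep access.
        """),
    "legit": textwrap.dedent("""\
        From: Raj Patel <raj.patel@acme-corp.com>
        To: team@acme-corp.com
        Subject: Q3 planning notes

        Notes from the planning session are on the intranet.
        """),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", triage(raw) or "no indicators")
```

None of these checks is conclusive on its own; the value is in combining them and in keeping the executive and domain lists current, since an attacker only needs one name the list does not cover.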


Our phishing simulations test your employees’ susceptibility to phishing attacks and let you take immediate action to support employee learning. They can help you satisfy compliance and regulatory requirements and focus future testing on the employees at greatest risk. The simulation assesses an organisation’s susceptibility to social engineering whether delivered by email, social media, text message, phone call or face-to-face. As part of the assessment we use intelligence gathering to identify higher-risk individuals and roles, and we can target a defined team or function within the business if the client has highlighted it as a concern.

Our team will provide carefully tailored phishing simulations that will mirror the current threats facing your organisation and industry. Our available simulations include:

  1. SMS Phishing – Our simulations send messages to your users’ mobile phones containing links or contact numbers and asking them to click through or reply with sensitive information.
  2. Corporate Phishing – We send simulated emails that appear to come from someone within your own organisation, usually a person of influence, the IT department or a personal assistant. We ensure the emails are correctly formatted and are not blocked by your email security systems, so that the exercise measures your people rather than your mail filters, and we direct users who interact with them to a carefully prepared simulated landing page.
  3. Board Member Phishing – We target a handful of senior individuals in positions of influence with bespoke messages that aim to catch board members or non-executive directors off-guard and have them run a simulated malware payload on their devices.
  4. Ransomware Simulation – We use a simple, benign application to display a ransomware pop-up on user desktops.
  5. Personal Phishing – Our simulations use well-known brands such as Amazon, Apple, eBay, Facebook and Dropbox to ask users to confirm a fake transaction or update their details.
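As an added example, not 2-sec’s platform or code, the Python below shows the mechanism behind the simulated landing page described above: each recipient receives a unique, HMAC-signed tracking link, the landing page verifies the token before recording a click (so tampered or forwarded links cannot pollute the results), and the clicks are summarised per department so that higher-risk groups can be identified. The base URL, campaign name, signing secret and recipient list are assumed values for illustration.

```python
"""Per-recipient tracked links for a phishing simulation.

Added example. Base URL, secret, campaign name and recipients are constructed.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SIG_LEN = 16                  # truncated HMAC-SHA256 tag, 128 bits
DEFAULT_TTL = 7 * 24 * 3600   # links stop resolving a week after the send


def make_token(campaign: str, recipient: str, secret: bytes, issued: Optional[int] = None) -> str:
    """Encode who received which lure; signed so the landing page needs no database lookup."""
    payload = json.dumps(
        {"c": campaign, "r": recipient, "i": issued or int(time.time())},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()[:SIG_LEN]
    return base64.urlsafe_b64encode(payload + tag).rstrip(b"=").decode()


def verify_token(token: str, secret: bytes, now: Optional[int] = None,
                 ttl: int = DEFAULT_TTL) -> Optional[dict]:
    """Return the claims for an authentic, unexpired token, otherwise None."""
    try:
        data = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except (ValueError, TypeError):
        return None
    if len(data) <= SIG_LEN:
        return None
    payload, tag = data[:-SIG_LEN], data[-SIG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:SIG_LEN]
    if not hmac.compare_digest(tag, expected):   # constant-time compare: forged or tampered
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if (now or int(time.time())) - claims.get("i", 0) > ttl:
        return None
    return claims


def tracking_url(base: str, campaign: str, recipient: str, secret: bytes,
                 issued: Optional[int] = None) -> str:
    """The link placed in the lure email for one recipient."""
    return base + "?" + urlencode({"t": make_token(campaign, recipient, secret, issued)})


def parse_click(url: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """What the landing page does on each hit: extract the token and verify it."""
    token = parse_qs(urlparse(url).query).get("t", [""])[0]
    return verify_token(token, secret, now)


def click_rate(recipients: dict, click_urls: list, secret: bytes,
               now: Optional[int] = None) -> dict:
    """Per-department (clicked, targeted) counts; repeat clicks and bad tokens are ignored."""
    clicked = set()
    for url in click_urls:
        claims = parse_click(url, secret, now)
        if claims and claims["r"] in recipients:
            clicked.add(claims["r"])
    out = {}
    for email, dept in recipients.items():
        hit, total = out.get(dept, (0, 0))
        out[dept] = (hit + (email in clicked), total + 1)
    return out


if __name__ == "__main__":
    secret = b"campaign-signing-secret"          # hypothetical; keep per-campaign in practice
    base = "https://training.example.com/notice"  # hypothetical landing page
    for who in ("a@acme-corp.com", "c@acme-corp.com"):
        print(tracking_url(base, "q3-invoice", who, secret))
```

Signing the token rather than storing a random ID per recipient keeps the landing page stateless, and the expiry stops an old lure being clicked months later and counted against someone. Whatever the mechanism, the per-person results should feed training rather than discipline, or staff will stop reporting the emails they fall for.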