Every way attackers try to deceive your employees

From classic email phishing to deepfake vishing and quishing — VIPentest simulates every vector used by real-world adversaries today. Every scenario maps to a specific MITRE ATT&CK technique.

Mass Phishing (email)

Realistic email campaigns to the entire organisation — fake M365, Google Workspace, banking, courier, and HR notifications. We measure click rate, submit rate, and time-to-report.

T1566.002

Spear Phishing and Whaling

Targeted attacks against CFO, CEO, finance, HR, and administrators. Full OSINT, personalisation based on LinkedIn, calendar, and recent media activity.

T1566.003

Vishing (telephone)

Simulated calls to helpdesk, reception, finance, and sales. Vendor, auditor, IT staff pretexts. Also AI voice cloning for deepfake attacks against executives.

T1566.004

Smishing and Messengers

SMS, WhatsApp, Signal, Microsoft Teams. Fake bank, courier, and delivery notifications, plus MFA verification requests — with rotating numbers and URL shorteners.

T1660

Business Email Compromise

CEO Fraud, fake invoice, change-of-bank-account. Forced wire transfers or payment data manipulation. Tests of Four Eyes procedures and callback approval in finance.

T1534

Physical Social Engineering

Tailgating, USB drop, impersonating cleaning crew, courier, auditor. Tests of badge policies, visitor escorting, and physical access controls.

T1200

Quishing (QR codes)

Fake QR codes placed in offices, car parks, printed correspondence, and emails. Bypasses most secure email gateways and URL scanners.

T1656

MFA Fatigue and AiTM

Push bombing, Adversary-in-the-Middle with Evilginx2, session cookie theft. Demonstrates that MFA alone is insufficient without phishing-resistant FIDO2/WebAuthn.

T1621

Pretexting

Construction of a credible scenario and persona. Calls “from the central bank”, emails from a “new cloud vendor”, messages from a “colleague in another branch” with urgent requests.

T1598

What exactly we test in a social engineering engagement

Full scope delivered according to PTES Social Engineering methodology, mapped to MITRE ATT&CK techniques in Initial Access (TA0001) and Reconnaissance (TA0043). Each module can be run individually or as part of a coherent blended campaign.

Controlled, realistic email campaigns sent from dedicated VIPentest infrastructure. Brand cloning of Microsoft 365, Google Workspace, major UK and EU banks, couriers (DHL, UPS, FedEx, InPost), and internal client applications. Spam-filter bypass carried out under full authorisation and with a complete audit trail.

  • Login portal cloning: M365, Google, Okta, Azure AD, OneLogin, ADFS, client intranet — pixel-perfect copies with valid TLS certificates
  • SEG bypass: Verification of real-world performance of Microsoft Defender, Proofpoint, Mimecast, Barracuda. Identification of which phish types pass through
  • Full funnel tracking: Open rate, click rate, submit rate, MFA bypass rate, attachment executions, time-to-first-click, time-to-first-report
  • Real payloads: Macro documents in sandbox, OneNote / ISO / HTML smuggling, AiTM via Evilginx2 (with authorisation)
  • Multilingual: English (primary), Polish, German, Ukrainian — for multicultural organisations
  • Realistic branding: Typosquatted domains, IDN homograph, dedicated Let’s Encrypt certificates with OCSP stapling

Specialised campaigns against CEOs, CFOs, board members, CISOs, and personnel with critical access. APT-style adversary simulation — days of reconnaissance, hours of research per target, precise pretext. Whaling typically has a 5 to 10 times higher success rate than mass phishing, requiring a separate training programme for C-level staff.

  • Deep OSINT: LinkedIn, X, conference calendars, podcasts, expert panels, financial reports, data breaches
  • Pretext construction: Investor, regulator, industry journalist, headhunter, event organiser, strategic client
  • Blended vector: LinkedIn message plus email plus phone plus online meeting — multi-week trust build-up
  • Deepfake voice samples: Model trained on CEO public appearances and CFO vishing simulation (with consent)
  • Calendar phishing: Fake Google Calendar / Outlook invitations with embedded links
  • Executive coaching: Individual 1-to-1 debriefing with every board member who failed

Simulated phone attacks targeting IT helpdesk, reception, finance departments, sales, and customer hotlines. The most commonly neglected vector, despite helpdesk phone calls being the classic path to admin account password resets (Twitter 2020, MGM Resorts 2023, Cisco 2022).

  • Helpdesk password reset: Attempts to force the agent into resetting admin / VIP account passwords under urgent pretext
  • MFA enrolment bypass: Forcing the addition of a “new” 2FA device to the victim’s account
  • Information harvest: Subtle extraction of information from reception, sales, finance — organisational schema, structure, contacts
  • CallerID spoofing: Displaying internal organisation numbers or vendor numbers (legally, with consent)
  • AI Voice Cloning: Simulated deepfake CFO/CEO demanding urgent wire transfer (separate module, full legal consent)
  • Audit trail: Every call recorded (with consent of the campaign participant — the administrator), full transcript in report

Messengers are far less protected today than email. Smishing can have a 5 to 10 times higher click rate than email phishing because the victim has no access to headers, hover previews, or sandboxes. Attackers are migrating en masse to SMS, WhatsApp, and Teams.

  • SMS campaigns: SMS gateways with rotating numbers (PL, UK, DE), URL shorteners, geo-fenced delivery
  • WhatsApp Business: Verified business accounts with vendor/bank profiles, multimedia as bait
  • Signal and Telegram: 1-to-1 phishing with fake recruiter, external project manager, business partner
  • Microsoft Teams External: Using accounts from another tenant to bypass filters (Storm-0324, Storm-0539 actors)
  • Push notification spam: Forcing erroneous MFA approval by flooding the employee with notifications
  • Dynamic URL rotation: Links that regenerate after scanner detection, content cloaking per region/UA

BEC is the costliest cybercrime category in 2024-2026 — average loss of 137,000 USD per incident (FBI IC3). Attackers impersonate the CEO, CFO, vendor, or partner to extract a wire transfer or change account details. We test both the technical vector (spoofing) and the procedural one (Four Eyes, callback).

  • CEO Fraud: Email/SMS from “CEO” during their travel — urgent request for “confidential transaction” transfer
  • Change of bank account: Fake vendor email about a change in invoice payment account
  • Fake invoice: Sending a fraudulent invoice during a known billing period
  • Payroll diversion: “Employee” request to HR to change salary payment account number
  • Conversation hijacking: Injection of a message into an existing conversation thread with a vendor (after prior compromise)
  • Procedure audit: Verification of Four Eyes, callback approval, verbal verification for amounts over threshold

Physical presence at client premises is often the fastest path to data exfiltration. We test all layers of physical security — from reception through badges, visitor escorting, to clean desk policies and physical access to server rooms.

  • Tailgating: Attempting to enter restricted zones behind an employee without a badge — pretext “forgot my card”, “I’m from service”
  • USB drop: Leaving branded USB drives (with tracked HTA / LNK documents) in car parks, reception, kitchens
  • On-site pretexting: Impersonating cleaning crew, courier, ISO auditor, air conditioning technician
  • Shoulder surfing: Attempts to observe passwords, screens with sensitive data in open spaces, cafes, airports
  • Clean desk audit: Verification that office spaces don’t leave passwords on sticky notes, PII documents, or keys
  • Badge access bypass: RFID card cloning at 125 kHz / 13.56 MHz, NFC tests, basic lockpicking

The threat landscape evolves every quarter. VIPentest regularly updates its scenario portfolio with the latest techniques observed in real attacks on clients across the EU and US. In 2025-2026, new vectors dominate that traditional training fails to address.

  • Quishing: QR codes in printed correspondence, car parks, emails — bypass SEG and URL scanners
  • ClickFix / FileFix: Paste-to-run social engineering — “press Win+R and paste” message on a fake website
  • Browser-in-the-Browser (BitB): Fake SSO windows rendered in iframe inside a real website
  • Callback Phishing (TOAD): Email without links requesting a call to a call centre — combines email with vishing
  • AiTM phishing kits: Evilginx2, Tycoon 2FA, Mamba 2FA — real demo of MFA bypass and cookie theft
  • Deepfake video: Teams/Zoom meetings with deepfake CFO/CEO (Arup Group 2024 case — 25M USD loss)

The campaign alone is only a measurement — without a training programme, the click rate returns to baseline within 4-6 weeks. VIPentest delivers a comprehensive, continuous security awareness programme aligned with ISO/IEC 27001 Annex A.6.3, NIS2, and DORA requirements.

  • Just-in-time training: An employee who clicked lands within seconds on a 90-second microlearning analysing that specific scenario
  • Quarterly microlearning: 5-7 minute courses in EN/PL distributed via email, intranet, Microsoft Viva Learning, SAP Litmos
  • Role-based training: Separate tracks for board, finance, HR, helpdesk, developers, sales
  • Gamification: Anonymous departmental leaderboards, badges for correct reports, quarterly rewards
  • Executive sessions: Dedicated workshops for the board — deepfake, BEC, OSINT on their own persona
  • Progress dashboard: Real-time metrics for CISO, risk map per department, 12-month trend, export to compliance reports

How the campaign runs, step by step

A six-stage process aligned with PTES Social Engineering. Every stage ends with a checkpoint with the client’s designated contact: full control, no surprises.

01. Scoping and Rules of Engagement (Day 1-3)

Scoping workshop with the CISO and business sponsors. We agree campaign objectives, permitted vectors (email/vishing/smishing/physical), exclusion lists (sick employees, pregnant staff, those on leave, sensitive departments), escalation channels, and emergency contact. Signing of SoW, NDA, and Letter of Authorisation.

02. OSINT and Reconnaissance (Day 4-7)

Full open-source reconnaissance — LinkedIn, corporate site, data breaches (Have I Been Pwned, BreachForums), email address formats, DNS records, deployed technologies (SPF/DKIM/DMARC, M365 vs Google, EDR), media activity of leadership, recent conferences, organisational structure. This forms the foundation for realistic pretexts.

03. Scenario design (Day 8-10)

We construct 3-5 realistic pretexts adapted to the organisation’s context — cloud vendor, tax office, courier, business partner, IT helpdesk. We create landing pages, clone brands, purchase dedicated domains (typosquatted), configure infrastructure with proper TLS, SPF, and DMARC for attack domains.

04. Launch and monitoring (Day 11-17)

Delivery in windows matched to the time zone and rhythm of the organisation — typically Tuesday through Thursday, 9:30 and 14:00. Real-time dashboard tracking opens, clicks, submitted credentials, attachment executions, time-to-report. Full readiness to immediately stop the campaign if an unforeseen situation arises.

05. Controlled escalation (Day 18-20)

Within the agreed scope — we use captured credentials to log into OWA, M365, VPN. Verification of MFA bypass via AiTM, exfiltration of sample files from OneDrive/SharePoint, lateral movement attempts in the test environment. All under active client monitoring with full audit trail.

06. Report, debriefing, training (Day 21+)

We deliver an Executive Summary with metrics, a results map per department (anonymised), a detailed scenario walkthrough with screenshots, technical recommendations (DMARC, MFA, SEG hardening, policies), a live debriefing with the board, and the launch of just-in-time training for employees who failed. After 90 days, an optional control campaign at a 30 percent discount.

Social engineering testing required by EU and Polish regulations

Security awareness programmes and phishing resilience tests are today mandatory or strongly recommended by key regulations applicable in Poland and the European Union.

NIS2
EU Directive 2022/2555 — mandatory security awareness training and testing for essential and important entities. PL implementation by 17.10.2024.
DORA
EU Regulation 2022/2554. For the financial sector — resilience testing under TLPT (Threat-Led Penetration Testing). Effective from 17.01.2025.
ISO/IEC 27001:2022
Annex A.6.3 — requirement for an information security awareness, education, and training programme. Applies to all certified organisations.
KNF Rec. D
Polish Financial Supervision Authority Recommendation D for banks — regular employee security awareness testing (minimum annually, more often recommended).
PCI DSS 4.0
Requirement 12.6 — awareness programmes for all employees with access to cardholder data. Annual frequency.
GDPR
Article 32 — adequate technical and organisational measures. Awareness programmes are one of the fundamental organisational measures.
HIPAA
Security Rule § 164.308(a)(5) — Security Awareness and Training as administrative safeguard for healthcare data in the US.
Cyber Insurance
Most cyber policies today require annual phishing campaigns and awareness programmes as a precondition of coverage.

Frequently asked questions

Answers to the key questions we receive from CISOs, IT directors, and executive boards considering a social engineering testing programme.

Social engineering testing involves controlled simulations of attacks that exploit psychological manipulation rather than technical vulnerabilities. Unlike application or infrastructure penetration tests, the goal is not to exploit code but to verify the resilience of people and processes — whether an employee clicks a suspicious link, discloses a password over the phone, or lets a stranger into a restricted zone.

According to the Verizon DBIR 2024 report, over 68 percent of security breaches begin with human compromise. A social engineering test delivers real metrics on click-through rates, incident reporting time (time-to-report), verification process effectiveness, and the maturity of your security awareness programme.

VIPentest delivers campaigns across the full spectrum: email phishing (mass and targeted), spear phishing and whaling, vishing (telephone social engineering), smishing (SMS and messengers), BEC and CEO Fraud, pretexting and physical social engineering (tailgating, USB drop), quishing (QR codes), and watering hole attacks. Each vector can be deployed individually or as part of a multi-channel blended campaign.

A standard one-off phishing campaign runs 2 to 3 weeks from kick-off to final report. Week 1 — scoping, OSINT, scenario design and infrastructure setup. Week 2 — delivery and monitoring. Week 3 — analysis, reporting, debriefing, and training. The number of employees has minimal cost impact — we can test teams from 20 people (small software houses) to over 10,000 (banking groups).

The recommended model is a continuous programme with quarterly campaigns and microlearning — this 12-month model allows you to measure the resilience trend (from 25-35 percent click rate at start to under 5 percent after 4 cycles).

Yes — social engineering tests are fully legal when conducted by an authorised firm with written consent (Rules of Engagement). Before every campaign, VIPentest signs an SoW, NDA, and Letter of Authorisation defining permitted vectors, exclusion lists (sick employees, pregnant staff, sensitive departments), escalation channels, and stop procedures.

We apply the “no naming and shaming” principle — reports show aggregate statistics and never name individuals in board-facing deliverables. Individual results are used solely to direct employees to training. Testing complies with GDPR (legitimate interest of the controller — Article 6(1)(f)), Polish Labour Code, and employer internal policies.

Social engineering tests are mandatory or strongly recommended by numerous regulations: NIS2 (EU Directive 2022/2555) — awareness training for essential and important entities. DORA (EU Regulation 2022/2554) — financial sector, TLPT. KNF Recommendation D — banks, regular awareness testing. ISO/IEC 27001:2022 (Annex A.6.3) — awareness programme. PCI DSS 4.0 (req. 12.6) — awareness programmes for cardholder data access. GDPR (Article 32) — technical and organisational measures. HIPAA Security Rule — security awareness training. Many cyber insurance policies also require annual phishing campaigns.

The report contains a full set of operational and strategic metrics: click rate, submit rate, attachment open rate, report rate (a key maturity indicator), time-to-first-click, time-to-first-report, results broken down by department/location/role, effectiveness of technical defences (SPF/DKIM/DMARC, Safe Links, Defender), MFA bypass success rate, and Executive Summary with business risk and 12-month awareness programme roadmap. Reports are delivered in English and Polish, in both executive and technical versions.
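How the funnel metrics listed above are derived from raw campaign events, as an added example that is not VIPentest's reporting code. It assumes a constructed event schema of (ISO-8601 timestamp, recipient, department, event) where event is one of sent/open/click/submit/report; each stage is counted at most once per recipient, and the time-to-first values are measured from the earliest send.

```python
"""Funnel metrics (open/click/submit/report rate, time-to-first-click,
time-to-first-report, per-department breakdown) from a campaign event log.
Added example on constructed events; the schema and names are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed log for a single 09:30 send wave (fictional recipients).
EVENTS = [
    ("2026-03-10T09:30:00", "a.kowalski", "finance", "sent"),
    ("2026-03-10T09:30:00", "b.nowak", "finance", "sent"),
    ("2026-03-10T09:30:00", "c.wisniewska", "hr", "sent"),
    ("2026-03-10T09:30:00", "d.lewandowski", "it", "sent"),
    ("2026-03-10T09:34:00", "a.kowalski", "finance", "open"),
    ("2026-03-10T09:35:00", "a.kowalski", "finance", "click"),
    ("2026-03-10T09:36:00", "a.kowalski", "finance", "submit"),
    ("2026-03-10T09:41:00", "b.nowak", "finance", "open"),
    ("2026-03-10T09:42:00", "b.nowak", "finance", "report"),
    ("2026-03-10T10:05:00", "c.wisniewska", "hr", "open"),
    ("2026-03-10T10:06:00", "c.wisniewska", "hr", "click"),
    ("2026-03-10T10:06:05", "c.wisniewska", "hr", "click"),  # repeat click, counted once
    ("2026-03-10T10:20:00", "d.lewandowski", "it", "report"),  # reported from preview
]

STAGES = ("open", "click", "submit", "report")


def funnel(events, department=None):
    """Per-recipient funnel for one department (or all if None).
    Rates are fractions of recipients sent to; time-to-first values are minutes
    from the earliest send, or None when nobody reached that stage."""
    sent, reached = set(), defaultdict(set)
    send_time, first = None, {}
    for ts, who, dept, ev in events:
        if department and dept != department:
            continue
        t = datetime.fromisoformat(ts)
        if ev == "sent":
            sent.add(who)
            send_time = t if send_time is None else min(send_time, t)
        elif ev in STAGES:
            reached[ev].add(who)            # set: one count per person per stage
            first[ev] = min(first.get(ev, t), t)
    n = len(sent) or 1                      # avoid division by zero on empty input
    result = {f"{s}_rate": len(reached[s]) / n for s in STAGES}
    for s in ("click", "report"):
        minutes = None
        if s in first and send_time is not None:
            minutes = (first[s] - send_time).total_seconds() / 60
        result[f"time_to_first_{s}_min"] = minutes
    return result


def by_department(events):
    """Breakdown used for the anonymous per-department results map."""
    return {d: funnel(events, d) for d in sorted({e[2] for e in events})}
```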

We use a mix of professional and proprietary tools tailored to campaign scale: GoPhish and Evilginx2 (open-source, fully controlled), King Phisher, Modlishka (reverse proxy for MFA bypass — only with authorisation), proprietary templates, dedicated C2 infrastructure, and typosquatted domains. For vishing — VoIP with legal CallerID spoofing, Twilio. For smishing — SMS gateways with rotating numbers. Portal cloning — Social-Engineer Toolkit (SET), HTTrack, and proprietary templates for M365, Google Workspace, and Polish banks.

Cost depends on scope and vector:

  • Email campaign (up to 500 employees, one scenario): 3,000 to 5,500 EUR
  • Email with OSINT and 2-3 scenarios (up to 1,500 employees): 6,000 to 10,000 EUR
  • Blended (email plus vishing plus smishing) for mid-sized company: 10,000 to 18,000 EUR
  • APT-style (executive spear phishing plus helpdesk vishing plus physical plus lateral): 18,000 to 40,000 EUR
  • Continuous 12-month programme (4 campaigns plus microlearning plus dashboard): 14,000 to 35,000 EUR/year

Every quote includes full OSINT, dedicated infrastructure, report in EN/PL, board debriefing, post-test training, 30 days of support, and follow-up control campaign at 30 percent discount after 90 days.

The global average click rate for organisations without prior training is 27 to 34 percent (KnowBe4 2024, Proofpoint State of the Phish 2024). After the first year of a programme — 13 to 18 percent, after the second year 6 to 10 percent, after the third year under 5 percent. In banks, fintech, and technology, mature organisations achieve 2 to 4 percent.

More important than click rate is the Report Rate — the percentage of employees who actively reported the phishing attempt (target: over 70 percent). Spear phishing always produces a higher click rate (60 to 80 percent in untrained populations) — this is not a programme failure but the nature of a specialised attack.

Phishing defence is a multi-layered strategy:

  • Email Authentication: SPF (-all), DKIM 2048-bit, DMARC reject with RUA/RUF, BIMI
  • Secure Email Gateway: Microsoft Defender for Office 365, Proofpoint TAP, Mimecast
  • Endpoint: EDR (CrowdStrike, SentinelOne, Defender), DNS filtering (Umbrella, Cloudflare Gateway)
  • Identity: Phishing-resistant MFA (FIDO2/WebAuthn/passkeys), Conditional Access, legacy auth blocking
  • People: Awareness programme with quarterly campaigns, microlearning, Report Phish button
  • Process: Callback approval for payment data changes, Four Eyes, phishing IR playbook

The full architecture aligns with MITRE D3FEND and NIST CSF 2.0.
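A check for the email-authentication layer above (SPF ending in -all, DMARC p=reject with RUA/RUF), as an added example that is not VIPentest code. It evaluates constructed TXT records for a fictional domain offline, with no DNS queries; the helper names are this example's own.

```python
"""Evaluate SPF and DMARC TXT records against the targets named above.
Added example; constructed records only, no DNS lookups."""

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _spf_term_name(term: str) -> str:
    """'include:spf.example.com' -> 'include', '~all' -> 'all', 'a/24' -> 'a'."""
    name = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name.lower()


def check_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means it meets the target."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    # The final qualifier decides unlisted senders: -all hard fail (target),
    # ~all soft fail (often delivered), ?all / +all effectively no policy.
    if terms[-1].lower() != "-all":
        findings.append(f"SPF ends with '{terms[-1]}', expected '-all'")
    lookups = sum(1 for t in terms[1:] if _spf_term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        # Over the limit receivers return permerror, so SPF gives no protection.
        findings.append(f"{lookups} DNS-lookup terms (RFC 7208 limit is 10)")
    return findings


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' syntax (DMARC and DKIM records) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means it meets the target."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p") != "reject":
        findings.append(f"p={tags.get('p', 'missing')}, expected reject")
    if tags.get("sp", tags.get("p")) != "reject":  # sp defaults to p
        findings.append("subdomain policy (sp) weaker than reject")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} leaves part of the mail stream unenforced")
    for tag in ("rua", "ruf"):  # aggregate and forensic reporting addresses
        if not tags.get(tag, "").startswith("mailto:"):
            findings.append(f"{tag} reporting address missing")
    return findings


# Constructed records for a fictional domain; not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.example.net include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com; fo=1")
```

Run `check_spf` and `check_dmarc` against the records your resolver returns for each sending domain; any non-empty list is a finding to fix before the next campaign.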

A single campaign without a training programme delivers a marginal and short-lived drop in click rate (the “wow” effect fades after 4-6 weeks). Sustained improvement requires a continuous programme — quarterly campaigns with increasing difficulty, microlearning, educational campaigns between tests, and security culture support from leadership.

VIPentest data from 12-month programmes: average click rate reduction of 65-80 percent, report rate growth from 8 percent to 72 percent, time-to-report reduction from 47 minutes to 4 minutes. The highest effectiveness comes from “Just-in-time training” — 3-4 times more effective than a single annual compliance training.

Yes — VIPentest updates its scenario portfolio in line with the current threat landscape. In 2026, the standard scope includes:

  • AI Voice Cloning / Deepfake Vishing — cloning of CEO/CFO voice (T1656)
  • MFA Fatigue / Push Bombing — flooding employee with MFA approval requests (T1621)
  • Adversary-in-the-Middle (AiTM) — Evilginx2, MFA bypass, session cookie theft
  • Quishing — QR codes in offices, car parks, emails
  • Callback Phishing (TOAD) — emails without links forcing a callback
  • Microsoft Teams External phishing — using accounts from another tenant
  • Browser-in-the-Browser (BitB) — fake SSO windows in iframe
  • ClickFix / FileFix — paste-to-run social engineering

Ready to test your team’s resilience?

Get in touch for a free scoping consultation. Our experts will help you design the optimal phishing campaign and security awareness programme scope for your organisation.
