Social Engineering Tests – Social Engineering Attacks, Manipulation Techniques – Virtline

A social engineering test is a key component of any company’s security strategy, focusing on the most unpredictable element – the human factor. Conducting social engineering tests helps assess an organization’s resilience to manipulation techniques, including phishing and attempts to extract personal data through deceit. Each test scenario aims to identify gaps in security protocols and raise employee awareness.

Social engineering tests — controlled verification of the human layer’s resilience

According to the FBI Internet Crime Report 2024, more than 84% of attacks start with a person, not a technical vulnerability. Phishing, vishing, smishing, pretexting and physical attempts to enter a building — these are the vectors responsible today for the majority of data breaches across organisations in every sector. Awareness training builds theory. Social engineering tests verify how that theory holds up in practice.

Virtline conducts controlled, legally compliant social engineering attack simulations — from phishing campaigns through vishing and smishing, to physical pretexting and USB-drop. You measure real indicators: click-rate, submission rate and time-to-report. Instead of assumptions you get evidence: which departments and roles are most vulnerable, where investment in training will deliver the greatest return. The test result is documentary evidence for NIS2, ISO 27001 and DORA auditors.


What do social engineering tests cover?

We tailor scenarios to the organisation’s specifics, risk profile and sector-specific threats. The scope includes:

 Email phishing campaigns — spear phishing, whaling, BEC (Business Email Compromise), supplier simulations.

 Vishing — phone impersonation of helpdesk, suppliers, regulatory bodies and management.

 Smishing — SMS phishing with links to fake sites or requests to submit authentication credentials.

 Pretexting — in-person interactions with employees using a prepared cover story (external auditor, technician, supplier).

 USB-drop and bait items — storage media left in the building to verify whether employees plug them in.

 OSINT (open-source intelligence) — mapping publicly available information about the organisation and its employees before the simulation; the same reconnaissance a real attacker performs, and the source of the target list and pretexts used in the campaign.


Benefits of social engineering tests

 Real vulnerability metrics — click-rate, submission rate, credential harvesting — numbers, not opinions.

 Identification of high-risk roles — pinpointing specific departments and positions requiring priority training.

 Audit evidence — report ready to present to NIS2, ISO 27001 and DORA auditors.

 Controlled environment — the simulation carries no real risk of data loss or consequences for employees.

 Building a security culture — post-test debrief reinforces awareness far more effectively than e-learning alone.

 Measuring SAT programme ROI — comparison of test results before and after Security Awareness Training implementation.

 Sector benchmarking — your organisation’s score against industry peers based on Verizon DBIR and ENISA Threat Landscape data.


Methodology — how does a test work?

Every engagement begins with a kick-off with the client and ends with a report containing specific recommendations. A typical cycle runs 4–6 weeks.

1. Recon + OSINT (1–2 weeks) — we map the attack surface: domains, subdomains, data leaks, employee social media profiles and publicly available organisational information. The output is a target list and an initial vulnerability assessment.

2. Scenario design (1 week) — we create personalised scenarios tailored to the industry, roles and current threats (threat intelligence). Management approves the scope and scenarios before the campaign launches.

3. Campaign execution (1–2 weeks) — launching phishing waves, vishing, smishing and optionally physical pretexting. Everything is blind — employees do not know a test is in progress.

4. Analysis and report (1 week) — KPIs per department and role: click-rate, submission rate, report rate, time-to-report, repeated-clicker rate. Evidence of actions, vulnerability map, recommendations prioritised by risk.

5. Debrief + training (optional) — management session reviewing results. For identified risk groups — dedicated workshops or e-learning (KnowBe4, Webroot, Misja Cyber).


KPI metrics — what do you measure?

The post-test report provides specific numbers, not opinions. We measure:

  • Click-rate — the percentage of employees who clicked on a malicious link. Industry median: 8–12% (Verizon DBIR 2024).
  • Submission rate — the percentage of employees who entered credentials on a fake site.
  • Report rate — the percentage of employees who reported a suspicious email or phone call to IT/SOC.
  • Time-to-report (TTR) — time from receiving the phish to reporting it. The earlier the first report arrives, the sooner the SOC can pull the remaining copies and block the sender; this is also the metric that feeds the NIS2 incident-notification timelines (Art. 23).
  • Repeated-clicker rate — employees who clicked across multiple campaign waves — a priority group for training.
  • Department-level segmentation — results breakdown per department: finance, HR, management, IT, operations.
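The metrics above can be computed directly from the per-recipient event export that a phishing platform produces. The script below is an added example written for this page, not Virtline's tooling and not part of the original text; the event vocabulary (sent/clicked/submitted/reported), the recipients, departments and timestamps are constructed for illustration. Rates use deliveries (wave × recipient) as the denominator, so a person who clicks in two waves counts twice in click-rate but once as a repeated clicker, and time-to-report is measured from the send time of that delivery to the first report.

```python
"""Compute social engineering campaign KPIs from a per-recipient event log.

Added example, not Virtline's tooling. The event vocabulary
(sent/clicked/submitted/reported), the recipients, departments and
timestamps below are all constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export: (wave, recipient, department, event, ISO timestamp).
# Two phishing waves a week apart; "anna" clicks in both (repeated clicker),
# "bob" reports in wave 1 but ignores wave 2, "it" reports everything.
EVENTS = [
    (1, "anna",  "finance", "sent",      "2025-03-03T09:00:00"),
    (1, "anna",  "finance", "clicked",   "2025-03-03T09:02:10"),
    (1, "anna",  "finance", "submitted", "2025-03-03T09:03:00"),
    (1, "bob",   "finance", "sent",      "2025-03-03T09:00:00"),
    (1, "bob",   "finance", "reported",  "2025-03-03T09:15:00"),
    (1, "carol", "hr",      "sent",      "2025-03-03T09:00:00"),
    (1, "carol", "hr",      "clicked",   "2025-03-03T10:30:00"),
    (1, "dave",  "hr",      "sent",      "2025-03-03T09:00:00"),
    (1, "erin",  "it",      "sent",      "2025-03-03T09:00:00"),
    (1, "erin",  "it",      "reported",  "2025-03-03T09:04:00"),
    (2, "anna",  "finance", "sent",      "2025-03-10T09:00:00"),
    (2, "anna",  "finance", "clicked",   "2025-03-10T09:05:00"),
    (2, "anna",  "finance", "clicked",   "2025-03-10T09:06:00"),  # second click, counted once
    (2, "bob",   "finance", "sent",      "2025-03-10T09:00:00"),
    (2, "carol", "hr",      "sent",      "2025-03-10T09:00:00"),
    (2, "carol", "hr",      "reported",  "2025-03-10T11:00:00"),
    (2, "dave",  "hr",      "sent",      "2025-03-10T09:00:00"),
    (2, "dave",  "hr",      "clicked",   "2025-03-10T09:40:00"),
    (2, "erin",  "it",      "sent",      "2025-03-10T09:00:00"),
    (2, "erin",  "it",      "reported",  "2025-03-10T09:01:30"),
]


def _group_deliveries(events):
    """One delivery per (wave, recipient); keep the earliest time of each event type."""
    deliveries = defaultdict(dict)
    dept_of = {}
    for wave, rcpt, dept, event, ts in events:
        key = (wave, rcpt)
        dept_of[key] = dept
        t = datetime.fromisoformat(ts)
        if event not in deliveries[key] or t < deliveries[key][event]:
            deliveries[key][event] = t
    return deliveries, dept_of


def _rates(deliveries):
    """KPIs for a list of delivery dicts; the denominator is emails actually sent."""
    sent = [d for d in deliveries if "sent" in d]
    n = len(sent)

    def share(event):
        return sum(event in d for d in sent) / n if n else 0.0

    # Time-to-report in minutes, only for deliveries that were reported.
    ttr = [(d["reported"] - d["sent"]).total_seconds() / 60
           for d in sent if "reported" in d]
    return {
        "recipients": n,
        "click_rate": share("clicked"),
        "submission_rate": share("submitted"),
        "report_rate": share("reported"),
        "median_ttr_min": median(ttr) if ttr else None,  # None: nobody reported
    }


def compute_kpis(events):
    """Per-department KPIs plus an 'all' row across every delivery."""
    deliveries, dept_of = _group_deliveries(events)
    per_dept = defaultdict(list)
    for key, d in deliveries.items():
        per_dept[dept_of[key]].append(d)
    kpis = {dept: _rates(ds) for dept, ds in per_dept.items()}
    kpis["all"] = _rates(list(deliveries.values()))
    return kpis


def repeated_clickers(events, min_waves=2):
    """Recipients who clicked in at least min_waves distinct waves: the priority training group."""
    waves_clicked = defaultdict(set)
    for wave, rcpt, _dept, event, _ts in events:
        if event == "clicked":
            waves_clicked[rcpt].add(wave)
    return sorted(r for r, w in waves_clicked.items() if len(w) >= min_waves)


def priority_departments(kpis):
    """Training priority: highest submission rate, then click rate, then lowest report rate."""
    depts = [d for d in kpis if d != "all"]
    return sorted(depts, key=lambda d: (-kpis[d]["submission_rate"],
                                        -kpis[d]["click_rate"],
                                        kpis[d]["report_rate"]))


if __name__ == "__main__":
    kpis = compute_kpis(EVENTS)
    for dept in priority_departments(kpis) + ["all"]:
        k = kpis[dept]
        ttr = "n/a" if k["median_ttr_min"] is None else f"{k['median_ttr_min']:.1f} min"
        print(f"{dept:8} n={k['recipients']:<3} click={k['click_rate']:.0%} "
              f"submit={k['submission_rate']:.0%} report={k['report_rate']:.0%} ttr={ttr}")
    print("repeated clickers:", repeated_clickers(EVENTS))
```

Two practical notes. The "submitted" event should be emitted by the landing page when a form is posted, without storing what was typed: the KPI needs only the fact that credentials were entered, and recording the password itself would turn a test into a credential leak and conflict with the zero-retention commitment further down this page. Vishing and smishing results fit the same shape once a channel field is added per event, which lets the report compare the same department across email, phone and SMS.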

Social engineering tests and NIS2, ISO 27001, DORA

A growing number of regulations explicitly require testing employee awareness — not just training. A completed social engineering test with a report provides concrete evidence of meeting these requirements:

  • NIS2 Art. 21(2)(g) — basic cyber hygiene practices and cybersecurity training; Art. 21(2)(i) — human resources security policies. Art. 21(2)(f) additionally requires policies and procedures to assess the effectiveness of the risk-management measures, which is precisely what a blind simulation does for the training measure.
  • ISO/IEC 27001:2022 (PN-EN ISO/IEC 27001:2023-08) A.6.3 — Information security awareness, education and training for all personnel.
  • ISO/IEC 27001:2022 A.5.4, A.6.8 — Management responsibilities; information security event reporting (report rate and time-to-report are direct measurements of this control).
  • DORA Art. 13(6) — ICT security awareness programmes and digital operational resilience training as compulsory modules of staff training, applicable to senior management as well.
  • DORA Art. 24–25 — digital operational resilience testing programme, whose listed test types include scenario-based tests and physical security reviews.
  • ENISA Threat Landscape 2024 — social engineering among the top threats against essential and important entities.
  • Verizon DBIR 2023 — 74% of breaches involve the human element, including phishing and pretexting.

Who needs social engineering tests?

Tests make sense wherever employees have access to sensitive data or critical systems. We most commonly work with organisations from the following sectors:

  • Finance and banking — BEC and whaling attacks primarily target finance departments.
  • Healthcare — patient data and systems as ransomware and phishing targets.
  • Manufacturing and industry — attacks on IT/OT boundaries, supplier impersonation.
  • Energy sector — NIS2-essential entities with employee awareness testing obligations.
  • Public administration — government agencies and local authorities subject to NIS2.
  • E-commerce and retail — payment card processing, PCI DSS requirements.
  • Law and advisory firms — corporate client data as an espionage target.
  • Logistics and supply chain — fake invoices and B2B partner impersonation.
  • Higher education — open networks, large student personal data databases.
  • Telecommunications — NIS2-essential entities with regulatory obligations.

Frequently asked questions about social engineering tests

Are social engineering tests legal?

Yes, provided certain requirements are met. A written contract with the client and explicit management approval to conduct the test are essential. All data collected (e.g. email addresses, login credentials) is deleted after the project in accordance with GDPR. Tests are conducted in accordance with the PTES (Penetration Testing Execution Standard) methodology and ethical security testing principles.

Do employees know about the tests?

As a rule, no — we conduct blind tests, which produces reliable results reflecting actual behaviour. Optionally, employees can be informed collectively after the campaign ends (without identifying specific individuals), which itself reinforces awareness. Only management and a designated contact person on the client side are aware of the tests in progress.

How much do social engineering tests cost?

Pricing depends on the number of employees covered by the campaign, the number of scenarios and the scope (email phishing only vs. phishing + vishing + physical pretexting). A typical scope for an organisation of 100–500 employees is EUR 2,000–6,000 net for a full cycle with report. For smaller organisations (up to 100 employees) the offer starts with a phishing campaign with report. We prepare a quote free of charge after a brief conversation.

How long does a full test cycle take?

From kick-off to delivery of the final report — 4–6 weeks. OSINT and recon take 1–2 weeks, scenario design 1 week, campaign 1–2 weeks, analysis and report 1 week. For a simple phishing campaign without physical pretexting, the cycle can close in 3 weeks.

Are management and senior executives included in the tests?

Yes, if management gives consent — and we recommend it. Management is a priority target in whaling attacks (BEC fraud). Results for senior executives are treated with full discretion — the executive report does not name individuals, only roles and departments.

What happens after the test?

We deliver two reports: an executive summary (for management — results and strategic recommendations, no technical detail) and a technical report (for the IT department and CISO — full data per scenario, per department, per role). Optionally we organise a debrief session with management and plan training for identified risk groups — which we can deliver independently or integrate with your existing SAT programme (KnowBe4, Webroot, Misja Cyber).


Why choose Virtline for social engineering tests

Virtline combines penetration testing experience with regulatory compliance expertise. Our social engineering tests are designed so that results reach not only the IT department, but give management the arguments needed to decide on training budgets and security culture investments.

What you get with Virtline:

 Auditors with CEH, OSCP and CISA certifications — not subcontractors.

 Strict GDPR compliance — zero retention of employee data after the test.

 Custom scenarios written for your organisation — not copy-paste templates.

 Multilingual phishing scenarios — native language and cultural context for your team’s location.

 Integration with existing SAT — KnowBe4, Webroot, Misja Cyber.

 ISO/IEC 27001:2023 certificate TÜV NORD — no. AC090 121/2469/6137/2026.

 Post-test support — training, policy updates, follow-up test planning.

 130+ clients from the financial and regulated sector in Poland.


Contact us to discuss the scope of tests tailored to your organisation, estimate the cost and plan the kick-off.

Order social engineering tests — find out which link is weakest before an attacker does.


 ISO/IEC 27001:2023 Certification

Virtline certified by TÜV NORD

Virtline holds the PN-EN ISO/IEC 27001:2023-08 certificate issued by TÜV NORD. Certificate number: AC090 121/2469/6137/2026, valid until 02.2029.

Talk to a Virtline expert

We will scope your project, propose an architecture and prepare a fixed quote within 5 working days. No obligations, no junior reps — you talk to engineers from day one.