Social Engineering

Challenges in Measuring and Enhancing Human-Centric Security Posture in the Hybrid Work Environment

With the rise in data breaches, ransomware, phishing attacks and security incidents, many companies are requesting more in-depth testing of their organisation’s overall security posture. People are often the first part of the attack chain to be exploited. They are a changeable part of the attack surface whose security status is hard to measure or mitigate with any certainty. With a large portion of the workforce now remote, these problems are compounded by employees in a hybrid work/home mindset that attackers can easily exploit.

Sapphire runs the social engineering equivalent of penetration testing to understand a person’s security status and uncover where human vulnerabilities lie. This allows senior security leaders to build a strategy relevant to the issues their specific organisation faces, whether this is education-focused, requires the deployment of additional technical measures, or both.


Specialist social engineers with an in-depth knowledge of attacker techniques test everything from buildings’ physical security to the awareness of individual employees. Sapphire goes above and beyond to replicate the exact methodologies a real social engineer would adopt, visiting premises, carrying out employee reconnaissance and working in blended teams.


Sapphire strives for tangible business outcomes, identifying targets and running attack scenarios designed to audit and simulate real-world risk


With 25 years of experience in enterprise cybersecurity, securing some of the largest companies and Government organisations in the UK, Sapphire has a wealth of experience.

Frequently Asked Questions

Social engineering is the art of manipulating human psychology for malicious gain.

Social engineering techniques come in various forms. Five common types include:

a) Phishing
Phishing is one of the most popular social engineering attacks. Phishing emails and texts trick people into revealing sensitive information, click links to malicious websites, or open malware-loaded attachments. They are still the most successful point of entry into an environment, even in targeted attacks.

b) SMishing
Similar to a Phising email, SMishing is where an attacker will use a SMS/text message to target an individual. The message would have malicious content.

c) Physical
This type of social engineering comprises of an attacker gaining access to buildings, shoulder surfing and tailgating. Once inside they can attempt to access restricted areas or target employees with further social engineering techniques.

d) Open Source Intelligence (OSINT)
Using information that is readily available on the Internet allows an attacker to develop tailored social engineering attacks focusing on high profile targets.

e) Pretexting
Pretexting is a social engineering attack whereby the attackers create a series of cleverly crafted lies or a fabricated scenario to obtain information. The scam is usually initiated by the attacker pretending to be a person with a level of trust, such as an HR or finance representative, needing sensitive details from a victim to confirm their identity which is then used for follow up attacks.

f) Quid Pro Quo
Quid pro quo is a social engineering attack that exploits the human tendency of reciprocity, to gain access to information. In this case, the social engineers use some reward to entice the victim to exchange their information, for example, giveaways or offers to take part in research studies.

g) Baiting
Baiting is a social engineering attack exploiting human curiosity. Physical media such as USB drives are infected with malware and left in noticeable places. The ‘bait’ will have a familiar look to it designed to tempt victims to pick it up out of curiosity and insert it into their work or home computer.

a) Use multi-factor authentication
Multi-factor authentication adds extra ‘factors’ into the security of the login process, ensuring additional protection in the event of passwords being compromised.

b) Used an advanced anti-phishing solution
Ideally, you should apply additional controls to email with progressive features such as contextual awareness and which allow for protection against Account Takeover and other phishing attacks levelled at senior team members.

c) Encourage security awareness
Security awareness training, which aims to improve levels of awareness amongst your entire staff to social engineering attacks, has proven to be very effective.