Social Engineering

Challenges in Measuring and Enhancing Human-Centric Security Posture in the Hybrid Work Environment

With the rise in data breaches, ransomware, phishing attacks and security incidents, many companies are requesting more in-depth testing of their organisation’s overall security posture. People are often the first part of the attack chain to be exploited. They are a changeable part of the attack surface whose security status is hard to measure or mitigate with any certainty. With a large portion of the workforce now remote, these problems are compounded by employees in a hybrid work/home mindset that attackers can easily exploit.

Sapphire runs the social engineering equivalent of penetration testing to understand a person’s security status and uncover where human vulnerabilities lie. This allows senior security leaders to build a strategy relevant to the issues their specific organisation faces, whether this is education-focused, requires the deployment of additional technical measures, or both.

comprehensive

Social engineering specialists with in-depth knowledge of attacker techniques test everything from the physical security of buildings to the awareness of individual employees. Sapphire goes above and beyond to replicate the exact methodologies a real social engineer would adopt: visiting premises, carrying out reconnaissance on employees, and working in blended teams.

relevant

Sapphire strives for tangible business outcomes, identifying targets and running attack scenarios designed to audit and simulate real-world risk.

specialist

Sapphire has over 25 years of experience in enterprise cyber security, having secured some of the largest companies and Government organisations in the UK.

Frequently Asked Questions

What is social engineering?

Social engineering is the art of manipulating human psychology for malicious gain: persuading people, rather than breaking systems, to disclose information or perform actions that benefit the attacker.

What are the common types of social engineering?

Social engineering techniques come in various forms. Seven common types include:

a) Phishing
Phishing is one of the most popular social engineering attacks. Phishing emails and texts trick people into revealing sensitive information, clicking links to malicious websites, or opening malware-loaded attachments. They are still the most successful entry point into an environment, even in targeted attacks.

b) Smishing
Similar to a phishing email, smishing is where an attacker uses an SMS/text message to target an individual. The message carries malicious content, typically a link to a credential-harvesting site or a request to call back or reply with sensitive details, and the short format and easily spoofed sender ID make it hard for the recipient to judge.

c) Physical
This type of social engineering involves an attacker gaining access to buildings, for example by tailgating an employee through a controlled door, and shoulder surfing once inside. Having gained entry, they can attempt to access restricted areas or target employees with further social engineering techniques.

d) Open Source Intelligence (OSINT)
OSINT is less a stand-alone attack than the reconnaissance phase that feeds the others: readily available information on the Internet (company websites, social media profiles, published documents) allows an attacker to develop tailored social engineering attacks focusing on high-profile targets.

e) Pretexting
Pretexting is a social engineering attack in which attackers create a series of cleverly crafted lies or a fabricated scenario to obtain information. The scam is usually initiated by the attacker posing as someone the victim would trust, such as an HR or finance representative, who needs sensitive details from the victim to "confirm their identity". The details are then used for follow-up attacks.

f) Quid Pro Quo
Quid pro quo is a social engineering attack that exploits the human tendency of reciprocity to gain access to information. In this case, the social engineers use some reward to entice the victim to exchange their information, such as giveaways or offers to take part in research studies.

g) Baiting
Baiting is a social engineering attack that exploits human curiosity. Physical media, such as USB drives, are infected with malware and left in noticeable places. The ‘bait’ will have a familiar look, designed to tempt victims to pick it up out of curiosity and insert it into their work or home computer.

How can an organisation protect itself against social engineering?

a) Use multi-factor authentication
Multi-factor authentication adds an extra check to the login process, so a password captured by phishing is not on its own enough to access the account. Where possible, prefer phishing-resistant methods, since one-time codes can themselves be phished by an attacker relaying the login in real time.

b) Use an advanced anti-phishing solution
Ideally, you should apply additional controls to email with contextual checks that look beyond the individual message: flagging senders whose display name matches a senior team member but whose address does not, lookalike domains, and other signs of the account takeover and impersonation attacks levelled at senior staff.

c) Encourage security awareness
Regular security awareness training, which aims to improve the awareness of your entire staff about social engineering attacks, is most effective when reinforced with simulated phishing and social engineering exercises and measured over time rather than delivered once.
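To make the "contextual awareness" control concrete, the following added example (not Sapphire's product or code, and not part of the original page) runs three header-level checks over constructed sample emails: a display name that matches a known executive but arrives from a different address, a sender domain that imitates the organisation's own domain, and a Reply-To that silently redirects answers elsewhere. The organisation domain, the executive list and the sample messages are assumptions made up for the illustration.

```python
"""Contextual anti-phishing checks over raw email headers.

Added example, not Sapphire's product or code. ORG_DOMAIN, EXECUTIVES and
the sample messages below are constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr
import unicodedata

ORG_DOMAIN = "example.com"            # assumed: the protected organisation
EXECUTIVES = {                        # assumed: senior staff attackers impersonate
    "jane doe": "jane.doe@example.com",
    "sam patel": "sam.patel@example.com",
}
# Character substitutions commonly used to build lookalike domains
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalise(text: str) -> str:
    """Fold Unicode and case so 'Jane  DOE' and 'jane doe' compare equal."""
    text = unicodedata.normalize("NFKC", text).lower()
    return " ".join(text.split())


def unconfuse(domain: str) -> str:
    """Undo the substitutions a squatter would make (examp1e -> example)."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; domain names are short enough for O(n*m)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_lookalike(domain: str, legit: str = ORG_DOMAIN) -> bool:
    """True for a domain that is close to, but is not, the legitimate one."""
    if not domain or domain == legit:
        return False
    return unconfuse(domain) == legit or edit_distance(domain, legit) <= 2


def analyse(raw_message: str) -> list:
    """Return the contextual findings for one RFC 5322 message (headers only)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    findings = []

    # 1. Display name of a known executive, but not that executive's address.
    expected = EXECUTIVES.get(normalise(name))
    if expected and addr.lower() != expected:
        findings.append("display-name-impersonation")

    # 2. Sender domain that imitates the organisation's own domain.
    if is_lookalike(sender_domain):
        findings.append("lookalike-domain")

    # 3. Replies quietly redirected to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append("reply-to-mismatch")

    return findings


# Constructed sample messages (headers only), not captured traffic.
CEO_FROM_WEBMAIL = "From: Jane Doe <jane.doe@gmail.com>\nSubject: Urgent payment\n\nbody"
HELPDESK_SQUAT = "From: IT Helpdesk <helpdesk@examp1e.com>\nSubject: Password expiry\n\nbody"
GENUINE_CEO = "From: Jane Doe <jane.doe@example.com>\nSubject: Board pack\n\nbody"
REDIRECTED_REPLY = ("From: Finance <finance@example.com>\n"
                    "Reply-To: finance@example-invoices.net\nSubject: Invoice\n\nbody")

if __name__ == "__main__":
    for sample in (CEO_FROM_WEBMAIL, HELPDESK_SQUAT, GENUINE_CEO, REDIRECTED_REPLY):
        print(sample.splitlines()[0], "->", analyse(sample) or "clean")
```

The checks deliberately use only the From and Reply-To headers, which the recipient also sees, so a finding can be turned directly into a banner or a training prompt for the user; a production control would add SPF/DKIM/DMARC results and the sender's history for the mailbox alongside these.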