What's tested
- Phishing email blast — targeted, themed (we research your business), but never sent to anyone outside your authorized employee list. Three rounds: low-effort generic, medium-effort department-targeted, high-effort impersonation of a real vendor.
- Vishing (voice phishing) — phone call from "IT support" to authorized targets only. Tests whether staff give credentials over the phone.
- Smishing — SMS phishing to authorized work numbers only. "Click here to verify your password."
- Physical tailgating attempt — one attempt to walk in behind an employee at a single entry point, holding a box / coffee tray. Testing whether staff hold the door for a stranger.
- USB drop (optional) — deliberately dropped USB sticks in your parking lot. Tests whether anyone plugs them into a work device. The stick fires a benign HTTPS callback only (no payload).
The hard ethical guardrails
Critical: we never capture an actual credential. The phishing landing page records only "credential submitted: yes/no" and the username (so you can target retraining), NEVER the password. What hits our log is the username plus a non-credential token. The password the user typed is discarded client-side, in the browser, before anything is sent to our server.
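The guardrail above is easy to state and easy to get wrong, so here is what it looks like in code. This is an added illustration, not the vendor's landing page: the form id `login`, the endpoint `/simulation/event`, the retraining URL and the campaign token are assumed names. The point is that the submit handler turns the raw form into a reduced event (username, yes/no flag, token) and refuses to send anything that still carries the typed secret.

```javascript
// Added example of a simulated-phishing landing page's client-side handler.
// Hypothetical names: form id "login", endpoint "/simulation/event",
// retraining page "/training/60-seconds", window.CAMPAIGN_TOKEN.

// Build the only event the simulation server is allowed to see.
// The password field is inspected for length alone and is never copied.
function buildSubmissionEvent(fields, campaignToken) {
  const typedSomething =
    typeof fields.password === "string" && fields.password.length > 0;
  return {
    username: String(fields.username || "").trim().toLowerCase(),
    credentialSubmitted: typedSomething, // yes/no, never the value itself
    campaignToken,                       // hypothetical per-campaign token
    submittedAt: new Date().toISOString(),
  };
}

// Serialize for transport and check, by construction, that the typed
// password does not appear as any value in the bytes leaving the browser.
function serializeEvent(event, fields) {
  if (fields.password && Object.values(event).includes(fields.password)) {
    throw new Error("refusing to send: payload would carry the password");
  }
  return JSON.stringify(event);
}

// Browser wiring: intercept the submit so the raw form is never posted,
// send the reduced event, then hand the user to the retraining page.
// Guarded so the same file also loads under Node for testing.
if (typeof document !== "undefined") {
  document.getElementById("login").addEventListener("submit", (ev) => {
    ev.preventDefault();
    const form = ev.target;
    const fields = {
      username: form.username.value,
      password: form.password.value,
    };
    form.password.value = ""; // clear the field before anything else runs
    const event = buildSubmissionEvent(fields, window.CAMPAIGN_TOKEN);
    const body = serializeEvent(event, fields);
    fields.password = ""; // drop our own copy as soon as the check is done
    fetch("/simulation/event", {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body,
      keepalive: true,
    }).finally(() => {
      window.location.href = "/training/60-seconds";
    });
  });
}
```

Note that `preventDefault()` is what prevents the browser's default form POST; without it the password would travel to whatever `action` the form names, regardless of what the event object contains. The `serializeEvent` check is a belt-and-braces guard that fails closed if someone later adds a field carrying the secret.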
- Written authorization required — ROE document signed by the business owner / corporate officer. Phishing is not a "fast-track" engagement.
- HR notified — the engagement is disclosed to HR before launch. Click-through stats are aggregate; individual employees are NOT named in the report (you can opt-in to per-employee tracking if HR + legal say it's OK).
- Day-of pre-brief — we tell you the day the test runs, the templates we'll use, and the time window. No surprise tests of your stress-tolerance.
- Immediate retraining offered — on click, the user is redirected to a 60-second training page (not a "GOTCHA" page). Builds the security culture instead of damaging morale.
What you get
- Click-through rate per phishing template (anonymous aggregate by default).
- Credential-submission rate — how many continued past the initial click and "submitted" to the (fake) login page.
- Department breakdown — helps target retraining where it matters.
- Comparison to industry baseline — small-business phishing click-through averages 25-35%; we report yours against that.
- Retraining playbook — one-page doc you can use for next year's annual security-awareness session.
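To make the reporting guarantees concrete (aggregate by default, per-employee only on opt-in, department breakdown, baseline comparison), here is an added aggregator. It is not the vendor's report generator; the event fields, the sample records and the employee ids are constructed for this illustration, and the 25-35% band is the figure quoted above.

```javascript
// Added example: aggregate simulated-phishing events into the anonymous-by-
// default figures described above. Field names and sample data are constructed.

// One record per delivered email. "employee" is an opaque id that the
// aggregator drops unless per-employee tracking has been explicitly enabled.
const SAMPLE_EVENTS = [
  { template: "generic", dept: "sales",   employee: "emp-1", clicked: true,  submitted: true  },
  { template: "generic", dept: "sales",   employee: "emp-2", clicked: true,  submitted: false },
  { template: "generic", dept: "finance", employee: "emp-3", clicked: false, submitted: false },
  { template: "generic", dept: "finance", employee: "emp-4", clicked: false, submitted: false },
  { template: "vendor",  dept: "sales",   employee: "emp-1", clicked: true,  submitted: true  },
  { template: "vendor",  dept: "sales",   employee: "emp-2", clicked: true,  submitted: true  },
  { template: "vendor",  dept: "finance", employee: "emp-3", clicked: true,  submitted: false },
  { template: "vendor",  dept: "finance", employee: "emp-4", clicked: false, submitted: false },
];

// Small-business click-through band quoted on the page (25-35%).
const INDUSTRY_CLICK_RANGE = [0.25, 0.35];

// Fraction of events where the boolean field `key` is true.
function rate(events, key) {
  return events.length ? events.filter((e) => e[key]).length / events.length : 0;
}

function groupBy(events, key) {
  const out = {};
  for (const e of events) {
    if (!out[e[key]]) out[e[key]] = [];
    out[e[key]].push(e);
  }
  return out;
}

function groupRates(events, key) {
  const out = {};
  for (const [name, evs] of Object.entries(groupBy(events, key))) {
    out[name] = {
      sent: evs.length,
      clickRate: rate(evs, "clicked"),
      submissionRate: rate(evs, "submitted"),
    };
  }
  return out;
}

function compareToBaseline(clickRate) {
  const [lo, hi] = INDUSTRY_CLICK_RANGE;
  if (clickRate < lo) return "below";
  if (clickRate > hi) return "above";
  return "within";
}

// opts.perEmployee defaults to false: employee ids never reach the report
// unless HR and legal have signed off and the caller passes true.
function summarize(events, opts = {}) {
  const overallClick = rate(events, "clicked");
  const report = {
    byTemplate: groupRates(events, "template"),
    byDept: groupRates(events, "dept"),
    overall: {
      sent: events.length,
      clickRate: overallClick,
      submissionRate: rate(events, "submitted"),
      versusBaseline: compareToBaseline(overallClick),
    },
  };
  if (opts.perEmployee === true) {
    report.byEmployee = {};
    for (const [id, evs] of Object.entries(groupBy(events, "employee"))) {
      report.byEmployee[id] = {
        clicks: evs.filter((e) => e.clicked).length,
        submissions: evs.filter((e) => e.submitted).length,
      };
    }
  }
  return report;
}
```

The design choice worth copying is that per-employee detail is an explicit opt-in flag on the aggregator rather than a column the report writer is expected to remove; the default output contains no identifier at all, which is what the HR disclosure above promises.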
Pricing
Phishing-only: from $1,200. Email + landing page, up to 50 employees, 3 templates. 2 weeks elapsed.
Phishing + vishing combo: from $1,800. Adds 5-10 vishing calls during the engagement window.
Full social-eng package: from $2,500. Phishing + vishing + smishing + 1 tailgating attempt + USB drop.