Social Engineering

Why focus on the human factor?

Increasing requirements for cyber resilience (driven by regulations such as DORA and NIS2) and the growing number of attacks targeting employees clearly show that technical security alone is no longer sufficient. Today, attackers often target people rather than systems — using manipulation, credible communication, or persuasive behavior. A single inattentive click, rushed response, or trusting phone call can give an attacker access that would be difficult to obtain through purely technical means.

This is why it is essential to test employee resilience to such techniques. Simulated social engineering attacks reveal real weaknesses in the human factor, increase organizational preparedness against manipulation, and contribute to strengthening overall security resilience across the organization.


What is social engineering?

Unlike purely technical attacks, social engineering focuses on exploiting the human factor.

  • It targets employees and users rather than technologies or systems.

  • It uses psychological techniques such as manipulation, authority, time pressure, or trust building.

  • It takes place through interactions such as emails, phone calls, SMS messages, or even physical contact attempts.

  • As a test, it evaluates how employees respond to fraudulent communication, unauthorized requests, or unexpected situations.

From a cybersecurity perspective, social engineering represents one of the most effective — and often hardest to detect — attack methods, because the attacker does not exploit vulnerabilities in code, but in human behavior.



Types of simulated social engineering attacks

Phishing campaigns
  Description: Simulated mass emails that imitate common corporate or commercial communication and attempt to persuade recipients to click a link, enter credentials, or download an attachment.
  Objective: To verify overall employee resilience to fraudulent emails and their ability to recognize a spoofed message.

Vishing
  Description: Simulated phone calls in which the attacker impersonates a colleague, supplier, or technician to obtain credentials or confidential information.
  Objective: To test employee reactions to unexpected phone contact and verify compliance with communication and verification procedures.

Smishing
  Description: Simulated fraudulent SMS messages containing links to fake login pages or requests to enter sensitive information.
  Objective: To assess how employees react to fraudulent messages on mobile devices and whether they recognize manipulation attempts.

Physical testing
  Description: Simulated unauthorized attempts to enter a building, to evaluate how well physical access control mechanisms work.
  Objective: To verify the level of physical security, staff awareness, and preparedness against manipulation techniques in real-world situations.

Baiting
  Description: Placement of physical bait such as USB drives, rogue devices, or QR codes designed to trigger curiosity or trust.
  Objective: To test employee curiosity and habits, as well as the effectiveness of internal policies regarding external devices.

How does testing work in practice?

Phase 01: Planning and scope (selection of methods and target groups)
  • Types of attacks (phishing, vishing, physical attempts) and the simulation scope are defined.
  • Rules of engagement are established, including which internal teams are informed of the test in advance.

Phase 02: Scenario preparation (creation of realistic materials)
  • Customized email templates, SMS messages, and call scripts are prepared.
  • Scenarios reflect the organization's specific environment and its high-risk roles.

Phase 03: Test execution (launch of simulated attacks)
  • Phishing emails are sent, vishing calls made, USB bait placed, or physical access attempted.

Phase 04: Evaluation and analysis (measurement and reporting of results)
  • Interaction statistics (opens, clicks, submitted credentials, reports to the security team), success rate, whether and how quickly the security team detected the campaign, and feedback on internal processes.

Phase 05: Follow-up employee training (increasing awareness and prevention)
  • Practical demonstrations of attacks, education on warning signs, recommended procedures, and a Q&A session for employees.
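One way to turn the raw interaction log from the execution phase into the evaluation-phase metrics, as an added example (this is not BDO's tooling, and the event log below is constructed for illustration): each recipient is collapsed to the earliest time of each action, so duplicate clicks do not inflate the numbers, and alongside the click and credential-submission rates the script reports how many people reported the mail before interacting with it, who reported it only after already submitting credentials, and how long the first report took, which is what tells the security team how much warning it would have had in a real campaign.

```python
"""Score a simulated phishing campaign from an event log (added example, not BDO's code)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

ACTIONS = ("sent", "opened", "clicked", "submitted", "reported")

# Constructed sample log, not real campaign data: one simulated mailing to five staff.
# Tuple layout: (ISO timestamp, user, department, action).
EVENTS = [
    ("2024-03-04T09:00:00", "alice", "finance", "sent"),
    ("2024-03-04T09:00:00", "bob",   "finance", "sent"),
    ("2024-03-04T09:00:00", "carol", "it",      "sent"),
    ("2024-03-04T09:00:00", "dave",  "hr",      "sent"),
    ("2024-03-04T09:00:00", "erin",  "hr",      "sent"),
    ("2024-03-04T09:03:00", "carol", "it",      "opened"),
    ("2024-03-04T09:04:00", "carol", "it",      "reported"),   # reported without clicking
    ("2024-03-04T09:05:00", "alice", "finance", "opened"),
    ("2024-03-04T09:06:00", "alice", "finance", "clicked"),
    ("2024-03-04T09:07:00", "alice", "finance", "submitted"),  # entered credentials
    ("2024-03-04T09:10:00", "bob",   "finance", "opened"),
    ("2024-03-04T09:12:00", "bob",   "finance", "reported"),
    ("2024-03-04T09:20:00", "dave",  "hr",      "opened"),
    ("2024-03-04T09:21:00", "dave",  "hr",      "clicked"),
    ("2024-03-04T09:21:30", "dave",  "hr",      "clicked"),    # duplicate click, must not double count
    ("2024-03-04T09:30:00", "alice", "finance", "reported"),   # late report, after submitting
]


def per_user(events):
    """Collapse raw events to the earliest timestamp of each action per recipient."""
    users = {}
    for ts, user, dept, action in events:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        t = datetime.fromisoformat(ts)
        rec = users.setdefault(user, {"dept": dept, "first": {}})
        if action not in rec["first"] or t < rec["first"][action]:
            rec["first"][action] = t
    return users


def campaign_metrics(events):
    """Return campaign-level and per-department rates plus reporting timeliness."""
    users = per_user(events)
    n = len(users)
    counts = {a: sum(1 for u in users.values() if a in u["first"]) for a in ACTIONS}

    minutes_to_report = []
    early_reports = 0                 # reported before clicking anything: the desired behaviour
    compromised_then_reported = []    # clicked/submitted first, reported later: still valuable
    for name, u in users.items():
        f = u["first"]
        if "reported" in f and "sent" in f:
            minutes_to_report.append((f["reported"] - f["sent"]).total_seconds() / 60)
            if "clicked" not in f or f["reported"] < f["clicked"]:
                early_reports += 1
            else:
                compromised_then_reported.append(name)

    by_dept = defaultdict(lambda: {"recipients": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for u in users.values():
        d = by_dept[u["dept"]]
        d["recipients"] += 1
        for a in ("clicked", "submitted", "reported"):
            d[a] += int(a in u["first"])

    return {
        "recipients": n,
        "click_rate": counts["clicked"] / n,
        "submission_rate": counts["submitted"] / n,
        "report_rate": counts["reported"] / n,
        "early_report_rate": early_reports / n,
        "compromised_then_reported": sorted(compromised_then_reported),
        "minutes_to_first_report": min(minutes_to_report) if minutes_to_report else None,
        "median_minutes_to_report": median(minutes_to_report) if minutes_to_report else None,
        "by_dept": dict(by_dept),
    }


if __name__ == "__main__":
    for key, value in campaign_metrics(EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed log this yields a 40% click rate, a 20% credential-submission rate and a 60% report rate, with the first report four minutes after sending; the report rate and time-to-first-report are usually the more actionable figures for the follow-up training than the click rate alone.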

Why work with BDO?

BDO provides social engineering services aligned with the specific requirements of European regulators (e.g. ECB, EBA, ESMA) and frameworks such as NIS2 and DORA, which focus on the security of people, processes, and technologies. Our methodology combines social engineering techniques, regulatory expertise, and deep technical know-how — including scenarios that reflect sector-specific threats and digital attack patterns in the European financial environment.

  • Independence and credibility
    As an independent consulting firm, we do not provide proprietary technologies and therefore deliver truly objective assessments. Cooperation with BDO represents a clear signal of quality and credibility for regulators and clients.
  • Certified team with expert experience
    Our specialists hold certifications such as OSCP, CRTP, eCPPT, BSCP, CEH, CRT, CPSA, CISSP, CCISO and others. They have experience testing large banks, insurance companies and ICT providers.

Main contacts

Martin Hořický, Manager • CISO
Marek Kovalčík, Partner