Threat actors have learned that the fastest path through your defences is not through your technology — it is through your people. Social engineering, phishing and pretexting attacks specifically target the human layer because it is the one control that cannot be patched.
Phishing attacks account for over 36% of all data breaches globally — more than any other attack vector. Modern phishing campaigns are not the obvious misspelled emails of ten years ago. AI-generated spear-phishing emails are personalised using data from LinkedIn, company websites and social media. They reference real projects, real colleagues and real business contexts. They are convincing enough to fool experienced professionals.
Once a convincing message reaches an inbox, the remaining defence is a workforce that recognises attack patterns regardless of how polished the email appears. Click-through rates at untrained organisations average 30-40%. Organisations with mature continuous training programmes consistently achieve sub-5% click rates, together with high reporting rates, where employees flag suspicious emails quickly enough for the security team to pull the same message from colleagues' inboxes before anyone else is targeted.
Business email compromise, where attackers impersonate executives, suppliers or partners to redirect payments or steal sensitive information, has accounted for over $43 billion in reported losses worldwide since 2016, making it the highest-value cybercrime category. Typical attacks impersonate the CEO asking finance to wire funds urgently, a supplier requesting that payment go to a new bank account, or IT asking for system credentials.
BEC attacks target employees rather than systems: they exploit trust and authority, not a software vulnerability. Technical controls help less than expected here. DMARC stops exact spoofing of your own domain, but a look-alike domain registered by the attacker, or a genuinely compromised supplier mailbox, passes SPF, DKIM and DMARC and arrives looking legitimate. The effective defence is a finance team trained to verify any change of bank details or urgent payment request through a separate channel (a call to a number already on file, never one taken from the email), to recognise urgency and secrecy pressure tactics, and to treat an email on its own as never sufficient authorisation for a payment.
Social engineering attacks manipulate human psychology — exploiting authority, urgency, social proof, reciprocity and fear. A caller claiming to be from IT support asking an employee to read their password reset code. A LinkedIn message from a recruitment consultant asking about internal processes. A USB drive left in a car park labelled "Payroll Q4". These attacks succeed because they exploit how humans naturally respond to social situations.
Security awareness training builds psychological resistance to these manipulation techniques. Employees who understand how authority, urgency and pretexting work are significantly harder to social engineer than those who have never encountered these concepts. Training that uses realistic simulations — including vishing calls, smishing texts and physical pretexting scenarios — builds the scepticism and verification habits that prevent social engineering attacks from succeeding.
The research is clear. A single annual training session produces compliance completions but no measurable reduction in phishing susceptibility. Behaviour changes through repetition, relevance and consequence — not through watching a video once a year.
Already using KnowBe4, Proofpoint or another platform? We can take over campaign management, content configuration and reporting — turning an underused licence into a fully operated security culture programme.
Spear phishing: personalised emails using details from LinkedIn, company websites and previous breaches. Impersonating real colleagues, executives and trusted vendors. AI-generated content that passes grammar checks and sounds professionally authentic. The hardest phishing category to detect without training.
Smishing: text messages impersonating delivery companies, banks, HMRC and Microsoft. Mobile users are more susceptible than desktop users: the screen is smaller, the full URL is rarely visible, and a sender number is trivially spoofed. Particularly effective against employees using personal phones for work communication under BYOD policies, where the corporate email filters never see the message.
Vishing: phone calls from fake IT support, senior executives and suppliers. Caller ID is easily spoofed, and the caller creates immediate time pressure that discourages employees from following verification procedures. Particularly targeted at helpdesk staff, who are trained to be helpful, a trait attackers specifically exploit; the countermeasure is a call-back to a number already on record before any password reset or MFA change is actioned.
CEO fraud: impersonating the CEO, CFO or board members to request urgent wire transfers, gift card purchases or sensitive information. Uses spoofed or look-alike sender addresses, a display name matching the executive, cloned voice audio and genuine business context to make requests appear credible. Finance teams are the primary target.
Malicious links: credential-harvesting pages that replicate Microsoft 365, banking and SaaS login pages with convincing accuracy. QR codes, printed or embedded as images in email, that carry the link where URL filters cannot read it and move the victim onto an unmanaged personal phone. Drive-by download sites that install malware on click. Shortened URLs hiding the true destination.
Malicious attachments: password-protected ZIP files, whose contents the mail gateway cannot open and so cannot scan. Office documents asking the user to enable macros. PDF files with embedded links. HTML attachments that assemble the payload in the browser with script, so the gateway never sees an executable. Each technique is designed to bypass a specific technical control.
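The indicators in the CEO-fraud, malicious-link and malicious-attachment descriptions above can be checked mechanically when an employee reports a message and it lands with the security team. The following is an added example, not code from this page or from any of the platforms it names. It assumes a hypothetical organisation domain example.com, one known executive name, and a short illustrative list of URL shorteners, and it constructs its own sample message (a look-alike sender domain, a mismatched Reply-To, a shortened link and a ZIP with the encryption flag set) so it runs offline.

```python
"""Triage a reported email for the CEO-fraud, link and attachment indicators
described above. Added example, not vendor code. Hypothetical assumptions:
our domain is example.com, finance knows the CEO as 'Dana Patel', and the
shortener list is illustrative only."""
import io
import re
import struct
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                                   # assumed
KNOWN_EXECUTIVES = {"dana patel": "dana.patel@example.com"}  # assumed
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}               # illustrative
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}      # common swaps


def normalise(domain):
    """Collapse look-alike substitutions so examp1e.com compares equal to example.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def zip_is_encrypted(data):
    """Read general-purpose flag bit 0 of the first local file header.
    When it is set the entries are encrypted and a gateway cannot inspect them."""
    pos = data.find(b"PK\x03\x04")
    if pos < 0 or len(data) < pos + 8:
        return False
    (flags,) = struct.unpack_from("<H", data, pos + 6)
    return bool(flags & 0x1)


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display name matches an executive but the address does not")
    if from_domain != OUR_DOMAIN and normalise(from_domain) == normalise(OUR_DOMAIN):
        findings.append(f"look-alike sender domain {from_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for host in re.findall(r"https?://([^/\s\"'>]+)", text):
        if host.lower() in SHORTENERS:
            findings.append(f"shortened URL via {host}")
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if fname.endswith((".html", ".htm")):
            findings.append(f"HTML attachment {fname} renders client-side")
        elif fname.endswith(".zip") and zip_is_encrypted(payload):
            findings.append(f"password-protected ZIP {fname}, gateway cannot scan it")
    return findings


def build_sample():
    """Constructed sample message: CEO-fraud lure with an 'encrypted' ZIP attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.exe", b"not really a PE file")
    data = bytearray(buf.getvalue())
    data[6] |= 0x1  # set the encryption bit in the first local file header
    m = EmailMessage()
    m["From"] = "Dana Patel <dana.patel@examp1e.com>"
    m["Reply-To"] = "dana.patel@mail-relay.test"
    m["To"] = "finance@example.com"
    m["Subject"] = "Urgent - payment needed today"
    m.set_content("Please pay the attached invoice via https://bit.ly/abc123 today.\n"
                  "Keep this between us.")
    m.add_attachment(bytes(data), maintype="application", subtype="zip",
                     filename="Invoice_Q4.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```

The homoglyph table and shortener list are deliberately small; in practice both come from a maintained source, and a genuinely compromised supplier mailbox produces none of these findings, which is why the out-of-band call-back described above still has to happen.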
We review your organisation — size, sectors, departments, highest risk roles and any specific concerns from previous incidents or near misses. Your training content strategy, phishing simulation schedule and role-based tracks are designed. Compliance requirements mapped to programme structure.
KnowBe4, Proofpoint or Cofense provisioned for your organisation. User accounts created via CSV or directory sync. The platform's sending domains and IP ranges allowlisted in your mail filters (in Microsoft 365, through an advanced delivery policy for third-party phishing simulations) so simulations reach inboxes without interference; this also means the click rate measures how people respond, not how well the filter works. One-click phishing report button deployed to all employee mailboxes.
First simulated phishing campaign launched — a calibration exercise designed to establish your baseline click rate without prior warning. Results analysed by department, role and individual. Your risk profile established. High-risk departments identified for priority attention.
Role-based training tracks published to all user groups. Welcome module launched to all employees explaining the programme. First month micro-learning module deployed. Manager dashboard access configured and team leads briefed on their reporting view.
Full programme operational. Monthly simulation and training schedule confirmed. First security culture score established from baseline. Monthly reporting cadence configured. Your dedicated Octa1ne engineer presents initial findings and explains what to expect each month going forward.
Octa1ne manages the entire programme — campaign scheduling, content deployment, user management and reporting. Your team reviews the monthly security culture report and takes action on high-priority findings. No platform administration, no content creation, no scheduling. Just results.