Client Profile
A global financial services provider operating in more than 40 countries, employing over 10,000 staff, with a large online customer-facing presence. The client manages sensitive financial data and compliance-driven operations. Following increased reports of phishing incidents and internal security lapses, the client sought to validate its human-layer defenses and organizational awareness posture through simulated social engineering assessments.
Challenges Faced
Key security concerns included:
- Frequent phishing incidents bypassing email security filters
- Low awareness among employees regarding social engineering threats
- Absence of formalized human risk assessments in the security strategy
- Compliance requirements under ISO 27001 and PCI-DSS for security awareness
Solution
COE Security implemented a tailored Social Engineering Assessment Program, combining:
- Email Phishing Simulations: Crafted and launched targeted campaigns across departments
- Phone Pretexting Engagements: Simulated vishing calls to test response protocols
- Onsite Impersonation Exercises: Validated physical access controls and visitor policies
- Executive Risk Briefings: Shared findings and mitigation strategies with leadership
Human Behavior Testing and Awareness Impact
- Launched three tiers of phishing simulations targeting 500 employees
- Identified a 23% click rate and 8% credential submission rate during initial tests
- Delivered customized training to departments with high susceptibility
- Conducted stealth physical access tests at two global offices
- Reported multiple tailgating and badge-sharing incidents during site visits
Governance, Policy, and Readiness Enhancements
- Integrated human-layer risk scoring into the overall risk register
- Developed role-based training modules aligned with ISO 27001 A.7.2.2 controls
- Implemented quarterly phishing simulation policy across business units
- Formalized an executive mandate for social engineering awareness
COE Social Engineering Services Portfolio
- Phishing Simulation Campaigns
- Spear Phishing (Executive Targeting)
- Vishing (Voice-Based Pretexting)
- Smishing (SMS-Based Attacks)
- Impersonation and Physical Breach Testing
- Red Team Social Engineering Engagements
- Security Awareness Training and Gamification
- Role-Based User Risk Profiling
- Human-Centric Threat Modeling
- Compliance-Aligned Awareness Dashboards
Implementation Details
- Deployed phishing simulators with real-time reporting dashboards
- Integrated awareness modules into client’s LMS and HR systems
- Conducted pre/post assessments to measure training effectiveness
- Documented findings with evidence-backed risk heatmaps
- Shared monthly executive summaries and compliance reports
Results Achieved
- Decrease in phishing click rate from 23% to 5% over 60 days
- Achieved 100% participation in awareness training within 30 days
- Closed 5 critical control gaps across HR and physical security policies
- Improved the organization’s Human Risk Maturity score from Level 1 to Level 3
Client Testimonial
“COE Security helped us see where our real risks lie – people. Their approach to social engineering was eye-opening, actionable, and incredibly well-executed. Today, we’re a much harder target.”