Phishing & Social Engineering Testing.
Test whether your people can be manipulated before a real attacker does. Email, phone, SMS, and physical social engineering campaigns for Australian businesses.
Your technical controls are only as strong as the humans who operate them. We test all four social engineering vectors so you get a complete picture of your human risk surface — not just an email click rate.
What's included
Everything needed for a complete campaign.
Eight components covering infrastructure, execution, measurement, and reporting. A complete social engineering engagement, not just a click test.
Campaign design
Scenarios designed around your industry, organisation structure, and the attack types most likely to target your business.
Domain infrastructure
Lookalike domain registration and credential harvesting page infrastructure set up for the engagement, then decommissioned.
Click & credential tracking
Click rates, credential capture rates, and call compliance rates tracked per user, department, and role.
Vishing scripts
Call scripts designed for your specific environment. IT helpdesk, vendor, executive assistant, and finance team scenarios.
Department-level reporting
Results broken down by department and role. Identify which groups need targeted follow-up and which are performing well.
Executive summary
Board-ready narrative explaining your human risk exposure and the remediation actions recommended.
Physical pretexting
Contractor and delivery impersonation, USB drop testing, tailgating, and clean desk compliance where in scope.
Awareness training referral
Users who fail receive targeted awareness training modules. Combined engagements available with our full training programme.
Australian-relevant lures
Generic phishing simulations using American brand names don't test your real risk. Our campaigns use Australian services and institutions your staff actually interact with.
- ATO tax refund and BAS payment requests
- myGov account verification and MFA reset
- Australia Post and Toll parcel delivery
- CommBank, ANZ, and Westpac fraud alerts
- ASIC and APRA regulatory notices
- ServiceNow IT helpdesk request forms
What you get
Every campaign includes a detailed report with results by attack type, department, and role. Recommendations drive the training programme that follows.
- Pre-campaign briefing and rules of engagement
- Detailed results report within five business days
- Click rate, credential capture, and call compliance data
- Department and role-level breakdown
- Remediation and training recommendations
- Optional combined awareness training programme
What you learn
Your real human risk exposure.
Four concrete insights from every social engineering engagement. Data that drives targeted remediation rather than blanket training.
Click rates by department
Know exactly which teams are your highest-risk groups. Finance, HR, and IT helpdesk tend to be the most targeted — and the results often reflect that risk.
Attack vector susceptibility
Different teams fail different attack types. Finance staff fall for business email compromise (BEC) scenarios such as fraudulent payment requests. Helpdesk staff fall for credential harvesting. The data drives targeted training.
Improvement over time
Click rates tracked across campaigns. Documented improvement demonstrates the effectiveness of your awareness programme to boards, insurers, and auditors.
Remediation prioritised
Results show exactly where to focus training investment. Not a blanket programme — targeted remediation for the groups and scenarios that showed the highest failure rates.
Do you notify staff before a phishing simulation?
For a genuine measurement, the initial campaign runs without prior warning to staff. Your IT team and relevant stakeholders are notified beforehand. Subsequent campaigns may include advance general communication about an ongoing training programme — which itself changes behaviour positively.
What happens when someone clicks?
They're redirected to a page explaining what to look for and how the phishing attempt worked. A more comprehensive awareness training module is assigned for completion. Everything is tracked and reported.
How is vishing different from a phishing simulation?
Vishing tests a different social engineering vector: voice. Many staff who wouldn't click a phishing email will give out sensitive information to an authoritative-sounding caller. Testing both gives you a complete picture of your human risk surface.
Can you test our physical security too?
Yes. Pretexting — physical social engineering — is available as part of our social engineering testing scope. This includes contractor impersonation, tailgating, USB drop testing, and clean desk compliance. It can be combined with network penetration testing or run as a standalone exercise.
Is a phishing simulation included in Fortify?
Yes. Phishing simulations are included in every Fortify engagement as part of our standard awareness programme. Standalone social engineering testing engagements are also available for organisations not on Fortify, or for clients who want a more in-depth assessment beyond the standard Fortify programme.
Ready to test your people?
Find out who clicks before a real attacker does.
We scope a campaign around your industry, organisation structure, and the attack types most relevant to your business. Australian-specific lures included as standard.
Four attack vectors
Every way an attacker targets your people.
Most testing stops at email. We test all four social engineering vectors so you understand your complete human risk exposure.
Campaigns built around Australian-specific lures and attack patterns relevant to your industry.
Spear phishing
Targeted email campaigns using real employee names, realistic sender domains, and industry-specific pretexts. Benchmarked against Australian attack patterns.
Vishing
Simulated phone-based attacks. Testers call your staff posing as IT support, the ATO, or other trusted entities and attempt to extract sensitive information.
Smishing
Fake parcel delivery, myGov, and bank SMS messages sent to employee mobile numbers. Tests whether staff click before verifying.
Pretexting
Physical social engineering. Tests whether staff allow unauthorised physical access or provide information to people posing as contractors or delivery personnel.