CREST-Certified Phishing Assessment and Social Engineering for UK Businesses
Phishing assessment goes beyond annual click-rate metrics. We deliver realistic adversary-mode phishing campaigns: AI-generated lures, MFA-fatigue testing, OAuth phishing, vishing, smishing, and physical pretext attacks. CREST methodology, sector-specific TTPs, executive-tier scope.
Click-rate metrics measure awareness. Adversary-mode phishing measures resilience.
Most “phishing assessments” send a templated email, count clicks, and produce a percentage. That’s awareness training, not security testing. It doesn’t reveal whether your MFA holds up against real OAuth-consent phishing, whether your SOC catches a vishing-driven help-desk handover, or whether a sector-targeted lure compromises your finance team.
Our phishing assessment runs adversary-mode campaigns: AI-generated lures based on current threat-actor TTPs, MFA-fatigue testing, OAuth-consent phishing for cloud account compromise, vishing (voice phishing) of help-desk and finance, smishing (SMS phishing) targeting executives, and, where authorised, physical pretext attacks. Reports provide evidence for ISO 27001 A.6.3 awareness-training controls and FCA Operational Resilience scenario testing, and give CISO-ready findings on cultural and process gaps.
12 PHISHING ATTACK VECTORS
What We Test in Phishing Assessment
Multi-channel adversary mode. Modern TTPs. Sector-specific lure design.
Email Phishing
Targeted spear-phishing with sector-aware lures. Domain spoof / look-alike. Payload, credential harvest, or pretext-only.
OAuth Consent Phishing
Modern cloud account takeover via a malicious app that asks the user for OAuth consent. Routes around MFA rather than breaking it: the victim signs in normally, then grants the attacker's app a token. Targets Microsoft 365 / Google Workspace.
MFA Fatigue
Repeated MFA push notifications until user accepts. Tests SOC alerting and user awareness of MFA bombing patterns.
Vishing (Voice)
Help-desk impersonation, finance-team payment-fraud calls, IT-team password-reset requests. Pretext, recorded if authorised.
Smishing (SMS)
Executive SMS phishing, mobile MFA reset attempts, banking-style mobile lures. Particularly effective against C-suite.
Physical Pretext
Office tailgating, USB drop, courier impersonation, RFID badge cloning, dropbox device deployment. Authorised in writing.
Whaling / BEC
Business Email Compromise targeting CFO, finance team, treasury. Wire-fraud lure design, supplier impersonation, M&A pretexts.
AI-Generated Lures
LLM-generated phishing lures matching real adversary writing style. Tests resilience against polished modern phishing not flagged by basic filters.
Domain Spoofing & Lookalike
Typosquat domain registration, IDN homoglyph attacks, look-alike Microsoft / Google portals, and direct spoofing of your own domains where SPF/DKIM/DMARC are missing or DMARC is monitor-only (p=none).
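Two checks from the domain-spoofing card that a practitioner can run before a campaign, as an added example (not the assessment service's own tooling): generating the look-alike candidates worth registering or watching for, and grading the target's DMARC record. The homoglyph table, the affix list and the sample records are constructed assumptions; no DNS lookups are made, so pass the TXT record in as a string.

```python
"""Generate look-alike domain candidates and grade a DMARC record (added example)."""

# Visually confusable substitutions (assumption: a small, common subset).
HOMOGLYPHS = {
    "m": ["rn"], "rn": ["m"], "w": ["vv"], "l": ["1", "i"], "i": ["l", "1"],
    "o": ["0"], "0": ["o"], "e": ["3"], "a": ["4"], "s": ["5"], "g": ["q"], "d": ["cl"],
}
ALT_TLDS = ["co.uk", "com", "net", "co", "uk", "org"]


def lookalike_candidates(domain: str) -> set:
    """Return typosquat/homoglyph variants of a registrable domain such as example.com."""
    label, tld = domain.split(".", 1)
    out = set()
    # 1. homoglyph swaps, including two-character digraphs such as rn -> m
    for i in range(len(label)):
        for src, repls in HOMOGLYPHS.items():
            if label.startswith(src, i):
                for r in repls:
                    out.add(label[:i] + r + label[i + len(src):] + "." + tld)
    # 2. adjacent-character transpositions (exmaple.com)
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + tld)
    # 3. single-character omissions (exmple.com)
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:] + "." + tld)
    # 4. "brand" prefixes and TLD swaps (assumed affix list)
    for affix in ("secure-", "login-", "my-"):
        out.add(affix + label + "." + tld)
    for alt in ALT_TLDS:
        if alt != tld:
            out.add(label + "." + alt)
    out.discard(domain)
    return out


def dmarc_posture(txt_record: str) -> dict:
    """Classify a DMARC TXT record as enforced, partial, monitor-only or absent."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"posture": "absent", "spoofable": True, "notes": ["no valid DMARC record"]}
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    sub_policy = tags.get("sp", policy).lower()   # subdomains inherit p= unless sp= is set
    notes = []
    if policy == "none":
        posture = "monitor-only"
    elif pct < 100:
        posture = "partial"
        notes.append(f"only {pct}% of failing mail is subject to p={policy}")
    else:
        posture = "enforced"
    if sub_policy == "none" and policy != "none":
        notes.append("subdomains unprotected (sp=none): mail from hr.<domain> can still be spoofed")
    if "rua" not in tags:
        notes.append("no rua= address: spoofing attempts are never reported back to you")
    return {
        "posture": posture, "policy": policy, "pct": pct,
        "spoofable": posture != "enforced" or sub_policy == "none",
        "notes": notes,
    }


if __name__ == "__main__":
    print(sorted(lookalike_candidates("example.com"))[:10])
    # Constructed records for illustration.
    print(dmarc_posture("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(dmarc_posture("v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com"))
```

A p=none record is the case the card refers to: the domain owner gets reports but receivers deliver spoofed mail anyway, so a "from your own CFO" lure needs no look-alike domain at all. The sp= check matters because an enforced parent policy is routinely undermined by an unprotected subdomain.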
Adversary-in-the-Middle (AitM)
Evilginx-style reverse-proxy AitM attacks against MFA. Captures the authenticated session cookie, so TOTP and push MFA are bypassed. Defeated only by origin-bound, phishing-resistant authentication (FIDO2 / hardware keys).
Supply Chain Phishing
Pretexts simulating compromised suppliers, M&A counterparties, regulators. Tests cross-organisational trust assumptions.
SOC Detection Validation
Coordinates campaign with your SOC for blue-team measurement. SOC alerts, ticket queue, response time, communication-cascade quality.
FOUR-PHASE METHODOLOGY
Phishing Assessment — From Threat Profile to Cultural Insight
Sector-aware threat profiling. Multi-channel campaign delivery. SOC-coordinated for blue-team measurement.
Threat Profile
Lure Development
Campaign Execution
Report & Briefing
Verified Accreditations Auditors Accept
Every accreditation is independently issued by a recognised UK certification body. Our CREST membership can be verified on the CREST member register.
COMPLIANCE READY
Phishing Assessment Reports Mapped to Every Framework
Phishing assessment evidence accepted across compliance frameworks where social-engineering resilience is a control requirement.
ISO 27001 A.6.3
Awareness training and human-element control evidence. ISO 27001:2022 A.6.3 requires appropriate awareness education and training; it does not mandate simulated phishing, but phishing-assessment results are accepted evidence that the training is effective.
FCA / PRA Operational Resilience
Severe-but-plausible scenario evidence including human-element failure modes. SOC detection of social-engineering attempts.
NIS2 + DORA
Essential services and financial entities — human-element resilience is part of operational risk evidence.
SOC 2 Type II
CC1.4 (competent personnel) and CC2.2 (internal communication of security responsibilities): phishing-assessment results evidence both.
Cyber Essentials
Cyber Essentials Plus has no phishing-simulation requirement; phishing-assessment evidence goes beyond the CE+ baseline and supports overall cyber-maturity scoring at recertification.
NCSC Phishing Resistance
Aligned to NCSC phishing-resistance guidance — particularly important for FIDO2 hardware-key adoption recommendations.
TRANSPARENT PRICING
Transparent Phishing Assessment Pricing
All tiers include sector-specific threat profiling and SOC-coordinated delivery. Price varies by scope, channel breadth, and target population.
Email-only. Price depends on target population.
Single-channel email phishing, ≤500 targets, sector-aware lures, basic SOC coordination. Typically 2-3 week delivery.
- ✓Free retests included
- ✓Free rescheduling
- ✓No cancellation fees
- ✓Scope to active testing within 24 hours
- ✓Live findings to client portal
- ✓Executive + technical report
- ✓60-min walkthrough call
- ✓Letter of attestation
Multi-channel. Price depends on scope and channels.
Email + vishing + smishing + OAuth phishing + MFA fatigue, ≤500 targets, full SOC coordination. Typically 3-5 week delivery.
- ✓Free retests included
- ✓Free rescheduling
- ✓No cancellation fees
- ✓Scope to active testing within 24 hours
- ✓Live findings to client portal
- ✓Executive + technical report
- ✓60-min walkthrough call
- ✓Letter of attestation
Enterprise / red-team adjunct. Price depends on scope and channels.
All channels including physical pretext, full BEC scenarios, AitM testing, supply-chain phishing, integrated with red team or DORA TLPT cycle.
- ✓Free retests included
- ✓Free rescheduling
- ✓No cancellation fees
- ✓Scope to active testing within 24 hours
- ✓Live findings to client portal
- ✓Executive + technical report
- ✓60-min walkthrough call
- ✓Letter of attestation
Phishing Assessment for Your Sector
Phishing TTPs vary by sector. We profile the actors targeting your industry and design campaigns matching their actual tradecraft.
Fintech
FCA-regulated firms, Open Banking, payment APIs, PCI scoping.
SaaS
Multi-tenant isolation, SSO/SAML/OIDC, customer-data perimeter, SOC 2 evidence.
Healthcare
NHS DSPT, NHS DTAC, EHR integration, telehealth, patient-data PII.
Insurance
FCA / PRA Operational Resilience, claims data, broker integrations, cyber underwriting evidence.
Law
Privileged-data confidentiality, partner-tier scrutiny, SRA Cyber Standard alignment.
Public Sector
CCS / G-Cloud framework, NCSC-aligned, SC-cleared testers available.
What You Actually Get
What distinguishes our service from automated scans and box-tick competitors.
What You Get From Phishing Assessment
AI-Aware Lure Design
OAuth + AitM Testing
SOC-Coordinated Metrics
UK CREST + IASME + ISO 27001 + ISO 9001
Frequently Asked
What is a phishing assessment?
A phishing assessment is a controlled simulation of phishing and social-engineering attacks against your organisation. Modern assessments go beyond email click-rate metrics to include vishing, smishing, OAuth consent phishing, MFA fatigue, and physical pretext attacks — measuring both user awareness and SOC detection.
How is your assessment different from a phishing-awareness platform?
Awareness platforms (KnowBe4, Proofpoint Security Awareness, etc.) deliver continuous low-fidelity phishing for training. Our assessment is adversary-mode: high-fidelity, sector-aware, multi-channel campaigns matching real threat-actor tradecraft. Use both — awareness platforms for ongoing training, our assessment for periodic resilience testing.
How long does a phishing assessment take?
Email-only campaign: 2-3 weeks (1 week setup, 1-2 weeks campaign). Multi-channel campaign: 3-5 weeks. Enterprise / red-team-adjunct campaign: 6-8 weeks including physical pretext component.
How much does phishing assessment cost in the UK?
Email-only £3,000-£6,000. Multi-channel (most commonly commissioned) £6,000-£15,000. Enterprise / red-team adjunct £15,000+. UK day rates for CREST + social-engineering specialists are £1,200-£1,800 per day.
Do you test MFA bypass via OAuth phishing?
Yes. OAuth consent phishing is the modern cloud account takeover vector. It does not break MFA; it routes around it: the victim signs in to the genuine Microsoft 365 or Google login with their password and MFA, then grants a malicious app permissions such as mailbox and file access. The attacker holds an access token and refresh token for that app, which keep working after a password reset until the consent grant itself is revoked. Particularly effective against Microsoft 365 and Google Workspace tenants. Our assessment includes this where requested.
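What the OAuth Consent Phishing card and this answer describe can be checked in a mail-filter or SOC playbook by triaging the authorize link before the user reaches the consent screen. Below is an added example, not the assessment service's own code: it parses an OAuth 2.0 authorize URL and flags the indicators that distinguish a consent lure from a routine SSO login. The identity-provider host list, the high-risk scope list, the client IDs and the sample URLs are constructed assumptions.

```python
"""Triage an OAuth 2.0 authorize link for consent-phishing indicators (added example)."""
from urllib.parse import urlparse, parse_qs

# Genuine authorize endpoints (assumption: extend for your identity providers).
IDP_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}

# Delegated scopes that give a third-party app durable reach into mail, files or
# the directory (assumption: tune to your tenant's consent policy).
HIGH_RISK_SCOPES = {
    "offline_access", "mail.read", "mail.readwrite", "mail.send",
    "mailboxsettings.readwrite", "files.read.all", "files.readwrite.all",
    "contacts.read", "directory.read.all", "user.read.all",
    "https://mail.google.com/", "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive",
}


def triage_consent_url(url: str, known_app_hosts=frozenset()) -> dict:
    """Return the app, the scopes it asks for and the reasons to investigate."""
    p = urlparse(url)
    q = parse_qs(p.query)                      # parse_qs decodes '+' and %xx for us
    scopes = {s.lower() for raw in q.get("scope", []) for s in raw.split()}
    redirect = q.get("redirect_uri", [""])[0]
    redirect_host = (urlparse(redirect).hostname or "").lower()
    findings = []
    if p.hostname not in IDP_AUTHORIZE_HOSTS:
        findings.append(f"authorize endpoint {p.hostname!r} is not a known identity "
                        "provider: possible AitM or look-alike portal")
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        findings.append("app requests durable data access: " + ", ".join(risky))
    if "offline_access" in scopes:
        findings.append("offline_access: the refresh token survives a password reset; "
                        "revoke the consent grant, not just the password")
    if redirect_host and redirect_host not in known_app_hosts:
        findings.append(f"consent returns to unvetted host {redirect_host!r}: "
                        "check the app publisher before approving")
    if q.get("prompt", [""])[0] == "consent":
        findings.append("prompt=consent forces the grant screen even for known apps")
    return {
        "client_id": q.get("client_id", [""])[0],
        "scopes": sorted(scopes),
        "risky_scopes": risky,
        "redirect_host": redirect_host,
        "findings": findings,
        "verdict": "investigate" if (risky or p.hostname not in IDP_AUTHORIZE_HOSTS) else "low",
    }


# Constructed samples. The lure goes to the REAL Microsoft authorize endpoint, so the
# padlock, the login page and the MFA prompt are all genuine; only the app is hostile.
SAMPLE_LURE = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-share.invoice-portal.example%2Fcallback"
    "&scope=openid+offline_access+Mail.Read+Files.ReadWrite.All&prompt=consent"
)
SAMPLE_BENIGN = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=66666666-7777-8888-9999-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.approved-saas.example%2Fauth"
    "&scope=openid+profile+email"
)

if __name__ == "__main__":
    for u in (SAMPLE_LURE, SAMPLE_BENIGN):
        r = triage_consent_url(u, known_app_hosts={"app.approved-saas.example"})
        print(r["verdict"], r["risky_scopes"], *r["findings"], sep="\n  ")
```

The point the triage makes visible is that nothing in the lure URL is forged: host, certificate and login flow are Microsoft's. The only signals are the scopes and where consent returns to, which is why the remediation for a successful grant is revoking the enterprise application's consent rather than resetting the password.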
Do you test against MFA fatigue?
Yes. MFA-fatigue (push-notification spamming until the user accepts) is a real-world TTP behind the 2022 Uber breach and many subsequent incidents. We test MFA-bombing patterns, conditional-access policy effectiveness, and SOC detection of unusual MFA-prompt volume.
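The SOC-side measurement referred to here and in the MFA Fatigue and SOC Detection Validation cards comes down to one detection: a burst of rejected or timed-out push prompts for one account, followed by an approval. The following is an added example of that logic run over sign-in log lines, not the assessment service's own detection content. The log lines are constructed JSON loosely modelled on identity-provider sign-in events (assumed fields: ts, user, ip, result, mfa), and the threshold and window are assumptions to tune per tenant.

```python
"""Flag MFA-fatigue (push-bombing) patterns in sign-in logs (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

PUSH_REJECTIONS = {"mfa_denied", "mfa_timeout"}   # user pressed Deny, or let the prompt expire


def _parse(line: str) -> dict:
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect_mfa_fatigue(lines, threshold=5, window=timedelta(minutes=10)):
    """Return alerts: 'medium' once `threshold` push prompts are rejected or time out
    inside `window`; 'high' when a push is approved while that pattern is live."""
    events = sorted((_parse(l) for l in lines), key=lambda e: e["ts"])
    rejections = defaultdict(deque)   # user -> timestamps of rejected pushes in window
    alerted = set()
    alerts = []
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        q = rejections[user]
        while q and ts - q[0] > window:          # slide the window forward
            q.popleft()
        if ev["result"] in PUSH_REJECTIONS:
            q.append(ts)
            if len(q) >= threshold and user not in alerted:
                alerted.add(user)
                alerts.append({"user": user, "severity": "medium", "ip": ev["ip"],
                               "at": ts.isoformat(),
                               "reason": f"{len(q)} push prompts rejected/timed out within {window}"})
        elif ev["result"] == "success" and ev.get("mfa") == "push":
            if len(q) >= threshold:
                alerts.append({"user": user, "severity": "high", "ip": ev["ip"],
                               "at": ts.isoformat(),
                               "reason": "push approved after fatigue pattern: treat the session as compromised"})
            q.clear()                            # a normal login resets the counter
            alerted.discard(user)
    return alerts


# Constructed sample: alice is bombed six times from one source in four minutes and then
# approves; bob denies one stray prompt and logs in normally.
SAMPLE_LOG = [
    '{"ts":"2024-05-01T08:00:10Z","user":"alice@corp.example","ip":"203.0.113.7","result":"mfa_denied","mfa":"push"}',
    '{"ts":"2024-05-01T08:00:40Z","user":"alice@corp.example","ip":"203.0.113.7","result":"mfa_timeout","mfa":"push"}',
    '{"ts":"2024-05-01T08:01:15Z","user":"alice@corp.example","ip":"203.0.113.7","result":"mfa_denied","mfa":"push"}',
    '{"ts":"2024-05-01T08:01:50Z","user":"alice@corp.example","ip":"203.0.113.7","result":"mfa_denied","mfa":"push"}',
    '{"ts":"2024-05-01T08:02:30Z","user":"alice@corp.example","ip":"203.0.113.7","result":"mfa_timeout","mfa":"push"}',
    '{"ts":"2024-05-01T08:03:05Z","user":"alice@corp.example","ip":"203.0.113.7","result":"mfa_denied","mfa":"push"}',
    '{"ts":"2024-05-01T08:03:40Z","user":"alice@corp.example","ip":"203.0.113.7","result":"success","mfa":"push"}',
    '{"ts":"2024-05-01T09:15:00Z","user":"bob@corp.example","ip":"198.51.100.20","result":"mfa_denied","mfa":"push"}',
    '{"ts":"2024-05-01T09:15:30Z","user":"bob@corp.example","ip":"198.51.100.20","result":"success","mfa":"push"}',
]

if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(a["severity"], a["user"], a["at"], a["reason"])
```

During a SOC-coordinated campaign the useful numbers are the gap between the medium alert's timestamp and the SOC ticket, and whether the high alert triggered a session revocation rather than a password reset. Number matching on the push prompt removes the "press Approve to make it stop" outcome the high alert represents, which is why the conditional-access check belongs in the same test.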
Do you do vishing (voice phishing)?
Yes. Vishing is particularly effective against help-desks, finance teams, and executive assistants. We deliver vishing as part of multi-channel campaigns — pretext development, recorded calls (where authorised), and post-campaign analysis of phone-handling resilience.
Do you do physical pretext attacks?
Yes — with extensive written authorisation. Physical pretexts include tailgating, USB drops, courier impersonation, RFID badge cloning, and dropbox-device deployment. Always paired with a “get-out-of-jail” letter for operators and pre-approved time windows.
Will phishing assessment damage employee trust?
No, when delivered well. We coordinate closely with HR and internal-comms teams. Post-assessment communications focus on collective improvement, not individual blame. Many of our clients see improved employee engagement on security topics after assessment.
Will assessments trigger our SOC?
Yes — by design. We coordinate with your SOC team to measure detection latency, triage quality, and communication cascade. SOC blue-team metrics are as important as user-side click-rate metrics. Some clients run “blind” SOC scenarios where the SOC team isn’t pre-warned.
Are your operators UK-based?
Yes, primarily UK-based with some international reach for specific language / regional coverage. SC-cleared operators are available for public-sector and regulated-financial engagements where vetting is required.
Do you sign NDAs?
Yes. Standard NDA before any threat-profile or target-list discussion. We operate under a project-specific master agreement that includes target-list IP protection, post-engagement data destruction, and white-team confidentiality.
Book a Phishing Assessment Scoping Call
30 minutes with a CREST + social-engineering specialist. Sector-specific quote within 24 hours. No sales pipeline.