What is DataComm Social Engineering?
DataComm’s Social Engineering service helps you measure and strengthen the human side of security through safe, controlled remote tests and targeted training.
We combine:
- Realistic phishing simulations (email)
- Vishing (phone-based) social engineering scenarios
- Follow-up awareness training and metrics
The goal is not to “catch people doing something wrong,” but to identify weak spots in behavior, processes, and escalation paths so you can improve them.
Why do organizations invest in social engineering?
Most successful attacks now involve people, not just technology:
- Phishing emails trick users into clicking links or opening attachments
- Fake IT support calls convince staff to share credentials or bypass controls
- Scammers manipulate staff to change payment instructions or disclose sensitive data
Even with strong firewalls and endpoint tools, a single click or conversation can:
- Expose sensitive customer or internal data
- Lead to ransomware, account takeover, or wire/ACH fraud
- Cause significant downtime, financial loss, and reputational damage
DataComm Social Engineering solutions help you:
- See how users actually respond to realistic attacks
- Validate whether policies and training are working in the real world
- Identify where procedures, approvals, and escalation need to be tightened
- Build a culture where people feel responsible and empowered to challenge suspicious activity
How DataComm Social Engineering works
We use a structured approach that’s safe, transparent to leadership, and respectful to employees, while still providing realistic remote testing.
1. Planning & rules of engagement
We start by defining:
- Objectives (e.g., measure phishing susceptibility, test help desk ID checks, validate wire-change procedures)
- In-scope user groups, locations, and communication channels
- What’s allowed and what’s explicitly off-limits (data, systems, and scenarios)
- How results will be reported and communicated to avoid a blame culture
You end up with a clear rules-of-engagement and test plan that leadership approves before testing begins.
2. Scenario & content design
We design remote-only scenarios that match your environment, such as:
- Phishing emails:
  - Fake password expiration notices
  - “New device sign-in” alerts
  - Vendor invoice or wire instruction changes
  - HR or benefits-related notifications
- Vishing calls:
  - Callers posing as internal IT, support vendors, or customers
  - Attempts to gain password resets, MFA codes, or sensitive information
All content uses realistic but safe templates that avoid unnecessary disruption and protect actual data.
3. Execution & monitoring
During the campaign:
- Phishing emails are sent over a defined timeframe, with links or landing pages that track clicks and submissions (no real credentials are stored).
- Vishing tests follow structured scripts and decision trees, with clear stop conditions.
We closely monitor outcomes and can pause or adjust campaigns if needed.
4. Reporting, metrics & executive summary
After the campaign, we provide:
- Overall metrics (e.g., percentage who opened, clicked, or submitted data; percentage who reported the attempt)
- Breakdown by department, role, or site where appropriate and agreed
- Examples of particularly effective or risky scenarios
- Observations on process gaps (e.g., weak identity verification on the phone, missing callbacks, or unclear escalation paths)
You receive an executive summary and detailed report that can be shared with management, IT, security, and training teams.
5. Targeted training & program improvement
Testing is most effective when paired with education. DataComm can:
- Provide just-in-time training for users who interacted with simulated attacks
- Deliver awareness sessions for staff, leadership, and high-risk groups
- Help update policies and procedures (e.g., callbacks for payment changes, verification steps for IT requests)
- Design an ongoing social engineering program with regular campaigns and improve benchmarks
The focus is on continuous improvement, not one-time “gotcha” tests.
Key capabilities of DataComm Social Engineering
- Custom phishing simulation campaigns matched to your industry, systems, and real-world attack patterns.
- Tracking of email opens, link clicks, and data entry attempts with safe, controlled landing pages.
- Immediate educational feedback delivered to users at the moment of interaction.
- Scripted vishing (phone) assessments targeting help desks, branches, and support teams.
- Evaluation of identity verification, approval workflows, and escalation procedures during phone-based scenarios.
- Clear, actionable metrics and benchmarking to track trends and measure improvement over time.
- Identification of high-risk roles, behaviors, and business processes.
- Targeted security awareness training informed directly by test results.
- Practical recommendations to strengthen procedures, approvals, and internal communication.
- Remote-only social engineering testing conducted via email and phone (no onsite or physical testing).
Note: DataComm provides remote social engineering testing only (email and phone). We do not perform onsite/physical social engineering activities.
What you get with DataComm Social Engineering Services
A typical engagement includes:
Who is DataComm Social Engineering for?
This service is a strong fit if:
- You want to understand your real-world susceptibility to phishing and phone-based scams
- Regulators, auditors, or customers are asking about phishing tests or security awareness
- You’ve experienced a social engineering incident (fraud, credential theft, or data loss) and want to prevent a repeat
- You’re building or maturing a security awareness and training program
- Leadership wants metrics and evidence that training is working
USE CASES
Explore the Possible Applications of a Risk Assessment
Measuring phishing risk and improving training
Run an initial phishing campaign across the organization:
- Use results to target training for higher-risk teams
- Run a follow-up campaign to measure improvement and adjust content
Testing high-risk processes (wires, ACH, payments)
Design scenarios around payment or vendor change requests:
- Test whether staff verify changes using approved procedures
- Update policies and training to close identified gaps
Validating help desk and IT support processes
Conduct vishing tests against your help desk or IT support line:
- Evaluate how well staff verify caller identity and handle sensitive requests
- Improve scripts, authentication steps, and escalation paths
FREQUENTLY ASKED QUESTIONS
Common questions
Our approach is educational, not punitive. We encourage organizations to use results for training and process improvement, not discipline, except in extreme or repeated situations defined by your HR and leadership teams.
Yes. We can target or exclude groups based on your requirements, and we’ll always align with HR and leadership on scope.
If confidential or sensitive data is collected, it will be transmitted and stored in an encrypted format. Your organization will also be notified if sensitive information is improperly shared.
This service is conducted 100% remotely. All phishing and vishing simulations, analysis, and training sessions are delivered via email, phone, and online collaboration tools—no onsite or physical social engineering activities are performed.
Many organizations test at least annually, with more frequent, smaller campaigns (e.g., quarterly) to maintain awareness and track trends over time.
Next steps
To tailor DataComm Social Engineering Assessment & Training for your organization, we recommend documenting:
- Your current security awareness efforts and any past phishing tests
- High-risk processes (payments, access changes, vendor changes) you’d like to focus on
- Any upcoming audits, exams, or board discussions related to security awareness and social engineering
Ready to harden your network against active threats?
Schedule a Social Engineering strategy session with DataComm to safely test your defenses, strengthen user awareness, and reduce the risk of human-driven attacks.