Humans Are the Initial Access Vector

74% of breaches involve a human element — Verizon DBIR 2024

Measure What Awareness Training Actually Bought You

Almost every organization runs annual phishing training. Almost none actually know whether it works against a motivated attacker who has done their homework. Off-the-shelf phishing platforms catch only the easiest 5% of users — they don't simulate spear phishing, MFA fatigue, vishing of help desks, or pretexting against the finance team. Nomad's social engineering practice gives you ground-truth metrics by running the campaigns your awareness program is actually trying to defend against.

Senior operators with verbal-attack and pretexting backgrounds
Custom pretexts mapped to your industry, geography, and recent news
MFA-bypass and adversary-in-the-middle (AiTM) techniques where in-scope
Per-department, per-role, and per-tenure click-rate metrics
Optional handoff to a red team engagement on successful access
No-fault reporting framing so users keep telling you when they click

Campaign Types

The full spectrum of human-attack vectors

Phishing (Email)

Broad-spectrum and targeted email campaigns: credential phishing, attachment-borne payloads, OAuth-consent phishing, and reply-chain hijacking. AiTM proxies for MFA-bypass capture on request.

Spear Phishing

Highly targeted campaigns against named individuals: executives, finance, IT admins, developers. OSINT-driven, pretext-rich, with measurable individual-vs-cohort metrics.

Vishing (Voice)

Phone-based pretexting against help desks, IT support, and finance teams. The vector behind the MGM, Caesars, and Twilio breaches. We test help-desk identity-verification scripts the way real attackers do.

Smishing (SMS)

SMS-based phishing with MFA-bypass focus: fake delivery notifications, fake IT support, fake bank fraud alerts. Rising 30% year-over-year and barely covered by most awareness programs.

MFA Fatigue / Push-Bombing

Test whether your users approve unsolicited push notifications — the technique used in the Uber and Cisco breaches. Combined with vishing for a realistic adversary-in-the-middle simulation.

Physical & In-Person

Tailgating, badge cloning, USB drops, and on-site pretexting. Available as a standalone engagement or paired with a full-scope red team.

Methodology

Ethical, measurable, and designed to build culture rather than blame users

1. Scoping & Rules of Engagement

We agree the target population, in-scope techniques, escalation paths, and the no-go list (e.g., no fake bereavement pretexts, no fake medical-emergency calls). Written authorization for every operator.

2. OSINT & Pretext Design

Public-source reconnaissance of your organization, recent news, M&A activity, vendor relationships, and individual targets. Pretexts are crafted to be plausible without exploiting personal trauma.

3. Infrastructure Build

Domain registration, mail-server warm-up, SPF/DKIM/DMARC tuning to land in inboxes, landing pages, and (where in-scope) AiTM proxies for live credential and MFA-token capture.

4. Campaign Execution

Phased launches across departments and roles to measure cohort differences. Vishing and smishing run during business hours; phishing waves are timed to test peak-vs-off-peak click rates.

5. Reporter Recognition

Users who report the phishing attempt receive immediate "thank you, this was a test" responses. Reporting rates are tracked alongside click rates — they're the more important metric.

6. Reporting & Awareness Tuning

Quantitative metrics (click, credential-submission, MFA-approval, reporting), qualitative narrative of what worked and why, and concrete recommendations for your awareness program — content, frequency, and targeting.

Common Use Cases

Awareness Program Effectiveness Baseline

Goal: Measure what your existing awareness training has actually delivered.

Approach: Multi-vector campaign (phishing + vishing + smishing) with department-level metrics. Repeat at 6 months to measure trend.

Help Desk Verification Hardening

Goal: Test the identity-verification process your help desk uses for password resets and MFA reset requests.

Approach: Vishing-only engagement with 20–40 attempted-reset calls against help desk, scored against your published verification procedure.

Initial-Access Vector for Red Team

Goal: Generate realistic initial access for a full-scope red team engagement.

Approach: Phishing campaign with implant payload; successful clicks hand off to the red team cell for post-exploitation.

BEC / Wire-Fraud Readiness

Goal: Test your finance team's resilience to business email compromise and CEO-fraud pretexts.

Approach: Targeted spear-phishing of AP and finance, combined with vishing impersonation of executives requesting urgent wire transfers.


Real Voice Operators

Vishing is the piece most firms quietly outsource — or skip entirely. Our operators have call-center, sales, and verbal-attack backgrounds. They sound like real people because they are.

Metrics That Matter

Click rate is the vanity metric. We report credential-submission rate, MFA-approval rate, time-to-report, and dwell time — the numbers that actually predict breach probability.
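As an added illustration of the cohort metrics described here and in the reporting step of the methodology above (example code written for this page, not Nomad's own tooling), the script below computes per-department click, credential-submission, MFA-approval and reporting rates, plus median and first time-to-report, from a constructed simulation event log. The user names, departments and event names are assumptions; the one design choice worth noting is that every rate uses delivered users as the denominator, so a clicker who later reports counts in both columns.

```python
"""Per-cohort phishing-simulation metrics from an event log (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: one "timestamp,user,department,event" row per line.
# Users, departments and event names are assumptions made for this example.
SAMPLE_LOG = """\
2024-05-06T09:00:00,alice,finance,delivered
2024-05-06T09:00:00,bob,finance,delivered
2024-05-06T09:00:00,carol,finance,delivered
2024-05-06T09:00:00,dave,engineering,delivered
2024-05-06T09:00:00,erin,engineering,delivered
2024-05-06T09:02:00,bob,finance,reported
2024-05-06T09:04:10,alice,finance,clicked
2024-05-06T09:05:30,alice,finance,submitted_credentials
2024-05-06T09:06:00,alice,finance,approved_mfa
2024-05-06T09:07:45,alice,finance,reported
2024-05-06T09:10:00,dave,engineering,reported
2024-05-06T09:30:00,carol,finance,clicked
2024-05-06T10:00:00,erin,engineering,clicked
2024-05-06T10:01:00,erin,engineering,submitted_credentials
"""

STAGES = ("clicked", "submitted_credentials", "approved_mfa", "reported")


def parse_log(text):
    """Return {user: {"department": str, "events": {event: first_timestamp}}}."""
    users = {}
    for line in text.strip().splitlines():
        ts, user, dept, event = line.split(",")
        when = datetime.fromisoformat(ts)
        rec = users.setdefault(user, {"department": dept, "events": {}})
        # Keep only the earliest occurrence of each event per user, so repeat
        # clicks by one person do not inflate the cohort's rate.
        if event not in rec["events"] or when < rec["events"][event]:
            rec["events"][event] = when
    return users


def cohort_metrics(users):
    """Aggregate per-department rates; denominators are delivered users, not clicks."""
    cohorts = defaultdict(lambda: {"delivered": 0, "clickers_who_reported": 0,
                                   "report_delays": [], **{s: 0 for s in STAGES}})
    for rec in users.values():
        ev = rec["events"]
        if "delivered" not in ev:
            continue  # events for someone outside the target population are ignored
        c = cohorts[rec["department"]]
        c["delivered"] += 1
        for stage in STAGES:
            if stage in ev:
                c[stage] += 1
        if "reported" in ev:
            # Time-to-report is measured from delivery, in minutes.
            c["report_delays"].append((ev["reported"] - ev["delivered"]).total_seconds() / 60)
            if "clicked" in ev:
                c["clickers_who_reported"] += 1  # the no-fault metric: clicked, then told you
    result = {}
    for dept, c in cohorts.items():
        n = c["delivered"]
        delays = c["report_delays"]
        result[dept] = {
            "delivered": n,
            "click_rate": c["clicked"] / n,
            "credential_rate": c["submitted_credentials"] / n,
            "mfa_approval_rate": c["approved_mfa"] / n,
            "report_rate": c["reported"] / n,
            "clickers_who_reported": c["clickers_who_reported"],
            "median_minutes_to_report": median(delays) if delays else None,
            "first_report_minutes": min(delays) if delays else None,
        }
    return result


if __name__ == "__main__":
    for dept, m in sorted(cohort_metrics(parse_log(SAMPLE_LOG)).items()):
        print(dept, m)
```

The "first_report_minutes" value is the one incident responders care about: it is how long the organization ran blind before anyone raised a hand, and it is what a 6-month repeat campaign should show shrinking.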

Culture-First Framing

Reporters are celebrated, clickers are educated, leadership gets the trends. Awareness programs that blame users produce users who hide their mistakes — we explicitly design against that.

Feeder for Red Team

Successful social-engineering access can hand off directly to a red team engagement — a far more realistic kill-chain than a planted foothold.

Social Engineering FAQ

Yes — and we hold ourselves to a strict ethical line. Pretexts cannot exploit personal trauma (no fake bereavement, no fake medical emergency, no fake family crisis). Users who click are educated, not punished. The goal is to harden the organization, not to humiliate individuals.

That's part of what we're testing. Some clients allow-list our infrastructure (to measure the human layer in isolation); others leave the email-security stack engaged (to measure end-to-end). Both are valuable; we'll recommend the right mode for your goals.

Yes, where in-scope. Adversary-in-the-middle (AiTM) proxies like Evilginx capture MFA tokens in real time. Push-bombing and MFA-fatigue attacks bypass user-approved MFA. Both are exactly what real adversaries are doing — Microsoft attributes 6,000+ MFA-fatigue attacks per day to Storm-0539 alone.
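The push-bombing pattern described in this answer is also the easiest of these techniques to spot in identity-provider logs, and a simulation is a good time to confirm the detection fires. The following is an added example written for this page (not Nomad's tooling and not any vendor's log format): it runs a sliding window over a constructed push-MFA event log, flags any user who receives five or more prompts within ten minutes, and marks whether an approval landed during that burst. The log format, action names, users and thresholds are all assumptions.

```python
"""Flag MFA push-bombing bursts in an identity-provider log (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,user,action". Action names are assumed
# labels for push-MFA events as an IdP might export them. jdoe receives seven
# prompts in six minutes at 02:00 and finally approves; asmith shows two
# ordinary daytime logins.
SAMPLE_AUTH_LOG = """\
2024-05-07T02:00:00,jdoe,push_sent
2024-05-07T02:00:40,jdoe,push_sent
2024-05-07T02:00:55,jdoe,push_denied
2024-05-07T02:01:20,jdoe,push_sent
2024-05-07T02:02:00,jdoe,push_sent
2024-05-07T02:02:30,jdoe,push_timeout
2024-05-07T02:03:00,jdoe,push_sent
2024-05-07T02:04:30,jdoe,push_sent
2024-05-07T02:06:00,jdoe,push_sent
2024-05-07T02:07:10,jdoe,push_approved
2024-05-07T09:00:00,asmith,push_sent
2024-05-07T09:00:20,asmith,push_approved
2024-05-07T13:00:00,asmith,push_sent
2024-05-07T13:00:15,asmith,push_approved
"""


def parse_auth_log(text):
    """Parse rows into (timestamp, user, action) tuples in chronological order."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, action))
    events.sort()  # the sliding window below assumes chronological order
    return events


def detect_push_bombing(events, threshold=5, window_minutes=10):
    """Return {user: alert} for users with >= threshold prompts inside one window.

    An approval arriving within window_minutes of the last burst prompt is the
    signal that fatigue succeeded; that session should be treated as compromised
    (revoke tokens, reset the factor), not merely as a noisy user.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # user -> prompt timestamps still inside the window
    alerts = {}
    for ts, user, action in events:
        if action == "push_sent":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:  # evict prompts older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {"burst_start": q[0], "max_prompts": 0,
                                                 "last_burst_prompt": ts,
                                                 "approved_during_burst": False})
                alert["max_prompts"] = max(alert["max_prompts"], len(q))
                alert["last_burst_prompt"] = ts
        elif action == "push_approved" and user in alerts:
            if ts - alerts[user]["last_burst_prompt"] <= window:
                alerts[user]["approved_during_burst"] = True
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_bombing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(user, alert)
```

Tune the threshold against your own baseline of legitimate prompts per user per window before relying on it; a help desk that triggers resets on a user's behalf can look like a burst, and those cases are exactly the ones a vishing simulation will also exercise.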

Phishing-only: 2–3 weeks (1 week setup, 1 week execution, 1 week reporting). Multi-vector with vishing and smishing: 3–5 weeks. Full social-engineering campaigns paired with red team handoff: 6–10 weeks.

Yes. Reports map to PCI DSS 12.6 (security awareness program effectiveness), HIPAA 164.308(a)(5) (security awareness and training), SOC 2 CC1.4, and ISO 27001 A.7.2.2. Many cyber-insurance carriers also ask for evidence of phishing-simulation testing — we provide carrier-ready documentation.

Find Out What Your Awareness Training Actually Bought You

Real phishing, real vishing, real metrics — ethically conducted by senior operators.

Scope a Campaign