Purpose ‐ The purpose of this paper is to investigate the level of susceptibility to social engineering amongst staff within a cooperating organisation.

Design/methodology/approach ‐ An e-mail-based experiment was conducted, in which 152 staff members were sent a message asking them to follow a link to an external web site and install a claimed software update. The message utilised a number of social engineering techniques, but was also designed to convey signs of a deception in order to alert security-aware users. The external web site, to which the link was pointing, was intentionally badly designed in the hope of raising the users' suspicions and preventing them from proceeding with the software installation.

Findings ‐ In spite of a short window of operation for the experiment, the results revealed that 23 per cent of recipients were fooled by the attack, suggesting that many users lack a baseline level of security awareness that is useful to protect them online.

Research limitations/implications ‐ After running for approximately 3.5 h, the experiment was ceased, after a request from the organisation's IT department. Thus, the correct percentage of unique visits is likely to have been higher. Also, the mailings were sent towards the end of a working day, thus limiting the number of people who got to read and respond to the message before the experiment was ended.

Practical implications ‐ Despite its limitations, the experiment clearly revealed a significant level of vulnerability to social engineering attacks. As a consequence, the need to raise user awareness of social engineering and the related techniques is crucial.

Originality/value ‐ This paper provides further evidence of users' susceptibility to the problems, by presenting the results of an e-mail-based social engineering study that was conducted amongst staff within a cooperating organisation.