Social Engineering Pentest Methodology
What is an SE Campaign?
A Social Engineering Campaign is a security assessment designed to test how vulnerable an organization is to manipulation-based attacks that target human behavior rather than technical vulnerabilities. These campaigns mimic real-world scenarios in which attackers use psychological tactics to trick employees into divulging sensitive information, granting unauthorized access, or performing actions that compromise the organization's security.
1 | Reconnaissance phase
In this initial phase, we gather information about the target organization and its employees to craft realistic and effective social engineering attacks.
- Open-Source Intelligence (OSINT) Gathering
We collect publicly available information from social media profiles, company websites, and professional networks (e.g., LinkedIn) to identify high-value targets and internal structures.
- Employee List Compilation
Based on the OSINT data, we compile a list of employees to target during the campaigns, prioritizing those in positions with access to sensitive information (e.g., HR, IT, finance).
- Email and Phone Harvesting
We collect the targets' contact details, including email addresses and phone numbers, for use in the phishing, vishing, and smishing campaigns.
In most cases, the client supplies the list of in-scope targets (optionally including phone numbers, email addresses, and roles) during the initial scoping conversation, and the campaigns stay within that agreed list.
2 | Campaign Planning
We design the social engineering campaigns tailored to the specific attack vectors (phishing, vishing, smishing) and the organization's context:
- Phishing
We craft targeted emails designed to lure users into clicking malicious links, downloading malware or unknown files, or submitting sensitive information (credentials, personal data). This could include:
Spear Phishing: Personalized emails aimed at high-value targets with specific and convincing content.
Clone Phishing: Emails that replicate legitimate communications but contain malicious links or attachments.
- Vishing (Voice Phishing)
We develop scripts and scenarios to perform targeted calls, posing as legitimate entities (e.g., tech support, HR) to manipulate users into revealing confidential information or taking certain actions.
- Smishing (SMS Phishing)
We prepare text messages containing malicious links or requests for sensitive information. These messages appear to come from trusted sources, such as internal departments or service providers.
3 | Execution phase
In this phase, we execute the campaigns, simulating real-world social engineering attacks:
- Phishing Campaign
> Email Distribution: We send phishing emails to the target list, using carefully crafted content to elicit clicks, downloads, or credential submission.
> Tracking & Monitoring: We track user interactions, such as email opens, link clicks, and form submissions, to measure how many users fall victim to the attack.
- Vishing Campaign
> Phone Calls: We initiate calls to the target list, using pre-planned scripts to manipulate users into providing sensitive data or allowing access to systems.
> Call Monitoring: We record the success rate of vishing attempts by noting how many targets divulge information or follow the attacker's instructions.
- Smishing Campaign
> SMS Distribution: We send carefully tailored text messages to the target list, including malicious links or requests for personal information.
> Interaction Tracking: We monitor responses, clicks on links, and any sensitive data provided by the target via SMS.
4 | Analysis and Reporting phase
After the campaigns are executed, we analyze the results to assess how vulnerable the organization and its employees are to social engineering attacks:
- Vulnerability Identification
We categorize employees and departments based on their susceptibility to phishing, vishing, or smishing attacks.
Phishing Analysis: We review the number of users who interacted with phishing emails, clicked links, or submitted credentials.
Vishing Analysis: We assess how many employees revealed sensitive information or followed the attacker's instructions during vishing calls.
Smishing Analysis: We evaluate how many users interacted with smishing texts, clicking on malicious links or sharing confidential information.
- Behavioral Insights
We identify common patterns or vulnerabilities, such as weak password practices, lack of awareness around security protocols, or tendencies to trust unfamiliar communication.
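As an added illustration of the tracking and analysis steps above (example code, not part of the original methodology page), the following Python shows how clicks and submissions are attributed back to individual targets and rolled up into a per-department susceptibility funnel. Each phishing link carries a per-target HMAC token so the landing page can attribute a hit without exposing the target's identity in the URL; the campaign secret, the target list and the event log are constructed for the example, and the landing URL is hypothetical.

```python
import hashlib
import hmac

# Hypothetical per-engagement secret; generate a fresh one per campaign and
# keep it with the engagement records so tokens can be resolved later.
CAMPAIGN_SECRET = b"example-engagement-secret-not-for-reuse"

# Constructed target list (fictitious people), as agreed in scoping.
TARGETS = [
    {"id": "t001", "email": "a.finance@example.test", "dept": "Finance"},
    {"id": "t002", "email": "b.finance@example.test", "dept": "Finance"},
    {"id": "t003", "email": "c.it@example.test", "dept": "IT"},
    {"id": "t004", "email": "d.it@example.test", "dept": "IT"},
    {"id": "t005", "email": "e.hr@example.test", "dept": "HR"},
    {"id": "t006", "email": "f.hr@example.test", "dept": "HR"},
]

# Funnel stages in increasing order of severity.
STAGE_RANK = {"open": 1, "click": 2, "submit": 3}


def tracking_token(target_id: str, secret: bytes = CAMPAIGN_SECRET) -> str:
    """Opaque token embedded in each target's link, e.g.
    https://landing.example.test/?t=<token> (hypothetical landing page).

    An HMAC over the target id carries no PII, cannot be derived from another
    target's token, and cannot be forged without the campaign secret.
    """
    return hmac.new(secret, target_id.encode(), hashlib.sha256).hexdigest()[:16]


def build_token_index(targets):
    """Map token -> target so landing-page and mail-server logs can be attributed."""
    return {tracking_token(t["id"]): t for t in targets}


# Constructed event log as the tracking infrastructure would record it:
# (action, token). Tokens are derived here so the sample stays consistent.
EVENTS = [
    ("open", tracking_token("t001")),
    ("click", tracking_token("t001")),
    ("submit", tracking_token("t001")),
    ("click", tracking_token("t002")),   # no "open": mail client blocked the pixel
    ("open", tracking_token("t003")),
    ("click", tracking_token("t004")),
    ("click", tracking_token("t004")),   # repeat click, must not double count
    ("click", "0000000000000000"),       # unknown token: scanner noise or tampering
    ("open", tracking_token("t005")),
    ("click", tracking_token("t005")),
    ("submit", tracking_token("t005")),
    # t006 never interacted
]


def furthest_stage_per_target(events, token_index):
    """Attribute events to targets and keep the furthest funnel stage each reached.

    Unknown tokens and unknown actions are dropped rather than counted, so
    link-scanner hits on mangled URLs do not inflate the results.
    """
    reached = {}
    for action, token in events:
        target = token_index.get(token)
        if target is None or action not in STAGE_RANK:
            continue
        tid = target["id"]
        reached[tid] = max(reached.get(tid, 0), STAGE_RANK[action])
    return reached


def department_funnel(targets, events):
    """Per-department counts of targets that reached at least each stage.

    Counts are cumulative on the furthest stage rather than on raw event
    types: a click proves the mail was opened even when no pixel fired,
    and one target counts once per stage however many times they clicked.
    """
    reached = furthest_stage_per_target(events, build_token_index(targets))
    funnel = {}
    for t in targets:
        row = funnel.setdefault(
            t["dept"], {"sent": 0, "opened": 0, "clicked": 0, "submitted": 0}
        )
        row["sent"] += 1
        stage = reached.get(t["id"], 0)
        if stage >= STAGE_RANK["open"]:
            row["opened"] += 1
        if stage >= STAGE_RANK["click"]:
            row["clicked"] += 1
        if stage >= STAGE_RANK["submit"]:
            row["submitted"] += 1
    return funnel


def rank_departments(funnel):
    """Most susceptible first: by credential-submission rate, then click rate."""
    def key(dept):
        row = funnel[dept]
        return (row["submitted"] / row["sent"], row["clicked"] / row["sent"])
    return sorted(funnel, key=key, reverse=True)


if __name__ == "__main__":
    funnel = department_funnel(TARGETS, EVENTS)
    for dept in rank_departments(funnel):
        row = funnel[dept]
        print(f"{dept:8} sent={row['sent']} opened={row['opened']} "
              f"clicked={row['clicked']} submitted={row['submitted']}")
```

The same per-target attribution applies to smishing links; vishing outcomes are recorded per call by the operator and can be mapped onto the same stages (information divulged corresponds to "submit"). Reporting the furthest stage per target, rather than raw hit counts, is what keeps open-pixel blocking, repeat clicks and mail-gateway link scanning from distorting the susceptibility figures.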
This assessment examines the widest and most commonly exploited attack surface in every organization: its employees. It demonstrates the business impact a real malicious actor could cause, and it provides starting points and direction for corrective security awareness training.