
Social Engineering Penetration Testing: Attacks, Methods, And Steps

There are many different methods for performing a penetration test, which evaluates the security posture of a company, but in this article, we are going to focus on one: social engineering.


Social engineering penetration testing focuses on people and processes and the vulnerabilities associated with them. These pen tests typically consist of an ethical hacker conducting different social engineering attacks such as phishing, USB drops, or impersonation that a person could face during the course of their work. The goal of this test is to identify weaknesses in a person, group of people, or process and identify vulnerabilities with a clear path to remediation.


In this article, we will discuss what a social engineering attack is, why companies should perform these tests, common methods used to deploy social engineering attacks, and how to perform a social engineering penetration test.



What Are Social Engineering Attacks?


Social engineering attacks come in a variety of forms, but the most common are phishing, vishing, smishing, impersonation, dumpster diving, USB drops, and tailgating.




Phishing


Phishing is a method that occurs via email and attempts to trick the user into giving up sensitive information or opening a malicious file that can infect their machine.




Vishing


Vishing is similar to phishing but occurs via phone calls. These phone calls attempt to trick the user into giving up sensitive information.




Smishing


Smishing is similar to phishing but occurs via SMS text messages. These text messages have the same intent as phishing.




Impersonation


Impersonation is a method where the attacker attempts to fool a person into believing they are someone else.


For example, an attacker could impersonate an executive with the goal of convincing employees to provide financial payments to fictitious vendors or to grant access to confidential information.


An impersonation attack could also target a user with the goal of gaining access to their account. This could be accomplished by requesting a password reset without the administrator verifying their identity.


Another example of this attack would be pretending to be a delivery person. In some cases, delivery personnel face few restrictions and can gain access to secure areas without question.


Dumpster Diving


Dumpster diving is a method where an attacker goes through not only trash but other items in plain sight, such as sticky notes and calendars, to gain useful information about a person or organization.


USB Drops


USB drops are a method that uses malicious USB drives dropped in common areas throughout a workspace. The USB drives typically contain software that, when plugged in, installs malicious software that can provide a backdoor into a system or exfiltrate files with common file extensions.




Tailgating


Tailgating is a method that is used to bypass physical security measures. You typically see this method used in locations that require a person to scan a key fob to gain entrance.


In this type of attack, the attacker will follow closely behind an employee and enter the room when they scan their key fob and open the door.


Why Should You Perform A Social Engineering Test?


Users are commonly referred to as the “weakest link” when it comes to security, yet users still have more than the necessary permissions to perform their jobs.


So it would only make sense to pen test those users. These pen tests can show who within a company is susceptible to the attacks previously discussed and more.


Social engineering pen tests are typically done in a hybrid fashion combining on-site and off-site tests.


On-site Tests


On-site tests are used to test the physical security of a building and the policies in place, like a clean workstation policy.


The typical methods of attack you would use for an on-site test are:


  • Impersonation
  • Dumpster Diving
  • USB drops
  • Tailgating


Off-site Tests


Off-site tests are used to test users’ security awareness during their normal day. During this type of test, the pen tester will research the company and use information that is publicly available to test the company.


These tests are conducted remotely and commonly consist of the following attacks:


  • Vishing
  • Phishing
  • Smishing


Methods Used To Perform Social Engineering Attacks


There are three main methods used to perform a social engineering attack: information gathering, victim selection, and engagement with victims.


Information Gathering


Before testing a target, you need to become familiar with them. To do this, you need to collect as much publicly available information about the target as possible.


It doesn’t make sense to test a target with medical phishing attacks when the target is a financial company.


You can gain information about a target in numerous ways, but the most common social engineering methods are active and passive reconnaissance and open-source intelligence (OSINT).


Active reconnaissance


Active reconnaissance is an attempt to gain information about a target while engaging with the target. This could be by calling the target and impersonating someone else to gain information or could be more subtle by conducting port scans.


Passive Reconnaissance


When an attacker is conducting passive reconnaissance, they often turn to popular social media sites like Facebook or LinkedIn. This is a great way to quickly gain general information about the target in search of a threat vector.


For example, an attacker could use information of a planned vacation posted on Facebook to know when you’ll be out of town. Once gone, they could search your home for ways to access the company’s network.


Next to being free, one of the main advantages of passive reconnaissance is that the attacker does not have to interact with the target to collect information, thereby reducing the risk of being detected.


Open-Source Intelligence (OSINT)


Open-source intelligence (OSINT) refers to the type of data that has been collected.




OSINT data is data that has been collected from publicly available sources and is deemed “open”.


Thinking back to passive reconnaissance, passive is the method by which the data was collected, and OSINT is the type of data that was collected.


Victim Selection


In order to perform a successful test, you need to select your “victims” carefully. You will want to choose victims, or groups of victims, that are easily tricked.


These typically consist of:


  • Employees who are less aware
  • Mistreated employees
  • Recently fired employees


You may be wondering how you would identify employees in each of these categories. Websites like Glassdoor are an excellent source.


Glassdoor allows current and former employees to review the company and leave comments about their experience, pay, and benefits.


From these reviews, you can easily identify people who may be less aware and more willing to share information about the company.


You would be surprised how money can influence an employee’s loyalty, especially if they feel they are underpaid or undervalued.


Engagement With Victims


This is the step where you will begin engaging with your victims. Once you have identified your victims, begin planning out the methods of attack that will work best against each person or group of people.


To plan accordingly, you may need to do more targeted active and passive reconnaissance.


Again, the goal here is to collect as much data about people as possible without triggering any alarms. You do not want to tip your hand and reveal to the person that an attack or test might be looming.


Steps To Performing A Social Engineering Penetration Test


There are four main steps to performing a social engineering penetration test: test planning and scoping, attack vector identification, penetration attempts, and reporting.


Step 1: Test Planning And Scoping


This step is, in my opinion, the most important step during the penetration test. During this step, you will identify what is in scope and how the test will be performed.


This typically requires a meeting between management and the personnel performing the test. One thing to keep in mind is that you want to keep the number of people involved in this meeting to a minimum, to limit the number of people who know about the test.


You want the test to be as accurate as possible, and to do this you need to minimize awareness of the test.


While scoping out the test you will want to include all methods and attacks that you plan to use. For example, if you want to tailgate or impersonate employees or delivery personnel, that needs to be in the scope.


From the scope, you will be able to write a clear contract that is agreed on by all parties involved. The contract is key to a penetration test.


This is your proof that you have gained permission to perform the tests and can, in some cases, help keep you out of jail.


Step 2: Attack Vector Identification


After you have scoped out the pen test you should have a clearly defined contract for what and who you are allowed to test.


This step of the pen test will involve the tester identifying all of the methods that they will use during the test.


These methods should also be linked to certain users and groups. For example:


  • Security guards will be tested using impersonation tests. This test will include impersonating an Amazon delivery person making a delivery to an employee in IT.
  • Security guards will be tested using a tailgating test. This test will involve the tester closely monitoring employees as they enter the building and entering the building, or secure area, while a high volume of people are entering.
  • Personnel in accounting will be tested using a phishing test. This test will involve sending an accountant a phishing email that spoofs the Chief Executive Officer and requests the last month’s expense report for review.
  • An employee in IT will be tested using an impersonation test. This test will involve a member of the pen test team requesting a password reset for an employee in the accounts receivable department.


Listing out the attack vectors like I did above not only helps steer the pen test but also gives management a clear understanding of the steps you took to test the company.
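The accounting phishing vector above relies on a message that looks like it comes from the CEO. One control the report can recommend is a mail-gateway check for display-name impersonation. The following is an added example, not PurpleSec's code; the executive list, the organization's domain and the sample message are constructed for illustration.

```python
"""Flag inbound mail whose display name impersonates an executive.

Added example for the CEO-spoofing phishing test described above; it is not
PurpleSec's code. ORG_DOMAIN, EXECUTIVES and SAMPLE are constructed values.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                          # assumed company mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed: display name -> real mailbox


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(raw_message: str) -> list[str]:
    """Return impersonation signals found in a raw RFC 822 message.

    An empty list means no signal fired; each string describes one finding.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    display_key = " ".join(display.split()).lower()
    findings = []
    if display_key in EXECUTIVES:
        # Display name matches an executive, but the mailbox is not theirs.
        if addr.lower() != EXECUTIVES[display_key]:
            findings.append(f"display name '{display}' used with {addr}")
        # Executive mail should originate from the organization's own domain.
        if domain_of(addr) != ORG_DOMAIN:
            findings.append(f"sender domain {domain_of(addr)!r} is external")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain_of(addr):
        # Replies are steered to a different domain than the visible sender.
        findings.append(f"Reply-To {reply_addr} diverts replies off-domain")
    return findings


# Constructed sample reproducing the accounting phishing scenario.
SAMPLE = """\
From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.office@reply-drop.net
To: accounting@example.com
Subject: Expense report review

Please send me last month's expense report for review.
"""

if __name__ == "__main__":
    for finding in impersonation_findings(SAMPLE):
        print("FINDING:", finding)
```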


Each test can be scored based on how well the users respond, and the individual scores contribute to the overall final score of the penetration test.


Step 3: Penetration Attempts


During this step of the pen test, the tester will take all of the listed attack vectors from the previous step and execute those tests.


Documentation is key in this step as these tests will later become supporting evidence for the report.


The types of evidence you should collect are:


Recorded Phone Calls


These phone calls are important because there is no other method for documenting that this attack occurred and showing its outcome.


Emails From Phishing Attacks


These emails are important because they can show how far a user allowed the attack to go before catching it. In some cases, users don’t catch on until after they have given up sensitive information.

Documentation Found While Dumpster Diving


This type of documentation should include scans of the documents found and even pictures of where the documents were found, if appropriate.


Along with the evidence, the tester should include the start and end time for each test, the name of the person conducting the test, and the name of the employee(s) being tested.


Step 4: Reporting


The reporting step of a pen test is where you bring all of the results together. While writing the report, remember who your audience is.


In most cases, the audience is senior management and your report should speak to them. Make sure to address all of their initial concerns discussed at the inception of the test as well as all of the vulnerabilities you found during the test.


In the report, you should not only mention the vulnerabilities found, but you should also provide recommendations for how to mitigate the vulnerabilities.


A typical pen testing report consists of:


  1. An executive summary
  2. A walkthrough of technical risks found
  3. The potential impact of the vulnerabilities found
  4. The remediation options available for each vulnerability found
  5. Your concluding thoughts on the pen test


Vulnerability Elimination


Depending on your relationship with the company, or the contract you have agreed to, the final step of the pen test is eliminating the vulnerabilities found during the test. In my experience, I have seen this accomplished in numerous ways.


The most common way is through a “test, remediate, retest, and repeat as necessary” method.


First, the test is conducted and all vulnerabilities found are reported to management with remediation options.


Next, the company is allotted a set amount of time to mitigate these vulnerabilities before another test is conducted.


Then, depending on the outcome of the next test, the penetration test is either closed or repeated until the company decides to accept the remaining risks or the test meets or exceeds a predefined score.


Closing thoughts


Social engineering penetration tests can be a great way for a company to test the security posture of the weakest link in its organization’s technical areas. These pen tests can be conducted by either an internal auditing team or an external company that specializes in penetration testing.


Both have their pros and cons: internal teams save money but do not provide an unbiased opinion, whereas external companies provide an unbiased opinion but are more expensive.


Either way, the company requesting the test should do its due diligence and verify that the company or team performing the test holds the proper industry certifications, such as the Certified Ethical Hacker (CEH), to provide legitimacy and value to the test.



Aaron Bond, CISSP, Security+, MCSA

Aaron is a security analyst with over 9 years of IT experience. His experience began serving in the US Military where he served in roles such as network and system administration, as well as teaching IT school for junior sailors. Aaron now serves as a security analyst for a shared services company supporting the healthcare industry.
