Social engineering penetration testing evaluates the most consistently exploited attack surface in any organization: its people. Technical controls — firewalls, EDR, SIEM, network segmentation — can all be circumvented when an attacker can convince an employee to click a link, share credentials over the phone, or hold a door open. A comprehensive social engineering assessment tests and measures these vulnerabilities with the same rigor applied to technical security testing.
Legal Requirements: Authorization Before Everything
Social engineering testing carries higher legal and ethical risk than technical penetration testing. Before any campaign begins, a written authorization letter must be in place that explicitly defines:
- The scope of the engagement (which techniques are authorized: phishing, vishing, physical, USB drops)
- The organizational departments and employee groups in scope
- The time window of the engagement
- The contact information of the authorizing executive and a 24/7 emergency stop contact
- Data handling requirements for captured credentials (must be hashed/anonymized, never stored in plaintext)
- Exclusions (e.g., no targeting of specific named individuals, no impersonation of law enforcement)
This authorization letter protects both the testing firm and the employees being tested. It should be reviewed by legal counsel before execution. Any social engineering tester who operates without explicit written authorization is conducting criminal activity under the Computer Fraud and Abuse Act (CFAA) and equivalent state statutes.
Phishing Campaign Methodology
Pretexting and Scenario Design
Effective phishing campaigns are built on credible pretexts — realistic scenarios that motivate the target to take action. The most effective pretexts in 2025-2026 include:
- IT helpdesk credential verification: "Your password expires in 24 hours — click here to reset via the company portal"
- Benefits enrollment: Timed to coincide with actual open enrollment periods based on OSINT about the organization
- Shared document notifications: Microsoft 365 or Google Workspace spoofed notifications for shared files requiring login
- Security alert notifications: "Unusual sign-in activity detected — verify your identity to prevent account lockout"
- Executive impersonation (BEC): Email appearing to come from the CEO requesting urgent wire transfer or gift card purchase approval
Domain Typosquatting and Infrastructure Setup
Phishing infrastructure requires careful setup to avoid triggering email security gateways. Practitioners register lookalike domains (e.g., corp-helpdesk.com for a target company corp.com) with proper SPF, DKIM, and DMARC records configured to pass email authentication checks. Sending domains are "aged" — registered weeks in advance and used to send benign emails — to build reputation with email security services.
Phishing pages are hosted on the registered domain with valid TLS certificates (Let's Encrypt) and designed to match the legitimate login page of the targeted service pixel-for-pixel. GoPhish is the standard open-source campaign management platform, providing tracking pixel injection, credential capture, and per-user event logging.
Tracking Pixel and Click Rate Measurement
Each phishing email contains a unique tracking pixel (a 1x1 image loaded from the campaign server) that records email opens by IP address, user-agent, and timestamp. Click-through to the phishing page is recorded separately, as is credential submission. This granular tracking enables per-department and per-individual analysis without storing actual credentials in plaintext.
Vishing: Voice Phishing Methodology
Vishing (voice phishing) tests the human verification procedures that prevent unauthorized information disclosure over the phone. Common vishing scenarios include:
- Impersonating IT support to extract credentials: "I'm calling from IT — we're seeing an issue with your account. Can you verify your username and current password so I can check the configuration?"
- Impersonating a vendor to extract network information or initiate a callback to an attacker-controlled number
- Impersonating a new employee needing urgent access: "I start tomorrow and my manager said to call IT to get my VPN credentials set up today"
Call recordings (with appropriate legal authorization) provide concrete training material. The metric is the percentage of employees who comply with the requested action without performing identity verification through an out-of-band channel.
Physical Tailgating Tests
Physical social engineering tests the access controls that prevent unauthorized physical entry. A tester dressed as a delivery driver, maintenance technician, or new employee attempts to gain access to controlled areas by following an authorized employee through a secure door (tailgating), presenting a convincing but invalid badge, or exploiting distraction. In NYC office environments, common findings include:
- Lobby reception that admits visitors to elevators without verifying the specific floor or confirming the meeting with the host
- Employees holding secure doors open for anyone carrying boxes or appearing to be a delivery
- Server room or network closet doors propped open during maintenance windows
- Clean desk policy violations — passwords written on sticky notes, sensitive documents left on printers
Measuring Results and Training ROI
The primary output metrics for phishing simulation are:
- Click rate: Percentage of recipients who clicked the phishing link
- Credential submission rate: Percentage who entered credentials on the phishing page
- Report rate: Percentage who correctly reported the phishing email to IT security
These metrics vary significantly by department. Finance and operations teams typically show higher click rates due to high email volume and urgency-driven workflows. Engineering teams tend to show lower rates due to technical literacy. Departmental breakdown enables targeted training investment.
The most important metric is the trend over time. Phishing simulations work best as a measurement and targeting tool to find which teams and lures carry the most risk; effectiveness varies by design and frequency, so pair them with technical controls like email authentication, MFA, and one-click reporting rather than relying on training alone. Security awareness training ROI has been quantified by multiple research firms — KnowBe4's 2024 Phishing by Industry Benchmarking Report found the average Phish-prone Percentage (the share of employees who fail a simulated phishing test) fell from a 34.3% baseline to 4.6% after 12 months of combined training and simulated phishing. The cost of security awareness training is orders of magnitude lower than the cost of a successful phishing-initiated breach.
Fortress MSSP's penetration testing practice includes social engineering assessments as a standalone service or as a component of broader red team engagements. Contact us to design a social engineering assessment program for your organization.