Your Guide to Social Engineering Security Testing
- Who Will Benefit From This Guide?
- What Are Social Engineering Attacks?
- Types of Social Engineering Attacks
- Phishing
- Spear Phishing and Whaling
- Baiting (e.g., USB Keydrops)
- Vishing, Quishing, Smishing, and More
- Tailgating for Physical Access
- The Psychology Behind Social Engineering Attacks
- Examples of Real World Social Engineering Attacks
- Social Engineering Case Study: Scattered Spider
- Social Engineering Case Study: Lapsus$
- Key Statistics About Social Engineering Attacks
- Combating Social Engineering Threats
- What Risks Do Social Engineering Assessments Address?
- Social Engineering and Ransomware
- The Primary Objectives of a Social Engineering Engagement
- Why Do Organizations Need Social Engineering Assessments?
- Assessments Are Encouraged By Top Industry Standards
- Special Considerations for Social Engineering Targets
- The Benefits of 100% Tester-Driven Social Engineering
- Why Choose Packetlabs For Your Social Engineering Engagement
Social Engineering is consistently reported as the most common initial access vector in ransomware attacks and one of the biggest threats to enterprise cybersecurity. IBM's X-Force Threat Intelligence Index identified phishing as the most common initial infection vector, present in 41% of the incidents it analyzed, and Sophos' The State of Ransomware 2024 report ranked malicious email and phishing as the root cause of 34% of ransomware breaches.
These findings place enormous focus on the "human factor" of cybersecurity. Given the high risk, a pressing question emerges: how do cyber leaders best tackle people-centric security challenges?
Our ethical hackers have compiled a comprehensive guide to Social Engineering security assessments that describes how they differ from other types of security assessments. The takeaway: a solid understanding of Social Engineering as a cybersecurity threat, how Social Engineering assessments address this threat, and what to expect from an engagement that focuses on assessing your organization's resilience to Social Engineering.
Who Will Benefit From This Guide?
C-level executives that deal with IT security (CISOs/CSOs/VP of security)
Other high-level management (CEO/Business Owner/ Business Executive)
Managed Service Providers (MSP)
Cybersecurity Architects
What Are Social Engineering Attacks?
At their core, Social Engineering attacks manipulate people into taking some action on behalf of an adversary. Social Engineering is often referred to as "human hacking" because the process uses psychological manipulation to exploit human weakness, treating the victim's behavior as a vulnerability in the same way hackers exploit technology.
Psychological manipulation began long before the digital age. In the modern context, it can be conducted covertly and at scale from remote locations that are difficult to trace. However, while Social Engineering presents very low risk to the perpetrator, it can have an immensely negative impact on an organization's security.
Modern Social Engineering attacks generally focus on tricking people into:
Visiting attacker-controlled phishing websites that spoof well-known brands such as Microsoft or Google
Opening files with malicious content designed to install malware
Sharing sensitive information directly with unauthorized individuals
Executing malicious shell commands or scripts to install malware
Mistakenly sending money to criminals under a false pretense
Making other mistakes that compromise security
The consequences of all these actions are the same: unauthorized access to valuable digital assets, or to sensitive information that can be leveraged to significantly harm an organization.
Types of Social Engineering Attacks
Social Engineering is one of the broadest attack categories, with a practically inexhaustible list of techniques. New techniques emerge whenever adversaries find novel ways to turn technology against a victim; as technologies and business processes evolve, so do Social Engineering attack techniques.
Here are the most common Social Engineering techniques:
Phishing
Phishing involves sending deceptive messages that appear to come from a legitimate source; when the payload is malware rather than a credential-harvesting link, the same traffic is often called malspam. The most often spoofed senders are banks and other financial institutions, online retailers, social networking apps, government agencies, and delivery services, since they seem legitimate, get the target's attention, and invoke a sense of urgency. Phishing messages usually attempt to trick recipients into clicking on malicious links, downloading harmful attachments, or providing sensitive information such as login credentials, financial details, or personal data.
From a technical perspective, Packetlabs uses a technique known as Direct Mail Injection (DMI) to conduct simulated phishing campaigns. DMI uses enterprise email platform APIs (Microsoft 365 and Google Workspace) to place messages directly into users' mailboxes, bypassing the normal SMTP delivery path and the spam filters on it. This makes campaigns targeted and reliable, and allows for enhanced analytics and more intensive assessments. One caveat to keep in mind: because DMI bypasses the mail gateway, it measures how people respond to a message that has already reached their inbox; the gateway and its filtering rules should be assessed separately, for example by sending the same lures over SMTP from an external domain.
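The indicators described above (spoofed brand names, urgency in the subject, links whose visible text differs from their target, and failed sender authentication) can be checked mechanically when triaging a reported message. The script below is an added example and not Packetlabs tooling; the sample message, the indicator list and the scoring (one point per indicator) are assumptions made for illustration.

```python
"""Triage a raw email (.eml) for common phishing indicators.

Added example, not Packetlabs code. SAMPLE_EML is a constructed message;
the indicators and the one-point-per-indicator score are assumptions.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name spoofs a brand, Reply-To and Return-Path
# point elsewhere, authentication fails, and the link text hides a bare IP.
SAMPLE_EML = b"""From: "Microsoft Account Team" <security@micros0ft-login.example>
Reply-To: collect@attacker.example
Return-Path: <bounce@bulk-sender.example>
Subject: Action required: your account will be locked in 24 hours
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=micros0ft-login.example
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be locked in 24 hours unless you verify now.</p>
<a href="http://198.51.100.23/verify">https://login.microsoftonline.com/</a>
</body></html>
"""

URGENCY_TERMS = ("action required", "locked", "suspended", "24 hours", "verify", "immediately")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_header):
    """Lower-case domain part of an address header, or '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def _is_ip_host(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host or "") is not None


def triage(raw):
    """Return the From domain, a list of indicator strings and a score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []
    from_dom = _domain(msg["From"])

    # Reply-To / Return-Path pointing at a different domain than From
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(msg[hdr])
        if dom and dom != from_dom:
            indicators.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # Sender authentication results recorded by the receiving MTA
    auth = (msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{check}=(\w+)", auth)
        if m and m.group(1) != "pass":
            indicators.append(f"{check} result is {m.group(1)}")

    # Fear/urgency language in the subject line
    subject = (msg["Subject"] or "").lower()
    hits = [t for t in URGENCY_TERMS if t in subject]
    if hits:
        indicators.append("urgency language in subject: " + ", ".join(hits))

    # Links whose visible text is a URL on a different host, or a bare IP target
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            if text.lower().startswith(("http://", "https://")):
                text_host = urlparse(text).hostname or ""
                if text_host and text_host != href_host:
                    indicators.append(f"link text shows {text_host} but points to {href_host}")
            if _is_ip_host(href_host):
                indicators.append(f"link target is a bare IP address: {href_host}")

    return {"from_domain": from_dom, "indicators": indicators, "score": len(indicators)}


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["indicators"]:
        print("-", line)
```

Run against the constructed message, `triage()` returns eight indicators; a score threshold for escalation is a per-organization decision, and the Authentication-Results header is only trustworthy when it was added by your own mail gateway.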
Spear Phishing and Whaling
Spear phishing is a more targeted form of phishing. Unlike regular phishing campaigns that target a general audience, spear phishing focuses on specific individuals or organizations. When these attacks target executive members of an organization, the term "whaling" is used.
Attackers first conduct reconnaissance to gather information about their targets, then craft highly personalized and convincing messages. These messages may reference specific roles, colleagues, or projects, making them harder to detect as fraudulent.
Baiting (e.g., USB Keydrops)
Baiting exploits human curiosity by offering something enticing, like USB drives, DVDs, or promotional items, that are infected with malware. For example, an attacker might leave a USB drive in a common area, knowing a curious individual will plug it into a company computer to learn its contents.
Threat actors plant trojanized files with enticing names such as "Confidential Salary Info" that deploy malware when opened. Bait devices can also be more than storage: a USB stick that enumerates as a keyboard can type commands the moment it is plugged in, and some devices carry radio hardware that gives the attacker remote control. Stuxnet went further still, exploiting a flaw in how Windows rendered shortcut (.LNK) icons so that merely browsing the drive's contents executed its payload, without the victim opening any file.
Vishing, Quishing, Smishing, and More
Social Engineering attacks can be executed using virtually any communication medium, both digital and non-digital. Vishing (voice phishing) uses phone calls to manipulate victims into revealing sensitive information, such as banking credentials.
Quishing embeds the malicious link in a QR code, which hides the destination URL from the reader and from email link-scanning, and is typically scanned with a personal phone outside corporate controls; Smishing uses SMS text messages to deceive victims. Attackers continue to innovate, exploiting whatever medium they can to trick individuals into taking harmful actions, demonstrating the adaptable and pervasive nature of Social Engineering.
Tailgating for Physical Access
Tailgating is a technique used to gain unauthorized access to restricted areas by closely following an authorized person. While it can be done covertly, it usually relies on a social pretext.
Attackers may pretend to have forgotten their access badge, be late for a critical meeting with a senior manager, or use another context to generate urgency or sympathy. An unsuspecting employee, wanting to be helpful, holds the door open—unintentionally allowing an unauthorized individual to enter the premises.
The Psychology Behind Social Engineering Attacks
People are swayed by social factors that evoke core emotions such as fear and desire. By crafting attacks designed to exploit natural psychological forces, attackers provoke their target to act impulsively—clicking a link or executable file, or providing sensitive information—before their logical brain can assess the potential risk effectively. Social Engineering attacks can leverage positive emotions as well. An individual's hidden hopes, eagerness for a great new opportunity, or compassion to help others can trigger impulsive behavior.
The technical presentation of Social Engineering attacks is designed to blend in with normal day-to-day activity and appear innocuous. In fact, Social Engineering messages are often technically indistinguishable from legitimate communication.
The neurological effect that Social Engineering aims for is sometimes called an "amygdala hijack": attackers exploit natural psychological tendencies to bypass rational thinking and caution. The term comes from the way emotional stimuli are processed by the amygdala before the regions of the brain responsible for reasoning and logic have weighed in.
The emotions most commonly exploited by Social Engineering attacks are:
Fear and Urgency: Urgency can provoke impulsive actions, especially when individuals believe negative consequences will follow if they don't act. The fear invoked by COVID-19 led to many successful phishing attacks during the pandemic, and law enforcement and government tax agencies are also powerful pretexts for fear. The words "your account will be locked in 24 hours unless…" serve as a powerful trigger that leads to hurried responses, bypassing proper verification.
Curiosity: An email subject like "Thanks for the photos of you and…" or "What you said last week was…" can spark interest and invoke curiosity, even when the source seems questionable. This natural desire to "find out" can override logical caution, leading to risky behavior.
Stress: Amidst a busy, fast-paced work environment, attention is a scarce commodity. A stressed employee trying to clear their inbox quickly may not read an email carefully enough to notice the details that give it away. MFA fatigue (push bombing) attacks exploit this: an attacker who already holds a valid password triggers login attempt after login attempt, bombarding the target with push notifications until they approve one just to make the prompts stop, which grants the attacker access.
Authority: Many people are inclined to comply with requests from authority figures. Attackers often attempt to exploit this compliance by impersonating trusted entities. Attackers are known to spoof well-known organizations, public figures, or even use the name of their target's known contacts such as boss or team member.
Greed: Offers that seem “too good to be true” exploit opportunism. Promises of lucrative employment, high investment returns, or free rewards entice victims to act without critical evaluation. Similarly, messages from celebrities or industry leaders falsely expressing admiration can invoke pride and trigger impulsive behavior.
Overconfidence: Confidence in one’s ability to detect scams can lead to complacency. Overconfidence may lead potential victims to believe that clicking a malicious link or opening a suspicious file cannot cause harm. This may lead to individuals bypassing rational safeguards.
Examples of Real World Social Engineering Attacks
An email claiming that a rich relative has died and left you a fortune, a stern voicemail warning that your company's critical service account is being frozen over unpaid bills, and a friendly email from a co-worker pointing you to a new mission-critical website for an ongoing project: what do these three scenarios have in common? They are all examples of real world Social Engineering attacks.
The consequences of real world cyber attacks executed via Social Engineering highlight the potential risk. Here are some cases that exemplify the threat:
Social Engineering Case Study: Scattered Spider
Scattered Spider (aka UNC3944) is a highly sophisticated threat actor known for its effective use of social engineering. The group primarily targets telecommunications and IT companies and their partners.
During the campaign tracked by MITRE ATT&CK as C0027, Scattered Spider combined credential phishing and SIM swapping to capture one-time password (OTP) codes and impersonated the victim's IT personnel in SMS and Telegram chats. They then tricked staff into installing remote monitoring and management (RMM) software, gaining remote control of internal corporate systems. Members of the group also conducted vishing attacks that lured victims to credential-harvesting websites. Once inside, Scattered Spider is known to perform internal reconnaissance, move laterally to high-value resources, and monetize the access through ransomware and data theft.
Their victims include Caesars Entertainment, MGM Resorts (where the intrusion began with a phone call to the IT help desk by an attacker impersonating an employee), and Okta, a prominent identity and access management vendor; the group has also been linked to the 2024 compromise of Snowflake customer accounts that exposed data belonging to AT&T, Ticketmaster, and Neiman Marcus, among others. Caesars Entertainment reportedly paid a $15 million ransom to restore its network. Scattered Spider has also worked as an affiliate of ALPHV/BlackCat, a ransomware operation that has extorted over $300 million USD from its victims.
Social Engineering Case Study: Lapsus$
Despite being considered technically unsophisticated, the Lapsus$ cyber crime group has been associated with data theft, extortion, and destructive attacks against government, manufacturing, higher education, energy, healthcare, technology, and media organizations. Lapsus$ is known for persistent social engineering aimed at multi-factor authentication (MFA): help-desk impersonation, SIM swapping, paying insiders for credentials, and MFA push bombing.
In the Rockstar Games hack, Lapsus$ gained access to the company's internal Slack workspace, posed as an employee, and manipulated staff into handing over credentials. In the Uber breach, the attacker combined a contractor's stolen credentials with "MFA fatigue", repeatedly pushing MFA approval requests to the contractor's device until one was accepted, and used that foothold to reach Uber's Slack and internal tools.
In addition to the aforementioned victims, Lapsus$ has breached Cisco, Okta, Nvidia, Samsung, Microsoft, and others. Although ransom payments made to Lapsus$ are not publicly known, significant downtime and destruction of data are well-documented outcomes of their attacks. When a teenage member of Lapsus$ was arrested in 2022, authorities estimated he had accrued $14 million USD from cybercrime.
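The push-bombing pattern described under "Stress" above and in the Uber breach leaves a distinctive trace in MFA logs: a burst of denied or timed-out push prompts for one account, sometimes ending in an approval. The detection logic below is an added example, not Packetlabs tooling; the log format, the sample lines, and the thresholds (four rejected prompts within ten minutes) are assumptions chosen for illustration.

```python
"""Detect MFA fatigue (push bombing) in authentication logs.

Added example, not Packetlabs code. The log format, the sample lines below
and the window/threshold defaults are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<UTC timestamp> <user> <push result> <source IP>"
# alice: bombarded, then approves; bob: one fumbled prompt (normal);
# carol: bombarded, never approves; dave: occasional denials hours apart.
SAMPLE_LOG = """\
2024-09-15T02:41:03Z alice push_denied 203.0.113.9
2024-09-15T02:41:20Z alice push_timeout 203.0.113.9
2024-09-15T02:41:45Z alice push_denied 203.0.113.9
2024-09-15T02:42:10Z alice push_timeout 203.0.113.9
2024-09-15T02:43:02Z alice push_denied 203.0.113.9
2024-09-15T02:45:10Z alice push_approved 203.0.113.9
2024-09-15T08:02:11Z bob push_denied 192.0.2.55
2024-09-15T08:02:40Z bob push_approved 192.0.2.55
2024-09-15T03:10:00Z carol push_denied 203.0.113.9
2024-09-15T03:10:30Z carol push_denied 203.0.113.9
2024-09-15T03:11:05Z carol push_timeout 203.0.113.9
2024-09-15T03:12:00Z carol push_denied 203.0.113.9
2024-09-15T03:13:15Z carol push_timeout 203.0.113.9
2024-09-15T03:14:40Z carol push_denied 203.0.113.9
2024-09-15T09:00:00Z dave push_denied 198.51.100.7
2024-09-15T10:30:00Z dave push_denied 198.51.100.7
2024-09-15T12:00:00Z dave push_denied 198.51.100.7
"""

REJECTED = {"push_denied", "push_timeout"}


def parse_log(text):
    """Parse the sample format into event dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip})
    return events


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """One alert per user who received >= threshold rejected prompts inside a
    sliding window. Severity is 'critical' when an approval followed the burst
    (the user gave in) and 'high' when the bombardment is still unanswered."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in sorted(by_user.items()):
        evs.sort(key=lambda e: e["time"])
        recent = []   # rejected prompts still inside the window
        alert = None
        for ev in evs:
            recent = [r for r in recent if ev["time"] - r["time"] <= window]
            if ev["result"] in REJECTED:
                recent.append(ev)
                if len(recent) >= threshold:
                    if alert is None:
                        alert = {"user": user, "severity": "high", "approved": False,
                                 "prompts": 0, "first": recent[0]["time"], "source_ips": set()}
                    alert["prompts"] = max(alert["prompts"], len(recent))
                    alert["source_ips"].update(r["ip"] for r in recent)
                    alert["last"] = ev["time"]
            elif ev["result"] == "push_approved" and len(recent) >= threshold:
                # An approval right after a burst of rejections: the user gave in.
                # 'alert' is already set, because the burst itself created it.
                alert.update(severity="critical", approved=True,
                             approving_ip=ev["ip"], last=ev["time"])
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{a['severity'].upper():8} {a['user']}: {a['prompts']} rejected prompts "
              f"from {sorted(a['source_ips'])}, approved={a['approved']}")
```

The "critical" alert is the one to act on immediately (revoke the session, reset the password, and talk to the user); the "high" alert means the password is already in an attacker's hands even though MFA held. Number matching or a hardware key removes the approve-to-make-it-stop option entirely.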
Key Statistics About Social Engineering Attacks
Here are some statistics about the impact of Social Engineering attacks on the global cybersecurity landscape:
IBM's X-Force Threat Intelligence Index ranks phishing as the most common infection vector, identified in 41% of incidents
According to the FBI’s IC3 (Internet Crime Complaint Center) Internet Crime Report, phishing is by far the most frequently reported crime type
Between October 2013 and December 2021, BEC attacks resulted in global losses totaling $43 billion, as reported by the FBI
Sophos' The State of Ransomware 2024, implicated malicious email and phishing as the root cause in 34% of ransomware breaches
According to SlashNext’s Phishing Intelligence Report, 2024 saw a 703% increase in credential phishing attacks and 80% of new malicious links (so-called zero-day URLs) evaded traditional filtering tools
Check Point researchers revealed that phishing attacks spoof Microsoft (38%) and Google (11%) more than any other brands
According to CISO Online, 76% of phishing sites are now using HTTPS and 80% are designed with mobile devices in mind making fraudulent sites seem more credible
Each social engineering incident costs the victim approximately $130,000 on average
Combating Social Engineering Threats
Social Engineering assessment is not a "set it and forget it" endeavour. Despite growing investment in anti-phishing controls, financial losses from phishing attacks have surged by 76% since 2022, highlighting the need for more effective approaches. Directly assessing resilience by simulating real world attacks is the most reliable way to gain insight into an organization's risk: without evidence about how personnel behave when confronted with sophisticated Social Engineering ploys, an organization cannot accurately judge its resilience.
Adversaries have access to a host of Social Engineering toolkits, including free open-source tools such as Evilginx, GoPhish, and SET (Social Engineering Toolkit). These tools were built for security testing, but they equally allow attackers to run phishing campaigns at scale, conduct adversary-in-the-middle (AiTM) attacks that proxy the genuine login page and capture the victim's session cookie after MFA has been completed, and harvest credentials from unsuspecting users.
Malware-as-a-service (MaaS) operations run as cybercrime enterprises, building and renting tools on underground markets. Phishing-as-a-service kits supply ready-made credential-harvesting pages and campaign tooling, while malware families such as QakBot, Agent Tesla, and RedLine Stealer give affiliates loaders and infostealers that can be deployed with minimal technical expertise. Since even inexperienced cybercriminals can launch sophisticated Social Engineering campaigns, organizations need to be vigilant and continuously on guard.
Also, merely testing for Social Engineering resilience without actioning on the results does not reliably improve security. Once a Social Engineering engagement is complete, security leaders need to review the outcome data and use it to take decisive action. This may include improving cybersecurity awareness training, implementing new policies, procedures, or communication paths, or adjusting technical controls in response to an assessment's findings.
What Risks Do Social Engineering Assessments Address?
Social Engineering should be recognized as the Swiss Army knife of attack tactics; it can be used to exploit virtually any aspect of an organization. Consider how many processes run within an organization and the scope of techniques that Social Engineering encompasses becomes clear. Social Engineering can result in financial fraud, unauthorized access, malware installation, data theft, physical theft, physical access, privilege escalation, lateral movement, and other negative impacts such as service downtime.
While Social Engineering attacks are a very common tactic for gaining initial access to an otherwise well-defended network, they can also be used to extend an adversary's campaign after unauthorized access has already been gained. Once attackers have a foothold, they can weaponize newfound information. Combatting a wide range of Social Engineering scenarios is therefore critical for building effective defenses.
Social Engineering and Ransomware
Social Engineering is closely linked with successful ransomware attacks, implicated in 34% of ransomware breaches occurring in 2024. Defending against Social Engineering attacks is therefore critical for comprehensive ransomware prevention.
Cyber criminal networks are known to collaborate. Social Engineering specialists known as Initial Access Brokers (IAB), focus on gaining unauthorized initial access. IABs then sell the illicitly gained foothold to ransomware gangs skilled in ransomware deployment and multi-stage extortion. Once inside a network, ransomware gangs can act with lightning precision, in some cases deploying ransomware within minutes. In other cases they prefer a stealthy approach, covertly maintaining persistent access until the right opportunity becomes available.
The Primary Objectives of a Social Engineering Engagement
The primary purpose of a Social Engineering engagement is to enhance an organization's resilience against cyber threats that target human behavior. By simulating real-world attack scenarios, defenders can assess all aspects of their infrastructure, employees, processes, and technical security controls. This can uncover security gaps in an organization's ability to effectively prevent, detect, and respond to both simple Social Engineering attacks and sophisticated ongoing campaigns designed to penetrate an organization and cause harm.
Packetlabs' Social Engineering engagements go beyond surface-level assessments by focusing on key objectives that align with an organization’s unique threat landscape and operational priorities. These engagements ensure that both technical and non-technical aspects of an organization’s defenses are thoroughly evaluated. Achieving these key objectives ensures a comprehensive defense against Social Engineering attacks—one of the most prevalent and persistent attack methods in the modern threat landscape.
Key objectives of a Social Engineering engagement include:
Gain accurate risk visibility: Assess how well employees recognize and respond to phishing emails, voice calls, baiting attempts, and other Social Engineering techniques
Identify process vulnerabilities: Uncover gaps in reporting mechanisms, incident response procedures, and internal communication channels that attackers could exploit
Test technical controls: Validate the effectiveness of safeguards like email filtering, multi-factor authentication (MFA), and endpoint detection solutions in mitigating Social Engineering attacks
Evaluate awareness and resilience: Gain evidence-based, quantitative insight that measures resilience to Social Engineering attacks mimicking real world techniques
Provide actionable recommendations: Deliver insights and practical recommendations to address identified vulnerabilities and improve the organization’s defenses
Verify employee training: Augment cybersecurity awareness efforts with real world Social Engineering experiences to foster a stronger culture of cybersecurity awareness and vigilance
Simulate advanced threat scenarios: Replicate highly targeted attacks, such as spear phishing and whaling, to evaluate resilience against the most sophisticated adversaries
Strengthen regulatory compliance: Help meet awareness and testing requirements set out in standards and regulations such as ISO/IEC 27002, GDPR, or the NIST frameworks
Why Do Organizations Need Social Engineering Assessments?
Social Engineering is widely recognized as the number one entry point into corporate networks and plays a significant role in ransomware risk. Despite significant investments in cybersecurity tools and infrastructure, many organizations still overlook how human behavior affects their security posture. Considering the risk, organizational resilience to sophisticated Social Engineering techniques should be assessed as part of a comprehensive risk mitigation strategy.
Staff may not fully understand how seemingly innocuous actions, such as clicking on a malicious link or executing an untrusted file can grant an attacker remote access. However, ignorance does not change the fact: careless actions can open the door for attackers to compromise systems, steal sensitive data, or initiate a ransomware attack. Educated employees are less likely to serve as the weak point, but their awareness still needs to be put to the test for strong risk assurances. Social Engineering assessments are essential for reinforcing awareness. By simulating advanced Social Engineering scenarios stakeholders can measure their employees' resilience to potential threats before planning next-level mitigation efforts.
Social Engineering assessments can also measure existing security procedures and technical controls. Are internal communication channels effective? Are incident response protocols robust? Are safeguards like multi-factor authentication (MFA) and email filtering functioning as intended? Are there any configuration flaws that allow attackers to easily spoof internal communications?
Assessments Are Encouraged By Top Industry Standards
Social Engineering assessments are often required or strongly encouraged by cybersecurity industry standards as part of broader cybersecurity awareness training, incident response, and risk management efforts.
Here are some examples of cybersecurity industry standards that encourage Social Engineering assessments:
ISO/IEC 27001 and ISO/IEC 27002: ISO/IEC 27001 does not explicitly require Social Engineering assessments, but it does require security awareness training as part of risk treatment. ISO/IEC 27002, the accompanying implementation guidance, addresses the human factor directly, including training employees to recognize and respond to Social Engineering attempts.
NIST Cybersecurity Framework (CSF): Under the "Protect" function (awareness and training) and the "Detect" function, the framework stresses security awareness and threat detection, which are best measured by simulating Social Engineering attacks.
NIST SP 800-53 (Rev. 5): AT-2 (Literacy Training and Awareness) requires training on recognizing and reporting social engineering; its enhancement AT-2(3) names social engineering and social mining explicitly, and AT-2(1) calls for practical exercises that simulate real events. CA-2 (Control Assessments) and CA-8 (Penetration Testing) are the natural places to include Social Engineering assessments as part of a comprehensive security evaluation.
Special Considerations for Social Engineering Targets
Social Engineering assessments may reveal sensitive information about an organization's internal operations. Therefore, Social Engineering engagements require a high degree of trust between the target organization and the testing team. Since Social Engineering assessments involve manipulating human behavior to test security awareness and response, all stakeholders should ensure that ethical boundaries are respected, and employees are not unduly harmed or pressured.
Clear rules of engagement should be established to define acceptable testing methods, scope, and reporting requirements. This includes determining whether pretexting, phishing, baiting, or impersonation techniques are permitted and ensuring compliance with legal and regulatory frameworks.
The Benefits of 100% Tester-Driven Social Engineering
Packetlabs' "100% Tester-Driven Social Engineering" is a methodology in which all aspects of a Social Engineering engagement are conducted manually by skilled testers rather than relying on automated tools or pre-configured scripts. This approach ensures that the simulated attacks are highly customized, realistic, and aligned with the organization's specific environment, industry, and threat landscape. By relying entirely on specialized and experienced professionals, our approach ensures that each and every engagement is in-depth, realistically challenging, and provides a wealth of actionable insights, helping organizations enhance their defenses against evolving threats.
Key features of 100% tester-driven Social Engineering include:
Customization: Testers design attack scenarios tailored to the organization’s workflows, culture, and potential vulnerabilities, ensuring relevance and realism
Adaptable Human Insight: Skilled testers can adjust their tactics dynamically in response to how the target reacts, replicating real world attacks. Testers analyze non-technical factors, such as employee behavior and psychological responses, which are often exploited by real-world attackers
Realistic Threat Emulation: By emulating the techniques used by sophisticated adversaries, such as malspam, spear phishing, vishing (voice phishing), smishing (SMS-based phishing), email spoofing, open relay abuse, pretexting, and unauthorized physical access attempts, testers provide an in-depth assessment of an organization’s resilience
Holistic Approach: Manual testing provides a comprehensive end-to-end evaluation of human, procedural, and technical defenses, going beyond what automated solutions can achieve
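One of the configuration flaws mentioned above, the ability to spoof a domain's email, can be checked before any lure is sent by reading the domain's SPF and DMARC records. The auditor below is an added example, not Packetlabs tooling: no DNS is queried, the records in CONSTRUCTED_DNS stand in for TXT lookups, and the domain names in it are placeholders. Swap `lookup_txt` for a real resolver to run it against your own domains.

```python
"""Audit SPF and DMARC records for settings that make spoofing easy.

Added example, not Packetlabs code. No DNS is queried: CONSTRUCTED_DNS
stands in for TXT lookups and its domains and records are made up.
"""
import re

CONSTRUCTED_DNS = {
    "weak.example": ["v=spf1 a mx ip4:198.51.100.0/24 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "hardened.example": ["v=spf1 mx ip4:198.51.100.10 -all"],
    "_dmarc.hardened.example": ["v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example"],
    "nodmarc.example": ["v=spf1 include:_spf.example.net ~all"],
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation
LOOKUP_TERM = re.compile(r"^[+\-~?]?(?:include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr|exists:|redirect=)")


def lookup_txt(name, dns=CONSTRUCTED_DNS):
    """Stand-in for a DNS TXT query (replace with a real resolver in practice)."""
    return dns.get(name, [])


def check_spf(txt_records):
    """Findings for the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: receivers cannot tell forged envelope senders from real ones"]
    if len(spf) > 1:
        return ["multiple SPF records: evaluation returns permerror, so SPF gives no protection"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    findings = []
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10 (permerror)")
    if any(t.lstrip("+-~?").startswith("ptr") for t in terms):
        findings.append("ptr mechanism is deprecated and unreliable")
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t)]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qual = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qual == "+":
            findings.append("'+all' authorizes every host on the internet to send as this domain")
        elif qual == "?":
            findings.append("'?all' is neutral: unlisted senders neither pass nor fail")
        elif qual == "~":
            findings.append("'~all' softfail: most receivers still deliver unless DMARC enforces")
    return findings


def check_dmarc(txt_records):
    """Findings for the DMARC record, plus the effective policy (None if absent)."""
    rec = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not rec:
        return ["no DMARC record: SPF/DKIM failures are never enforced on the From header"], None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitor only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports, so abuse goes unseen")
    return findings, policy


def audit_domain(domain, dns=CONSTRUCTED_DNS):
    """Combine SPF and DMARC findings into a verdict on whether the domain is spoofable."""
    spf_records = lookup_txt(domain, dns)
    spf_findings = check_spf(spf_records)
    dmarc_findings, policy = check_dmarc(lookup_txt(f"_dmarc.{domain}", dns))
    spf_rec = next((r.lower() for r in spf_records if r.lower().startswith("v=spf1")), "")
    # SPF lets anyone through when it is missing or ends in "+all"/"?all"/"all"
    spf_open = not spf_rec or re.search(r"(?:^|\s)[+?]?all(?:\s|$)", spf_rec) is not None
    return {
        "domain": domain,
        "spf": spf_findings,
        "dmarc": dmarc_findings,
        # Spoofable when nobody enforces alignment, or SPF itself is wide open
        "spoofable": policy in (None, "none") or spf_open,
    }


if __name__ == "__main__":
    for name in ("weak.example", "hardened.example", "nodmarc.example"):
        print(audit_domain(name))
```

A domain that comes back `spoofable` is one where a tester (or an attacker) can put the organization's own domain in the From header and expect delivery; DKIM signing is still needed alongside SPF for DMARC alignment on forwarded mail, which this check does not evaluate.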
Why Choose Packetlabs For Your Social Engineering Engagement
Whether your aim is to assess your organization's resilience against human-targeted threats, protect sensitive information, or comply with regulatory standards, choosing the right partner for Social Engineering testing is essential. Key factors such as reputation, trust, expertise, and a proven track record of professionalism should guide your decision.
At Packetlabs, we handle 100% of our engagements in-house, ensuring the highest standards of quality, confidentiality, and consistency. Our team members all have advanced cybersecurity certifications, including the minimum requirement of Offensive Security Certified Professional (OSCP) certification.
Our commitment to delivering actionable insights goes beyond simply providing a report. Packetlabs adopts a consultative approach to help you understand the results, educate your team on risks, and outline effective next steps to fortify your human and organizational defenses. With an impressive average Net Promoter Score (NPS) of 9.5/10 from our clients, we take pride in exceeding expectations through clear communication, professionalism, and results-driven services.
When it comes to Social Engineering security testing, Packetlabs is your trusted partner for uncovering and mitigating risks while advancing your cybersecurity posture.