Social Engineering in Penetration Testing

Social Engineering


  • Social engineering is a type of attack that use people as the main target attack
  • Most common social engineeting attacks is tailgating, phishing, Impersonation, Vishing, Dumbster Diving, Smishing, USB Drops

Attackers often use social engineering to gain access to a company's systems through unaware personnel. That is why it is important to include this type of attack in your penetration testing, so you can confirm that the risk is fully mitigated.

What are Social Engineering Attacks?

Social engineering is a type of attack that focuses on people, because human interaction is a weakness present in any system. When you penetration test for this kind of attack, you therefore need to look at the people themselves as well as the vulnerabilities and processes associated with them.

The penetration test is carried out by an ethical hacker using the kinds of attacks a person typically encounters while working at the company. It helps identify weaknesses in individuals, groups of people and processes, as well as technical vulnerabilities.

Most Common Attacks Used 

  • Tailgating

    The attacker follows an employee very closely as that employee uses a badge or key to open the door to a restricted area, slips in behind them, and so bypasses the physical security that protects the area.
  • Phishing

    This method uses email to trick people into giving up sensitive information, or into opening a malicious file or link that infects their device.
  • Impersonation

    The attacker tries to convince the target that they are someone else, such as a colleague or a vendor. The goal is usually to get the target to send payments to fake vendors, grant access to an account or reveal sensitive information.
  • Vishing

    Very similar to phishing, but carried out over a phone call instead of by email.
  • Dumpster Diving

    The attacker goes through the company's trash and other discarded or visible items, such as calendars, sticky notes and other reminders, to collect sensitive information about the company or an individual.
  • Smishing

    Another variant of phishing that uses SMS or text messages instead of email. The messages have the same intent as phishing: to obtain sensitive information.
  • USB drops

    As the name suggests, the attacker drops malicious USB sticks in places where employees are likely to find them. The USB typically carries software that installs further malware when plugged in, which the attacker then uses as a backdoor to transfer files or gain access to the system.

Why You Should Also Do Social Engineering During a Penetration Test

People are often described as the weakest link in security, yet they still need permissions to do their jobs. That is why it is important to test them and find out who is most susceptible to attack.

A social engineering penetration test usually combines off-site and on-site testing.

  • Off-site testing

    Off-site testing checks that employees maintain good security awareness in their day-to-day work. The pen tester researches the company and then uses publicly available information to carry out the test. It is performed remotely using methods such as phishing, vishing and smishing.
  • On-site testing

    On-site testing checks that the physical security of the company's buildings works as intended. It can also test company policies, for instance that employees keep their workstations clean. The methods used are tailgating, USB drops, dumpster diving and impersonation.

Methods Used to Protect Against Social Engineering Attacks

Employees need to be able to protect themselves from social engineering attacks directed at the company. Here are some of the methods they can use:

Pay attention to senders

Employees should always pay attention to who sent a text message or email. Attackers often impersonate other people, so make sure your employees know the correct phone number and email address the legitimate sender uses. Knowing this helps them avoid clicking a link or opening an attachment that could compromise their device.

Use high setting on spam filters

Most email software used by companies already includes spam filters that can catch suspicious emails. Make use of this feature and set it to a high level so suspicious emails never reach the inbox. Of course, you also need to teach employees how to tell a legitimate email from spam, because sometimes legitimate mail is filtered and ends up in the spam folder.

Do not share any personal data

Tell employees to think before they share any personal data such as credit card numbers or passwords, since a legitimate individual or company will not ask for this type of information in an unsolicited message.

It is also important to tell employees to use strong passwords everywhere. Where possible, set a company policy on password changes (note that current guidance such as NIST SP 800-63B favours changing passwords when there is evidence of compromise rather than on a fixed schedule), and tell employees never to reuse the same password across multiple accounts.

Make use of security layers

Use two-factor authentication (2FA) wherever it is available. It adds another layer of security by requiring the employee to enter a security code, for example one sent to their phone, together with the username and password. Even if an attacker obtains a password, this extra layer makes it much harder to use the account directly. SMS codes can still be phished or intercepted, so prefer an authenticator app or a hardware security key where the system supports them.

Use security software

Always install security software, especially antivirus and anti-malware, on all company-owned devices, and make sure it updates automatically to the latest version so it can protect against the newest threats. It cannot stop a person from being deceived, but it helps limit the damage when a social engineering attack delivers malware.

Keep being aware of risk

Make sure employees stay aware of the risk. Tell them to always verify that information is accurate and to double- or even triple-check before acting. Your security officers should also keep up with the latest cybersecurity news so the company is prepared for new attack techniques.

How to Teach Employees to Increase Security Awareness

Always think before clicking anything

Attackers usually create a sense of urgency so that employees act before they think. Teach your employees that when they receive a very urgent, high-pressure message they must first check the credibility of the source. Teach them to contact the supposed sender through a different channel than the one the suspicious message used, for example by calling the person directly on a known number.

Do research on the source

When a message arrives, teach employees to check whether the domain it was sent from is genuine and whether the sender really belongs to that company. Typos or spelling errors in the domain or the message are a strong sign that the sender is fake. Teach your employees to verify a sender's legitimacy using a search engine, the official website, the phone directory and so on.
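The two checks above, knowing the real sender's address ("Pay attention to senders") and spotting fake or misspelled domains ("Do research on the source"), can be automated as a first-pass triage on incoming mail. The following is an added example, not code from the original page: it assumes the organisation keeps an allow-list of trusted sender domains (`TRUSTED_DOMAINS`), and the homoglyph table, the lookalike heuristics (digit-for-letter substitution, "rn" for "m", edit distance of one) and the two sample messages are all constructed for the demo rather than drawn from real mail.

```python
"""Sender checks for suspicious email (added example, not from the original page).

Assumptions: the organisation keeps an allow-list of trusted sender domains,
and messages arrive as raw RFC 5322 text. The allow-list, the homoglyph table
and the sample messages below are all constructed for this demo.
"""
from __future__ import annotations

import email
import re
from email.utils import parseaddr

# Constructed allow-list of domains the organisation does business with.
TRUSTED_DOMAINS = ("example-corp.com", "paypal.com", "microsoft.com")

# Digits attackers commonly substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URGENCY = re.compile(r"\b(urgent|immediately|action required|suspended)\b", re.I)


def normalise(domain: str) -> str:
    """Fold common lookalike tricks so 'paypa1.com' and 'rnicrosoft.com' compare equal to the real names."""
    folded = domain.lower().rstrip(".").translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches one dropped or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str | None) -> str:
    """Domain part of the real address in a header, ignoring the display name."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify_domain(domain: str) -> tuple[str, str | None]:
    """Return ('trusted', match), ('lookalike', target) or ('unknown', None)."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted", trusted
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(normalise(domain), normalise(trusted)) <= 1:
            return "lookalike", trusted
    return "unknown", None


def check_message(raw: str) -> dict:
    """Apply the sender checks from the text to one raw message and report findings."""
    msg = email.message_from_string(raw)
    from_dom = domain_of(msg["From"])
    verdict, target = classify_domain(from_dom)
    findings = []
    if verdict == "lookalike":
        findings.append(f"From domain {from_dom!r} imitates trusted domain {target!r}")
    elif verdict == "unknown":
        findings.append(f"From domain {from_dom!r} is not on the allow-list")
    # Replies or bounces routed to a different domain than the visible sender.
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr] and domain_of(msg[hdr]) != from_dom:
            findings.append(f"{hdr} domain {domain_of(msg[hdr])!r} differs from From domain {from_dom!r}")
    # A trusted-looking address planted in the display name, e.g. "x@paypal.com" <y@evil.example>.
    display_name, _ = parseaddr(msg["From"] or "")
    planted = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if planted and planted.group(1).lower() != from_dom:
        findings.append(f"display name shows {planted.group(1)!r} but address is {from_dom!r}")
    if URGENCY.search(msg["Subject"] or ""):
        findings.append("subject uses urgency pressure")
    return {"from_domain": from_dom, "verdict": verdict, "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (not real mail).
PHISH = """\
From: "PayPal Support <service@paypal.com>" <service@paypa1.com>
Reply-To: refunds@mail-verify.example
Return-Path: <bounce@mail-verify.example>
To: alice@example-corp.com
Subject: URGENT: verify your account within 24 hours

Your account will be suspended. Confirm your password at the link below.
"""

LEGIT = """\
From: Payroll <payroll@example-corp.com>
To: alice@example-corp.com
Subject: March payslip available

Your payslip is now in the HR portal.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        result = check_message(raw)
        print(name, result["verdict"], *result["findings"], sep="\n  ")
```

Run it and the constructed phishing sample is flagged on five counts (lookalike From domain, mismatched Reply-To and Return-Path, a real-looking address planted in the display name, and an urgency word in the subject) while the payroll message passes clean. The heuristics are deliberately simple; in practice you would also check SPF/DKIM/DMARC results from the receiving gateway, but the point here is that the manual checks the text asks employees to make can be codified and applied consistently.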

Check when in doubt

As mentioned before, social engineering is used to obtain sensitive information and take control of other people's accounts. Once an attacker controls an account, they use it to send emails to everyone in its contacts. That is why it is better to always check with the person directly when you receive an unexpected email, even if it comes from a legitimate source, and you need to teach this to your employees.

Do not download anything that you do not know

Teach your employees not to download anything they do not recognise. This includes attachments from people they do not know, and unexpected attachments even from people they do know. Make them extra wary of emails with "URGENT" in the subject or headline; such a file is most likely not legitimate and is being used as an attack.


As you can see, social engineering is a very common way to attack a company through its employees' lack of awareness. That is why it is important for your company to perform penetration testing that focuses on this type of attack, so you can identify the personnel who are not aware of your security policies.

It is also important to implement the various measures that protect the company and its employees from attack, for example installing security software on the devices employees use to connect to the company.

Description: Understand the psychology behind social engineering tactics and how they can be used in penetration testing. Learn how to protect yourself and your organization from these malicious attacks.

Tags: social engineering attack, social engineering method, social engineering pentest, social engineering penetration test, social engineering prevention
