When performing social engineering tests:

  • Understand the basic components of social engineering and what ideas they rely on to be effective.
  • Leverage the techniques that motivate people to fall prey to social engineering.
  • Launch a phishing attack that entices targets to leak sensitive information.
  • Use media other than just email to phish sensitive information.
  • Create a convincing forgery of a popular website to entice targets to visit.
  • Use the forgery to capture whatever targets type into it, such as credentials entered into a login form.
  • Leverage gathered data about people to craft customized spear phishing attacks.
  • Consider targeting executives and other high-level personnel in a phishing attack.
  • Use impersonation techniques, like posing as a help desk worker, to make the attack seem more authentic.
  • Use elicitation techniques, like requests and surveys, to get targets to reveal information.
  • Leverage hoaxes to make attacks more convincing.
  • Drop a USB drive loaded with malware in a parking lot to see if anyone plugs it into their system.
  • Determine how users may fall victim to an attack by mistyping URLs.
  • Leverage spam techniques with phishing attacks to reach many users.
  • Assess how easily employees can be observed at their computers without noticing.
  • Consider how an office environment might make tailgating or piggybacking more or less effective.