
Social Engineering Penetration Testing: Why Your Employees Are Your Largest Attack Surface

Lorikeet Security Team · April 7, 2026 · 10 min read

TL;DR: Technical security controls fail when an employee clicks a phishing link, provides credentials over the phone, holds a door open for someone without a badge, or approves an MFA push notification at 3 AM. Social engineering penetration testing measures your organization's actual resilience to these attacks — not what employees know from training, but what they do when confronted with a realistic attack. The results consistently show that human behavior is the most exploitable vulnerability in any organization, and that improving it requires measurement, not just education.

Social Engineering Attack Types: Success Rates and Impact

Attack Type                   | Typical Success Rate           | Effort Required         | Primary Impact
Phishing (credential harvest) | 15-30% click, 10-15% submit    | Low-Medium              | Credential compromise, initial access
Spear Phishing (targeted)     | 40-60% click, 25-35% submit    | Medium-High             | Targeted account compromise
Vishing (phone pretexting)    | 30-50% information disclosed   | Medium                  | Information disclosure, credential reset
Physical Tailgating           | 60-80% entry gained            | Low                     | Physical access to secure areas
USB Drop                      | 20-45% plugged in              | Low                     | Code execution on endpoint
MFA Fatigue/Push Bombing      | 10-25% approved                | Low (requires password) | MFA bypass, full account access

Phishing Simulation Methodology

Professional phishing simulations are not mass-blast generic emails. Effective testing uses the same techniques real attackers employ: reconnaissance of the target organization, domain lookalike registration, pretext development based on the company's actual communications, and landing pages that clone legitimate login portals. The goal is to measure realistic employee behavior, not to trick people with obvious scams that have no relationship to actual threats.

The methodology begins with open-source intelligence (OSINT) gathering. We identify the organization's email format, key personnel, internal tools and platforms, recent events (acquisitions, office moves, benefits enrollment), and communication patterns. This intelligence shapes the pretext — the scenario that makes the phishing email convincing. A phishing email disguised as a benefits enrollment deadline from the actual HR director, sent during open enrollment season, is orders of magnitude more effective than a generic "your account has been compromised" email.

Credential Harvesting Infrastructure

The technical infrastructure behind a phishing simulation mirrors what real attackers deploy. This includes registered lookalike domains (using character substitution, subdomain tricks, or homograph attacks), cloned login pages that are visually identical to the target's SSO portal or email login, TLS certificates on the phishing domain (free certificates from Let's Encrypt eliminate the "no padlock" warning that was once a phishing indicator), and email infrastructure configured with proper SPF, DKIM, and DMARC records to maximize inbox delivery.
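The defensive counterpart to the lookalike-domain techniques listed above is a mail-gateway check that flags sender domains resembling your own before the message reaches a mailbox. The Python below is an added example and not Lorikeet's tooling; LEGIT_DOMAINS, the CONFUSABLES subset and the two-label registrable-domain simplification are all assumptions constructed for illustration.

```python
import unicodedata

# Constructed for this example: the organisation's own mail domains (not real ones).
LEGIT_DOMAINS = {"lorikeet-security.example", "lorikeetsecurity.example"}

# Substitutions seen in lookalike registrations: digit-for-letter swaps, letter
# pairs that render like a single letter, and a few Cyrillic homographs.
# This is an assumed subset, not a complete confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
               ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c")]
LOOKALIKE_MAX_DISTANCE = 1  # edit distance at or below which a domain counts as a lookalike

def fold(name: str) -> str:
    """Reduce a domain name to an ASCII skeleton so that homographs and
    digit-for-letter swaps compare equal to the letters they imitate."""
    # NFKD splits accented letters into base letter + combining mark; drop the marks.
    skeleton = "".join(c for c in unicodedata.normalize("NFKD", name.lower())
                       if not unicodedata.combining(c))
    for fake, real in CONFUSABLES:
        skeleton = skeleton.replace(fake, real)
    return skeleton

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender_domain(domain: str) -> str:
    """Classify the domain part of a From: address as 'legit', 'lookalike' or 'unrelated'.
    Assumes a two-label registrable domain (example.com style); public-suffix handling
    is left out to keep the example short."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT_DOMAINS:
        return "legit"
    registrable = ".".join(domain.split(".")[-2:])
    for legit in LEGIT_DOMAINS:
        # Subdomain trick: our name appears inside a hostname whose registrable domain is not ours.
        if legit in domain:
            return "lookalike"
        # Character substitution / homograph: skeletons match or differ by a single edit.
        if levenshtein(fold(registrable), fold(legit)) <= LOOKALIKE_MAX_DISTANCE:
            return "lookalike"
    return "unrelated"
```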

When an employee submits credentials on the cloned login page, the simulation records the timestamp, the credentials entered (which are immediately discarded without being stored), and the employee's department and role. The employee is then redirected to a training page explaining what happened and what indicators they should have noticed. This immediate feedback loop is more effective than delayed training because the emotional context — the realization of what just happened — makes the lesson memorable.


Pretexting and Vishing

Pretexting is the social engineering technique of creating a fabricated scenario to manipulate a target into providing information or performing an action. In a penetration testing context, pretexting is most commonly deployed through vishing — voice phishing — where the tester calls employees directly with a crafted scenario.

Effective pretexts exploit authority, urgency, and helpfulness — the three psychological levers that consistently bypass rational security thinking. A caller impersonating IT support ("I'm from the helpdesk, we're seeing unusual activity on your account and need to verify your identity to prevent a lockout") combines all three: authority (IT department), urgency (your account may be locked), and the target's natural desire to be helpful and cooperative.

Common vishing objectives in penetration testing include obtaining credentials or password resets, extracting internal information (org charts, system names, VPN configurations), convincing the target to execute a command or visit a URL, and verifying information gathered through OSINT to enable further attacks. Success rates for well-crafted vishing calls consistently exceed those of email phishing because the real-time, personal nature of a phone conversation creates social pressure that email does not.


Physical Social Engineering

Physical social engineering tests whether an attacker can gain unauthorized access to an organization's facilities — offices, data centers, server rooms, and other restricted areas. The success rate for physical social engineering is disturbingly high because the same psychological principles that make vishing effective are amplified by in-person interaction.

Tailgating — following an authorized person through a secure door — is the simplest and most effective physical attack. An attacker carrying a box of donuts, wearing a high-visibility vest, or appearing to struggle with a heavy delivery exploits social norms: people hold doors open for others. Badge-controlled doors become security theater when employees routinely hold them for anyone who looks like they belong.

USB Drop Attacks

USB drop attacks test whether employees will plug unknown USB devices into corporate machines. Rubber Ducky and similar USB attack tools can execute keystroke injection payloads within seconds of being connected — downloading and executing a reverse shell, exfiltrating data, or establishing persistence before the user realizes anything has happened. The psychological mechanism is curiosity: a USB drive labeled "Executive Salary Review Q4" or "Confidential - HR" found in a parking lot or break room is nearly irresistible to a percentage of any workforce.

Modern USB drop attacks go beyond simple curiosity exploitation. O.MG cables — USB cables with embedded wireless implants — can be left in conference rooms or on desks and look identical to regular charging cables. When connected, they provide a remote wireless command-and-control channel to the attacker. The target never inserts a suspicious USB drive — they plug in what appears to be a normal charging cable.


MFA Fatigue and Push Bombing

Multi-factor authentication is frequently cited as a primary defense against social engineering. MFA fatigue attacks demonstrate that push-based MFA can itself become an attack vector. The technique is simple: after obtaining a user's password (through phishing, credential stuffing, or purchase from initial access brokers), the attacker repeatedly triggers MFA push notifications.

The notifications arrive on the target's phone relentlessly — every 30 seconds, at all hours, for hours or days. The psychological pressure is significant: the target's phone is unusable, they cannot sleep, and the simplest way to make it stop is to approve one notification. Some attackers pair push bombing with a vishing call: "Hi, this is IT support — we're seeing a system issue generating false MFA prompts. Can you approve the next one so we can reset your account?" This combination of technical pressure and social engineering achieves bypass rates of 10-25% even in security-conscious organizations.

The 2022 Uber breach used exactly this technique. An attacker obtained an employee's VPN credentials, then bombarded them with MFA push notifications for over an hour before contacting the employee on WhatsApp, impersonating Uber IT, and convincing them to approve the push. The attacker gained VPN access, then moved laterally to compromise internal systems including the company's privileged access management platform.

Remediation: Replace push-to-approve MFA with number matching (the user must enter a number displayed on the login screen into their authenticator app, proving they are looking at the actual login attempt). Implement rate limiting on MFA challenges. Deploy FIDO2/WebAuthn hardware keys for high-value accounts — they are immune to push bombing because they require physical interaction with the specific authentication session.
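Alongside the remediation above, the pattern is also detectable: a burst of push challenges to one account, especially one that ends in an approval, stands out in identity-provider logs, and the same sliding-window count is what a rate limit on MFA challenges would act on. The Python below is an added example and not part of the original post; the log format, field names, threshold and sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines for this example (not real identity-provider logs).
SAMPLE_LOG = """\
2026-04-07T03:00:00Z user=jdoe event=mfa_push_sent ip=203.0.113.7
2026-04-07T03:00:30Z user=jdoe event=mfa_push_denied ip=203.0.113.7
2026-04-07T03:00:31Z user=jdoe event=mfa_push_sent ip=203.0.113.7
2026-04-07T03:01:01Z user=jdoe event=mfa_push_sent ip=203.0.113.7
2026-04-07T03:01:31Z user=jdoe event=mfa_push_sent ip=203.0.113.7
2026-04-07T03:02:01Z user=jdoe event=mfa_push_sent ip=203.0.113.7
2026-04-07T03:02:40Z user=jdoe event=mfa_push_approved ip=203.0.113.7
2026-04-07T09:15:00Z user=asmith event=mfa_push_sent ip=198.51.100.4
2026-04-07T09:15:20Z user=asmith event=mfa_push_approved ip=198.51.100.4
"""

WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 5  # pushes within WINDOW; tune to your IdP's normal retry behaviour

def parse(line: str) -> dict:
    """Split 'timestamp key=value key=value ...' into a dict with a parsed 'ts'."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect_push_bombing(log_text: str) -> list:
    """Return alerts as (user, severity, detail). A burst alone is 'medium';
    an approval arriving while a burst is active is 'high', the outcome the post describes."""
    recent = defaultdict(deque)   # user -> timestamps of pushes still inside the window
    bursting = set()              # users currently flagged as under a push burst
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "mfa_push_sent":
            q = recent[user]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= BURST_THRESHOLD and user not in bursting:
                bursting.add(user)
                alerts.append((user, "medium", f"{len(q)} pushes within {WINDOW}"))
        elif ev["event"] == "mfa_push_approved" and user in bursting:
            alerts.append((user, "high", "approval after push burst"))
            bursting.discard(user)
    return alerts
```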


Measuring Results and Building Security Culture

The value of social engineering penetration testing is not in catching individual employees — it is in measuring organizational resilience and identifying systemic weaknesses. The metrics that matter include click rate (percentage of users who interacted with the phishing payload), submission rate (percentage who submitted credentials), report rate (percentage who reported the suspicious email to security), time-to-report (how quickly the first report was filed), and departmental variance (which teams are most susceptible).

Report rate is arguably more important than click rate. An organization where 20% of employees click phishing links but 40% report them to security has a functional detection mechanism — the security team will know about the attack quickly. An organization where 5% click but nobody reports has a low click rate but no detection capability — the attacker operates undetected.
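The metrics listed above, including the report-after-click count that the culture argument rests on, computed from per-recipient campaign events. This Python is an added example rather than Lorikeet's reporting code; the event schema, recipient list and timestamps are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed campaign data for this example (not results from a real engagement).
RECIPIENTS = {"u1": "finance", "u2": "finance", "u3": "finance",
              "u4": "engineering", "u5": "engineering", "u6": "engineering",
              "u7": "hr", "u8": "hr"}
EVENTS = [("2026-04-07T09:00:00", u, d, "delivered") for u, d in RECIPIENTS.items()] + [
    ("2026-04-07T09:02:00", "u3", "finance", "reported"),
    ("2026-04-07T09:03:00", "u1", "finance", "clicked"),
    ("2026-04-07T09:04:00", "u1", "finance", "submitted"),
    ("2026-04-07T09:05:00", "u2", "finance", "clicked"),
    ("2026-04-07T09:06:00", "u2", "finance", "reported"),
    ("2026-04-07T09:07:00", "u7", "hr", "clicked"),
    ("2026-04-07T09:08:00", "u7", "hr", "submitted"),
    ("2026-04-07T09:10:00", "u4", "engineering", "clicked"),
    ("2026-04-07T09:15:00", "u6", "engineering", "reported"),
    ("2026-04-07T09:20:00", "u7", "hr", "reported"),
]

def pct(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0

def campaign_metrics(events) -> dict:
    """Aggregate (timestamp, user, department, action) records into the campaign metrics.
    Each recipient counts once per action, however many times they repeated it."""
    users_by_action = defaultdict(set)   # action -> recipients who did it at least once
    users_by_dept = defaultdict(set)     # department -> recipients the email was delivered to
    first_seen = {}                      # action -> earliest timestamp for that action
    for ts_text, user, dept, action in events:
        ts = datetime.fromisoformat(ts_text)
        users_by_action[action].add(user)
        first_seen[action] = min(first_seen.get(action, ts), ts)
        if action == "delivered":
            users_by_dept[dept].add(user)
    delivered = users_by_action["delivered"]
    clicked, submitted, reported = (users_by_action[a] for a in ("clicked", "submitted", "reported"))
    # Time-to-report runs from first delivery to the first report by anyone.
    ttr = (first_seen["reported"] - first_seen["delivered"]).total_seconds() if "reported" in first_seen else None
    return {
        "click_rate": pct(len(clicked), len(delivered)),
        "submission_rate": pct(len(submitted), len(delivered)),
        "report_rate": pct(len(reported), len(delivered)),
        "time_to_first_report_s": ttr,
        "reported_after_clicking": len(clicked & reported),  # the behaviour a healthy culture produces
        "click_rate_by_dept": {d: pct(len(u & clicked), len(u)) for d, u in sorted(users_by_dept.items())},
    }
```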

From Testing to Culture Change

Social engineering testing should drive culture change, not punitive action. Organizations that publicly shame or discipline employees who fail phishing simulations create a culture where employees hide security mistakes rather than reporting them. The goal is the opposite: employees who feel safe reporting suspicious emails, phone calls, and physical access attempts — even when they have already clicked or provided information.

Effective programs combine regular simulation testing with targeted training for high-risk groups, executive sponsorship that frames security as a shared responsibility rather than an IT problem, and positive reinforcement for reporting behavior (public recognition, small rewards). Over time, this builds an organization where the instinctive response to something suspicious is to report it — creating a human detection network that complements technical security controls.

Measure Your Organization's Human Security Resilience

Lorikeet Security's social engineering assessments include phishing simulations, vishing campaigns, physical access testing, and MFA resilience testing. Get empirical data on your organization's susceptibility to social engineering — and a roadmap for improving it.


Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

We've completed 170+ security engagements across web apps, APIs, cloud infrastructure, and AI-generated codebases. Everything we publish here comes from patterns we see in real client work.
