Your firewalls are configured. Your applications are patched. Your endpoint detection is running. And none of it matters when an employee clicks a link in a convincing email, reads a six-digit code to a caller pretending to be from IT, or holds the door open for someone carrying a box of printer paper. Social engineering bypasses every technical control you have by targeting the one component you cannot patch: human psychology.
Social engineering assessments are a critical part of any comprehensive security program. They test whether your people can recognize and resist manipulation, and the results almost always reveal gaps that no amount of technology can close. In our experience, organizations that skip social engineering testing have an incomplete picture of their actual risk posture. You can have the most hardened infrastructure in the world, but if an attacker can call your help desk and reset a password, none of that infrastructure matters.
This article covers how social engineering assessments work, what types of attacks we simulate, what we typically find, and how to use the results to build a security culture that actually resists manipulation. If you want to understand the broader context of how social engineering fits into offensive security, our guides on what happens during a penetration test and what is red teaming provide useful background.
Why social engineering works
Social engineering is not a technology problem. It is a psychology problem. Attackers exploit the same cognitive shortcuts and social norms that allow humans to function efficiently in everyday life. Understanding why these attacks work is the first step toward defending against them.
Authority
People comply with requests from perceived authority figures. An email that appears to come from the CEO, a phone call from someone claiming to be from the IT department, or a person wearing a badge and a high-visibility vest all trigger automatic compliance responses. In organizational hierarchies, employees are conditioned to follow instructions from superiors without questioning them. Attackers exploit this by impersonating executives, vendors, auditors, or law enforcement.
Urgency
Time pressure short-circuits critical thinking. When someone tells you that your account will be locked in 15 minutes, that a wire transfer needs to go out before end of business, or that a server is actively being attacked and they need your credentials to stop it, you don't pause to verify. You act. Attackers deliberately create artificial urgency because they know that the longer a target has to think, the more likely they are to recognize the manipulation.
Trust and familiarity
We trust people and brands we recognize. A phishing email that perfectly mimics your company's internal communications template, uses a colleague's name and writing style, and references a real project you are working on is exponentially more convincing than a generic "Dear User" message. Attackers invest in reconnaissance specifically to build this familiarity, and modern tools make it easier than ever to clone websites, spoof email addresses, and craft convincing pretexts.
Reciprocity and helpfulness
Humans are wired to help others and to return favors. If someone does something small for you first, such as providing useful information or solving a minor problem, you feel obligated to reciprocate. Attackers exploit this by offering assistance before making their actual request. A caller might help you troubleshoot a minor issue before casually asking you to verify your password. The initial helpfulness lowers your guard for the real ask.
Fear and consequences
Threats of negative consequences bypass rational analysis. "If you don't update your credentials immediately, you will be locked out of all company systems." "This is from the legal department regarding a compliance violation on your account." Fear triggers a fight-or-flight response that prioritizes immediate action over careful evaluation. Attackers use consequences, both real and fabricated, to override the healthy skepticism that would normally catch their deception.
The fundamental problem: The psychological principles that make social engineering effective are the same ones that make people effective employees. Helpfulness, respect for authority, responsiveness to urgency, and trust in colleagues are all desirable workplace qualities. Security awareness training must teach people to maintain these qualities while adding a verification step, not to become paranoid and uncooperative.
Types of social engineering assessments
Social engineering is not a single attack vector. It encompasses a range of techniques delivered through different channels, each requiring different skills to execute and different defenses to counter. A thorough assessment program tests across multiple vectors because an organization that excels at spotting phishing emails may be completely vulnerable to voice-based attacks.
| Assessment Type | Channel | What We Test |
|---|---|---|
| Phishing | Click rates, credential submission, macro execution, reporting behavior | |
| Spear Phishing | Email (targeted) | Response to highly personalized attacks on specific individuals or roles |
| Vishing | Voice/Phone | Information disclosure, credential sharing, process bypass over the phone |
| Smishing | SMS/Text | Link clicks and credential entry from mobile devices |
| Pretexting | Multiple | Sustained deception using fabricated scenarios to extract information or access |
| Physical | In-person | Tailgating, badge cloning, unauthorized access to restricted areas |
Most organizations start with email phishing because it is the most common real-world attack vector. But stopping there gives you an incomplete picture. A mature social engineering testing program rotates across channels and escalates in sophistication over time.
Phishing campaign methodology
A professional phishing assessment is not a mass-blast of obvious spam. It is a carefully planned operation that mirrors what real threat actors do, using the same tools, techniques, and research methods. Here is how we approach it.
Phase 1: Reconnaissance
Before writing a single email, we research your organization. This is the same step a real attacker takes, and it is what separates a meaningful assessment from a generic test.
- Employee enumeration: We identify target employees using LinkedIn, your company website, organizational charts, and public directories. We map reporting structures, identify key roles, and note recent hires who may be less familiar with company processes.
- Technology profiling: We identify your email platform, security tools, SSO provider, and commonly used SaaS applications. A phishing email that mimics a tool your employees actually use every day is far more convincing than a generic login page.
- Brand and communications analysis: We study your company's email templates, visual branding, communication style, and internal terminology. If your company sends weekly updates from "The People Team" using a specific template, our phishing emails will mirror that format.
- Current events and context: We look for recent company announcements, mergers, product launches, open enrollment periods, or IT migrations that provide natural pretexts. An email about "updating your benefits selections" during open enrollment season is virtually indistinguishable from a legitimate communication.
Phase 2: Pretext development
The pretext is the story we use to convince the target to take action. A good pretext is plausible, relevant, and creates a reason to act without overthinking. We develop multiple pretexts per engagement and calibrate them based on the organization's maturity level and the assessment's objectives.
Common pretext categories include:
- IT/Security notifications: Password expiration, MFA enrollment, security alert, VPN update required, new software deployment
- HR/Administrative: Benefits enrollment, policy acknowledgment, performance review scheduling, expense report issue, payroll update
- Executive impersonation: Urgent request from the CEO, document review from legal, board presentation materials needed
- Vendor/Partner: Invoice from a known vendor, contract renewal, shared document from a partner organization
- Operational: Shipping notification, calendar invite, voicemail transcription, shared drive access request
We also develop the landing pages that targets will see after clicking. These are cloned versions of legitimate login portals, accurate down to the favicon, styling, and error messages. When a target enters credentials on our phishing page, they are redirected to the real login page so the experience feels normal. At no point do we actually capture or store real passwords. We record that credentials were submitted and what username was entered, but the password field is hashed and discarded.
Phase 3: Infrastructure and delivery
Professional phishing assessments require dedicated infrastructure. We set up sending domains that are similar to your legitimate domains, configure SPF, DKIM, and DMARC records so the emails pass authentication checks, and use sending infrastructure that avoids blacklists. This is important because a phishing email that lands in spam doesn't test your employees, it tests your email filter.
We send emails in waves rather than all at once. Sending 500 phishing emails simultaneously at 9:00 AM on a Monday is unrealistic and may trigger your email security gateway. Real attackers send in small batches over time. We do the same, typically sending to 10 to 20 percent of the target list per wave over several days.
Phase 4: Tracking and measurement
Every phishing email contains unique tracking identifiers that allow us to measure the full interaction chain without compromising privacy. We track:
- Email opened: The recipient loaded the email (tracking pixel). This is a baseline metric but not particularly meaningful on its own.
- Link clicked: The recipient clicked the phishing link. This indicates the pretext was convincing enough to prompt action.
- Credentials submitted: The recipient entered credentials on the phishing page. This is the critical metric because it represents a successful compromise.
- Reported: The recipient reported the email as suspicious through the proper channel. This is the most important metric in a mature program.
- Time to action: How quickly targets clicked or reported. Fast clicks suggest automatic behavior. Fast reports suggest effective training.
Vishing: Voice phishing techniques and findings
Vishing, or voice phishing, is often more effective than email phishing because it exploits real-time social pressure. An employee can stare at a suspicious email for five minutes, consult a colleague, or forward it to security for analysis. A phone call demands an immediate response. There is no time to think, and the social pressure to be helpful and cooperative on a live call is immense.
How we conduct vishing assessments
We develop call scripts based on pretexts similar to email phishing but adapted for voice interaction. Common scenarios include:
- IT help desk impersonation: "Hi, this is Mike from the IT service desk. We're seeing some unusual activity on your account and need to verify your identity to resolve it. Can you confirm your username and the last password you set?"
- Executive assistant scenario: "This is Sarah calling from David Chen's office. He's in a meeting and needs his VPN credentials reset before his call at 3. Can you walk me through the reset process?"
- Vendor support: "I'm calling from [your actual SaaS vendor]. We're migrating accounts to our new platform and need to verify your admin credentials to ensure a smooth transition."
- New employee onboarding: "Hey, I just started in the marketing department last week and I'm locked out of the shared drive. My manager said to call this number. Can you help me get access?"
Each call follows a decision tree. If the target pushes back, we have prepared responses to overcome objections. If they ask to call back, we provide a callback number that routes to our infrastructure. If they want to verify our identity, we use information gathered during reconnaissance to establish credibility. The goal is not to bully anyone into compliance but to test whether organizational processes and training hold up under realistic social pressure.
What vishing assessments typically reveal
The results are consistently eye-opening. In our experience, vishing success rates regularly exceed phishing success rates. Here is what we commonly find:
- Help desk bypass: Help desk staff reset passwords, disable MFA, or grant access based on information that is publicly available or easily guessable. Identity verification processes either do not exist or are not followed under social pressure.
- Credential disclosure: Employees share passwords, PINs, or MFA codes verbally over the phone. Even employees who would never type their password into a suspicious website will read it aloud to someone who sounds authoritative and urgent.
- Information leakage: Even when calls do not result in credential disclosure, employees frequently reveal organizational information that aids further attacks: names of systems, details about security tools, internal processes, employee schedules, and physical office details.
- Process gaps: Many organizations have identity verification procedures on paper but do not enforce them consistently. A caller who expresses frustration or claims executive backing can often bypass verification entirely.
Why vishing is underused in testing: Many organizations test phishing annually but never test vishing. This is a significant blind spot. Real-world attackers increasingly use phone calls because they know most security awareness training focuses exclusively on email. If you have never tested your help desk's resistance to social engineering calls, you do not know whether your identity verification processes actually work under pressure.
Physical social engineering
Physical social engineering tests whether an unauthorized person can gain physical access to your facilities, restricted areas, or sensitive equipment. This is the most dramatic form of social engineering testing and often the most revealing, because physical access frequently leads to complete compromise.
Tailgating and piggybacking
Tailgating is following an authorized person through a secured door without presenting credentials. It is remarkably effective because challenging a stranger feels socially uncomfortable, especially when that stranger is carrying something heavy, appears to be in a hurry, or looks like they belong. In most of our assessments, testers can access secured areas within the first one or two attempts simply by approaching a door at the same time as a legitimate employee.
We test tailgating using various pretexts. A tester might carry a box of supplies and ask someone to hold the door. They might hold a phone to their ear and look preoccupied while walking closely behind an employee. They might wear a vendor badge or high-visibility vest that provides a visual reason for being there. The social norm of holding the door for someone is so deeply ingrained that most people do it automatically without considering the security implications.
Badge cloning
Many organizations use proximity-based access cards (HID, MIFARE, etc.) that can be cloned with commercially available equipment. During a physical assessment, testers may attempt to read badge data using concealed readers, then clone a badge to gain persistent access. This technique is particularly effective in environments where badge data is not encrypted or where multi-factor physical access controls (badge plus PIN) are not implemented.
Pretexting for physical access
Physical pretexting involves creating a persona that justifies the tester's presence in a restricted area. Common pretexts include:
- IT contractor: Arriving with a laptop bag and a work order (fabricated) to perform "scheduled maintenance" on network equipment.
- Fire inspector or health and safety auditor: Wearing a clipboard and high-visibility vest, claiming to be conducting a routine inspection.
- Delivery driver: Carrying packages addressed to the building, gaining access to mailrooms, loading docks, and sometimes office floors.
- New employee: Claiming to have started this week and not yet received a badge, asking to be escorted to a specific department.
- Vendor or repair technician: Arriving to "fix the copier" or "check the HVAC system" with tools and a plausible explanation.
Dumpster diving
Dumpster diving is the examination of an organization's discarded materials for sensitive information. While it sounds low-tech, it is remarkably productive. We routinely find printed emails with credentials, network diagrams, employee lists, financial documents, client data, and discarded hard drives or USB devices in unsecured waste receptacles. Organizations that do not shred sensitive documents or properly dispose of electronic media are handing reconnaissance intelligence to anyone who looks.
Real-world results: What we typically find
After conducting hundreds of social engineering assessments, clear patterns emerge. These aggregate results help organizations benchmark their performance and set realistic expectations for their own assessments.
Email phishing metrics
| Metric | First Assessment | After Training | Mature Program |
|---|---|---|---|
| Email Open Rate | 60-80% | 50-70% | 40-60% |
| Click Rate | 20-35% | 10-20% | 3-8% |
| Credential Submission | 12-25% | 5-12% | 1-4% |
| Report Rate | 2-5% | 15-30% | 40-70% |
| Time to First Click | Under 2 minutes | 5-15 minutes | 15+ minutes |
The most telling metric in this table is the report rate. Organizations undergoing their first social engineering assessment almost never have employees who report suspicious emails. After effective training and repeated testing, the report rate climbs dramatically. In mature programs, employees report phishing attempts faster than they click on them, which transforms your entire workforce into a detection layer.
Which departments are most vulnerable?
Certain departments consistently show higher susceptibility to social engineering attacks, not because those employees are less intelligent, but because their job functions make them more likely to interact with external communications, open attachments, and respond to unfamiliar requests.
- Sales and business development: These teams receive emails from strangers constantly. Their job requires them to open attachments, click links, and respond quickly. A phishing email disguised as a prospect inquiry or RFP is nearly indistinguishable from their normal workflow.
- Human resources: HR teams receive resumes, benefits questions, and employee requests from unfamiliar email addresses every day. A malicious resume attachment or a fake benefits enrollment link fits naturally into their inbox.
- Finance and accounting: Wire transfer requests, invoice attachments, and payment notifications are daily occurrences. Business email compromise (BEC) attacks specifically target finance teams because a single successful social engineering attack can result in six- or seven-figure losses.
- Executive assistants: They act on behalf of executives, often under time pressure, and are conditioned to fulfill requests quickly without extensive verification. Their access to executive calendars, email, and systems makes them high-value targets.
- New employees: People in their first 90 days are particularly vulnerable because they are unfamiliar with company processes, eager to be helpful, and reluctant to question requests that might come from authority figures they have not yet met.
Vishing success rates
Vishing assessments consistently produce higher compromise rates than email phishing. In our engagements, 40 to 60 percent of vishing calls result in some form of information disclosure, and 15 to 30 percent result in credential disclosure or unauthorized access. Help desk teams are the most frequent targets and show the highest compromise rates because their job is literally to help callers solve access problems.
Building effective security awareness training from assessment results
The real value of social engineering testing is not the click rate in the report. It is the training program you build from the results. Assessment data tells you exactly where your organization is weak and provides the evidence you need to design targeted, effective training rather than generic annual compliance videos that no one remembers.
Use real data, not hypotheticals
The most effective training uses anonymized results from your own assessments. Showing employees the actual phishing email that 30 percent of their colleagues clicked on is far more impactful than showing them a textbook example they would never fall for. When people see that realistic attacks fooled their coworkers, they take the threat seriously.
Train by department and role
Generic security awareness training treats every employee the same, but the attacks they face are not the same. Your finance team needs training on BEC and wire transfer fraud. Your HR team needs training on malicious resume attachments. Your help desk needs training on identity verification under pressure. Your executive team needs training on whaling attacks and CEO impersonation. Tailored training based on actual assessment data is dramatically more effective than one-size-fits-all programs.
Focus on reporting, not just recognition
Traditional security awareness training teaches people to recognize phishing. That is necessary but insufficient. People also need to know how to report it, and they need to feel safe doing so. If reporting a phishing email requires navigating a complex ticketing system, employees won't do it. If employees fear punishment for clicking a phishing link, they will hide it instead of reporting it.
The goal is to build a reporting culture. Deploy a one-click reporting button in your email client. Acknowledge reports quickly, even if the email was legitimate. Never punish employees who click and then report. Celebrate high reporters publicly. When reporting becomes easy and rewarded, your entire organization becomes a phishing detection system that operates faster than any technical control.
Test continuously, not annually
Annual phishing assessments measure a single point in time. They do not change behavior. Continuous testing, where employees receive simulated phishing emails throughout the year with varying difficulty levels, creates lasting behavioral change. Start with easier-to-detect phishing emails after initial training, then gradually increase sophistication. Provide immediate feedback when someone clicks: redirect them to a training page that explains what they missed and how to spot it next time.
Metrics that matter: Beyond click rates
Most organizations fixate on click rates as the primary metric for social engineering assessments. A 15 percent click rate sounds bad. A 5 percent click rate sounds good. But click rates alone tell an incomplete story and can actually be misleading.
Report rate is more important than click rate
Consider two scenarios. Organization A has a 10 percent click rate and a 2 percent report rate. Organization B has a 12 percent click rate and a 45 percent report rate. Which organization is more secure? Organization B, by a significant margin. Their employees are slightly more likely to click, but they are massively more likely to report, which means the security team learns about the attack quickly and can respond before damage spreads. A single employee reporting a phishing email can protect the entire organization if the security team acts on it.
Time-to-report vs. time-to-click
The race between clicking and reporting determines the outcome of a real attack. If the first employee clicks a phishing link at 9:02 AM but another employee reports it at 9:04 AM, the security team has a two-minute window to revoke the phishing page, reset the compromised credentials, and contain the incident. If the first click happens at 9:02 AM and the first report comes at 3:00 PM, the attacker has had nearly six hours of undetected access. Measuring the gap between first click and first report tells you how quickly your organization can self-correct.
Repeat clickers
Not all clicks are equal. An employee who clicks once during their first year and never again has learned from the experience. An employee who clicks on every assessment requires targeted intervention. Tracking repeat clickers over time identifies the individuals who need additional training, a different type of training, or potentially restricted email access. In most organizations, a small percentage of employees account for a disproportionate share of all clicks.
Credential submission vs. click
Clicking a phishing link and submitting credentials are fundamentally different levels of compromise. A click might expose information through URL tracking, but credential submission gives the attacker direct access to systems. An organization where many people click but few submit credentials has employees who are curious enough to click but cautious enough to recognize a fake login page. This distinction matters for risk assessment and training design.
The right metrics framework: Track click rate, credential submission rate, report rate, time-to-first-click, time-to-first-report, repeat clickers, and department-level breakdown. Plot these over time across multiple assessments. The trends matter more than any single data point. A rising report rate with a declining credential submission rate means your program is working, even if the click rate stays flat.
Combining social engineering with technical testing
The most realistic and impactful assessments combine social engineering with technical penetration testing. This approach, commonly used in red team engagements, mirrors how real attackers operate: they use social engineering to gain initial access, then leverage that foothold to move laterally through the environment and achieve their objectives.
Phishing to foothold
Instead of simply tracking who clicks a link, the phishing email delivers a payload that establishes a command-and-control channel on the target's workstation. This simulates what happens in a real attack: the click is not the end of the story, it is the beginning. From that foothold, the assessment team attempts to escalate privileges, move laterally, access sensitive data, and demonstrate the full impact of a successful phishing attack.
This approach transforms a phishing assessment from a metrics exercise into a realistic attack simulation. The question changes from "how many people clicked?" to "what can an attacker actually do after someone clicks?" The answer is almost always more than the organization expects.
Vishing to credential access
A vishing call to the help desk that results in a password reset gives the assessment team legitimate credentials. From there, they log into the VPN, access internal applications, and demonstrate what an attacker could reach using nothing more than a phone call and a convincing story. This attack chain is particularly powerful for demonstrating risk to leadership because it requires zero technical exploitation. No vulnerabilities. No exploits. Just a phone call.
Physical access to network compromise
A tester who tailgates into the building and finds an unoccupied conference room with a network port has physical network access. From there, they can plug in a device, capture network traffic, attempt to join the corporate network, and pivot to internal systems. A dropbox device (a small, concealed computer left on the network) can provide persistent remote access for days or weeks. This demonstrates that physical security failures have direct cybersecurity consequences.
Legal and ethical considerations
Social engineering testing involves deception, which creates legal and ethical complexities that do not exist in technical penetration testing. Professional firms handle these carefully, but organizations commissioning tests need to understand the boundaries.
Authorization and scope
Written authorization is non-negotiable. The statement of work must explicitly authorize the types of social engineering being conducted, the targets (or target groups), the channels (email, phone, in-person), and any restrictions. The authorization should come from someone with the legal authority to approve deceptive testing of employees, typically the CISO, General Counsel, or CEO. Testing without proper authorization exposes both the testing firm and the organization to significant legal risk.
Employee privacy and dignity
Social engineering assessments must be designed to test organizational resilience, not to humiliate individuals. Results should be reported in aggregate, not by naming specific employees who clicked. If individual remediation is needed for repeat clickers, it should be handled privately and constructively, not punitively. Employees who fell for the assessment should never be publicly shamed. That approach destroys trust and discourages the reporting behavior you are trying to build.
Sensitive pretexts to avoid
Certain pretexts cross ethical lines even when they would be effective. Professional firms avoid pretexts involving:
- Personal health information or medical emergencies
- Threats of violence or law enforcement action against individuals
- Family emergencies or personal tragedies
- Termination threats or performance issues
- Romantic or personal relationship manipulation
These pretexts would produce high click rates, but they cause real psychological distress and erode employee trust in the organization. The goal is to test security awareness, not to traumatize your workforce. Real attackers may use these tactics, but testing firms must maintain ethical boundaries that real attackers do not have.
Data handling
Credentials captured during phishing assessments must be handled with extreme care. Professional firms hash or discard passwords immediately after recording that a submission occurred. Usernames are retained for reporting purposes but should be stored securely and deleted after the engagement concludes. Any sensitive data encountered during physical assessments, such as documents found during dumpster diving, should be documented photographically and returned, not retained.
How to scope a social engineering assessment
Scoping a social engineering engagement requires different considerations than a technical penetration test. Here is what you need to define before the engagement begins.
Define objectives, not just activities
Start with what you want to learn, not what you want the testers to do. "We want to know if our employees can spot phishing emails" is a weak objective. "We want to measure our credential compromise rate across all departments, benchmark our reporting rate, and identify which teams need targeted training" is a strong objective. Clear objectives drive better scoping, more meaningful results, and more actionable recommendations.
Select the right assessment types
For a first assessment, email phishing is the logical starting point. It provides a broad baseline, tests the largest number of employees, and is the most common real-world attack vector. Once you have email phishing results, add vishing in the next round to test a different channel. Physical assessments should be considered for organizations with significant physical infrastructure, such as data centers, labs, or manufacturing facilities.
Determine target scope
Decide whether you are testing all employees or specific departments. Full-organization testing provides the most complete picture but requires more pretexts to avoid detection across groups. Targeted testing of specific departments (finance, executive team, help desk) provides deeper insight into high-risk areas. Most organizations benefit from a combination: broad phishing across all employees with targeted vishing against the help desk and executive assistants.
Set difficulty level
The sophistication of the pretexts should match the assessment's objectives. If this is a baseline assessment, use moderately convincing pretexts that a trained employee should catch. If you are testing a mature security program, use highly sophisticated spear phishing with personalized content and realistic infrastructure. Testing an untrained organization with advanced pretexts produces a meaninglessly high click rate. Testing a trained organization with obvious pretexts produces a meaninglessly low one.
Establish rules of engagement
Define what happens when an employee reports the phishing email. Who receives the report? Do you want the testers to continue the campaign after it has been reported? What happens if an employee becomes distressed during a vishing call? Who is the emergency contact if something goes wrong during physical testing? These scenarios need documented procedures before the engagement begins, not improvised responses in the moment.
Recommended starting scope: For organizations new to social engineering testing, we recommend starting with a phishing assessment targeting all employees using two to three pretexts of moderate difficulty, combined with five to ten vishing calls against help desk staff. This provides a broad baseline and tests two different channels at a reasonable cost. From there, you can expand to spear phishing, physical testing, and combined assessments based on the initial findings.
Building long-term resilience
A single social engineering assessment is a snapshot. Building genuine resilience against social engineering requires an ongoing program that integrates testing, training, process improvement, and cultural change.
Test regularly. Quarterly phishing assessments with rotating pretexts and periodic vishing tests create sustained awareness. Employees who know they could receive a simulated phishing email at any time are more vigilant than those who know the annual test was last month.
Close process gaps. When vishing assessments reveal that your help desk resets passwords without proper verification, fix the process. When physical assessments reveal that tailgating is trivially easy, improve badge access controls and train receptionists. Assessment results should drive specific, measurable process improvements.
Reward reporting. Create positive incentives for employees who report suspicious communications. Some organizations run "phish reporter of the month" programs. Others award small gift cards for verified reports. The specific incentive matters less than the signal it sends: reporting is valued and encouraged.
Measure trends, not snapshots. Track your metrics across assessments over time. A click rate that drops from 25 percent to 8 percent over 18 months tells a clear improvement story. A report rate that climbs from 3 percent to 50 percent demonstrates that your training program is fundamentally changing employee behavior. These trend lines are what you present to leadership and auditors.
Integrate with technical controls. Social engineering testing should inform your technical security investments. If phishing assessments consistently show that credential harvesting is your biggest risk, that strengthens the case for phishing-resistant MFA (hardware security keys, passkeys). If vishing tests reveal help desk weaknesses, that justifies investing in identity verification technology. Assessment data makes security budget conversations evidence-based instead of fear-based.
Social engineering is the most consistently effective attack vector because it targets the one thing organizations cannot patch: human behavior. Technical controls are necessary, but they are not sufficient. Your people are both your greatest vulnerability and your most powerful defense, depending on whether they have been tested, trained, and equipped to recognize manipulation.
The organizations that fare best against real-world social engineering attacks are not the ones with the most expensive security tools. They are the ones that test regularly, train based on real data, reward reporting, and treat security awareness as an ongoing program rather than an annual checkbox. That cultural shift begins with understanding where you stand today, and the only way to know that is to test.
Test Your Human Defenses
Phishing, vishing, and physical assessments that show you exactly where your people are vulnerable, with actionable training recommendations to close the gaps.
Book a Consultation How Pentests Work
