
    Social Engineering Assessment: What We Test and Why It Matters

Sectricity Security Team, March 17, 2026

    Phishing filters and endpoint protection stop most automated attacks. Social engineering targets the one thing no filter can block: your people. This guide explains what a social engineering assessment tests, how each technique works, and what your organisation learns from it.


    TL;DR

    Technical controls stop automated attacks. Firewalls, endpoint detection, and email filters handle the vast majority of what hits your perimeter every day. Social engineering bypasses all of that by targeting your people directly. A social engineering assessment tests whether your staff, your processes, and your physical access controls hold up when a skilled attacker applies pressure in a realistic scenario. This guide explains what we test, how each technique works, what the output looks like, and why this type of assessment catches what no scanner ever will.

    What social engineering actually is

Social engineering is the use of psychological manipulation to deceive people into taking actions that compromise security. Exploiting it requires no technical skill. It requires an understanding of human behaviour, specifically the reflexes that make people helpful, compliant, and trusting under pressure.

    Attackers exploit urgency, authority, familiarity, and fear. A message that appears to come from your CEO and requires immediate action is far more likely to produce a response than a generic phishing template. A caller who knows your company name, your IT helpdesk's extension format, and the name of a real colleague is far more persuasive than one who does not.

    The attack surface for social engineering is every person in your organisation. It is also every process that relies on human judgement, and every physical access point that depends on a person making the right call under pressure.

    What we test in a social engineering assessment

    A social engineering assessment is not a single technique. It is a coordinated set of tests across multiple attack vectors, scoped to your organisation's specific risk profile. The following are the core assessment types.

    Phishing simulation

    Realistic phishing emails are sent to a defined group of staff. The scenarios are tailored to your organisation: they reference your actual systems, suppliers, processes, and job roles. We test whether staff click links, submit credentials, open attachments, or comply with embedded instructions.

What we measure: click rate, credential submission rate, attachment open rate, and reporting rate. The combination of these metrics reveals whether your staff are able to identify suspicious communications, whether they know how to report them, and which departments or roles are most susceptible. Reporting rate deserves as much attention as click rate: a staff member who clicks but reports the message within minutes gives your incident responders a chance to contain the attack, while one who clicks and says nothing leaves the compromise undetected.

    Vishing (voice phishing)

    Our ethical hackers call your staff while impersonating a trusted party: IT support requesting urgent password reset assistance, a bank calling about a flagged transaction, a regulator requesting information, or a senior manager asking for an urgent action.

    What we measure: whether staff disclose credentials or sensitive information over the phone, whether they comply with requests that should require verification, whether they know how to challenge and escalate suspicious calls, and whether helpdesk and reception staff apply verification procedures consistently.

    Vishing is often the most revealing test in an assessment. People who would never click a suspicious email link will willingly confirm their username, token code, or recent login history to a caller who sounds authoritative and uses the right vocabulary.

    Smishing (SMS phishing)

SMS messages are sent to staff devices using scenarios relevant to your organisation: package delivery notifications, IT system alerts, urgent payment confirmations, or requests to read back or enter a one-time authentication code. Smishing exploits the lower scrutiny most people apply to messages on their personal devices, and the fact that mobile messaging clients show little or none of the destination URL before it is tapped.

    What we measure: click rates on SMS links, credential submission via SMS-delivered landing pages, and response rates to SMS-based social engineering attempts.
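The phishing and smishing sections above list the same set of metrics (click, credential submission, attachment open and reporting rates) broken down by department and channel. The following script is an added example, not Sectricity's tooling: it assumes a simple one-event-per-line campaign log, a constructed set of sample events, and invented department and recipient names, and it shows the two details that matter when turning raw events into those rates: deduplicating a recipient who clicks the same link several times, and singling out the people who interacted with the lure but never reported it.

```python
"""Phishing and smishing simulation metrics from a campaign event log.

Added example, not Sectricity's tooling: the log format, the event names,
the departments and every helper below are assumptions for illustration.
One event per line: timestamp, channel, recipient, department, event type.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Event types a simulation platform typically records after a lure is 'sent'.
ACTIONS = ("clicked", "submitted", "opened_attachment", "reported")
INTERACTIONS = {"clicked", "submitted", "opened_attachment"}

# Constructed sample log (made up for this example). Alice clicks twice on
# purpose, to show that the second click must not inflate the click rate.
SAMPLE_LOG = """\
2026-03-02T09:00:00Z email alice@example.test finance sent
2026-03-02T09:00:00Z email bob@example.test   finance sent
2026-03-02T09:00:00Z email carol@example.test it      sent
2026-03-02T09:00:00Z sms   dave@example.test  finance sent
2026-03-02T09:00:00Z sms   erin@example.test  it      sent
2026-03-02T09:04:12Z email alice@example.test finance clicked
2026-03-02T09:04:13Z email alice@example.test finance clicked
2026-03-02T09:05:40Z email alice@example.test finance submitted
2026-03-02T09:06:01Z email bob@example.test   finance reported
2026-03-02T09:07:30Z email carol@example.test it      clicked
2026-03-02T09:09:00Z email carol@example.test it      reported
2026-03-02T09:10:00Z sms   dave@example.test  finance clicked
2026-03-02T09:10:45Z sms   dave@example.test  finance submitted
"""


@dataclass
class GroupStats:
    """Metrics for one (channel, department) group."""
    sent: int = 0
    counts: dict = field(default_factory=lambda: {a: 0 for a in ACTIONS})
    # Recipients who interacted with the lure but never reported it: the
    # population that awareness training should reach first.
    silent_failures: set = field(default_factory=set)

    def rate(self, action):
        """Share of recipients in the group who performed `action`."""
        return round(self.counts[action] / self.sent, 3) if self.sent else 0.0


def parse_log(text):
    """Yield (timestamp, channel, recipient, department, event) per line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        yield tuple(fields)


def compute_metrics(log_text):
    """Return {(channel, department): GroupStats}.

    Each recipient counts at most once per action and channel, so a user who
    clicks the same link three times does not triple the click rate.
    """
    groups = defaultdict(GroupStats)
    actions_by_recipient = defaultdict(set)  # (channel, dept, recipient) -> actions
    for _ts, channel, recipient, dept, event in parse_log(log_text):
        key = (channel, dept)
        if event == "sent":
            groups[key].sent += 1
        elif event in ACTIONS:
            who = (channel, dept, recipient)
            if event not in actions_by_recipient[who]:
                actions_by_recipient[who].add(event)
                groups[key].counts[event] += 1
    for (channel, dept, recipient), actions in actions_by_recipient.items():
        if actions & INTERACTIONS and "reported" not in actions:
            groups[(channel, dept)].silent_failures.add(recipient)
    return dict(groups)


def prioritise(groups):
    """Order groups for remediation: highest credential-submission rate first,
    lowest reporting rate breaking ties."""
    return sorted(groups, key=lambda k: (-groups[k].rate("submitted"),
                                         groups[k].rate("reported")))


if __name__ == "__main__":
    stats = compute_metrics(SAMPLE_LOG)
    print(f"{'channel':7} {'dept':8} {'sent':>4} {'click':>6} {'submit':>6} {'report':>6}  silent")
    for channel, dept in prioritise(stats):
        g = stats[(channel, dept)]
        print(f"{channel:7} {dept:8} {g.sent:>4} {g.rate('clicked'):>6} "
              f"{g.rate('submitted'):>6} {g.rate('reported'):>6}  "
              f"{', '.join(sorted(g.silent_failures)) or '-'}")
```

Two design choices are worth noting. Rates are computed per (channel, department) rather than per person, which matches the reporting-at-department-level principle described later on this page. And the ordering in `prioritise` treats a group that submits credentials and never reports as the most urgent, because that is the combination a real attacker benefits from most.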

    Mystery guest (physical access testing)

A trained ethical hacker attempts to gain physical access to your premises by impersonating a contractor, delivery person, IT vendor, or visitor. The test is conducted with no prior notification to reception or security staff; a named contact in your organisation authorises the engagement in writing and can confirm the tester's identity if they are challenged and held.

    What we test: whether receptionists and security personnel verify identity and authorisation before granting access, whether tailgating through secure doors is possible, whether unattended workstations or documents are accessible, whether staff challenge or ignore unfamiliar individuals in restricted areas, and whether physical security procedures written in policy are actually followed in practice.

    The gap between written physical security policy and what actually happens at the front desk is consistently one of the most significant findings in our assessments. Access is frequently granted to plausible-seeming visitors without any verification of identity or authorisation.

    Pretexting and impersonation

    More complex scenarios that combine multiple techniques: a simulated vendor audit that requires staff to share system access, a fake merger communication designed to extract financial authorisation, or a multi-step campaign that begins with an email, continues with a phone call, and concludes with a physical visit.

    These scenarios test your organisation's resilience to the kind of coordinated social engineering that precedes the most damaging breaches. They are scoped and approved in advance, with clear boundaries agreed before any activity begins.

    What attackers are actually after

    Understanding what attackers target helps you understand why testing matters. The objectives of social engineering attacks are almost always one of four things.

Credentials. Usernames, passwords, one-time MFA codes, and session cookies. A single set of credentials for a privileged account can give an attacker access to your entire environment, and a stolen session cookie lets them skip authentication entirely for as long as the session remains valid.

Financial authorisation. Business email compromise and CEO fraud target finance teams and executive assistants to redirect payments, approve fraudulent invoices, or authorise wire transfers. Business email compromise is consistently among the most financially damaging categories of cybercrime reported to law enforcement, because a single successful request can move a large sum in one transaction.

Physical access. Premises access enables device planting, data theft, and network infiltration that bypasses all perimeter controls. An attacker with a USB device and five minutes at an unlocked, unattended workstation can establish a persistent backdoor, unless removable media and unauthorised USB devices are blocked by endpoint policy.

    Information disclosure. Organisational structure, system names, supplier relationships, and employee details that support more targeted follow-on attacks. Information freely shared in a friendly conversation can become the foundation of a highly convincing spear-phishing campaign.

    What the output of an assessment looks like

    A social engineering assessment is not a set of statistics. It is a documented record of what happened, what it means, and what needs to change.

    For each tested scenario the report documents: the attack vector used, the pretext and scenario, the staff member or department targeted, what happened, what the attacker could have achieved with that outcome in a real attack, which control failed or was absent, and the recommended remediation.

The report distinguishes between failures in written policy, failures in staff behaviour, and failures in technical controls. These require different remediation responses. A policy that exists but is not followed is a training or process-design problem: if the verification step is slow or awkward, staff will route around it regardless of how often they are trained. A policy that does not exist is a governance problem. A technical control that could have prevented the outcome but was not in place is a security architecture problem.

    The output is always presented in a debrief session with your security team. Findings are discussed in context, remediation is prioritised by risk, and the technical evidence collected during the assessment is reviewed together.

    What a social engineering assessment does not do

    It is worth being clear about scope. A social engineering assessment is not designed to humiliate individual staff members. Results are reported at the organisational and departmental level, not as a named list of people who failed. The goal is to identify systemic weaknesses in process and culture, not to blame individuals for being human.

    A social engineering assessment is also not a substitute for security awareness training. The assessment identifies the gaps. Training and process changes close them. The two work best when planned together: assess first to establish the baseline, train based on what you find, then re-assess to measure improvement.

    Compliance relevance: NIS2 and ISO 27001

NIS2 Article 21(2) requires essential and important entities to implement measures that include basic cyber hygiene practices and cybersecurity training (point (g)), human resources security and access control policies (point (i)), incident handling (point (b)), and policies and procedures to assess the effectiveness of those measures (point (f)). A documented social engineering assessment provides supporting evidence for the human-factor elements of these requirements and, in particular, shows that the effectiveness of your awareness and access control measures has actually been assessed rather than assumed.

ISO 27001:2022 Annex A controls 6.3 (information security awareness, education and training), 6.8 (information security event reporting), 7.2 (physical entry), and 8.16 (monitoring activities) all relate directly to what a social engineering assessment tests. Certification auditors increasingly expect evidence of human-factor testing, not just technical controls.

    FAQ

    What is a social engineering assessment?

    A social engineering assessment is a controlled test in which certified ethical hackers attempt to manipulate your staff using the same psychological techniques that real attackers use. This includes phishing emails, vishing phone calls, smishing SMS messages, physical access attempts, and impersonation. The goal is to identify weaknesses in your human defences before a real attacker does.

    What is the difference between a phishing simulation and a full social engineering assessment?

A phishing simulation tests one specific channel, typically email, to measure click rates and credential submission across your organisation. A full social engineering assessment is broader and more realistic. It combines multiple attack vectors (email, phone, SMS, and physical) in coordinated scenarios that mirror how sophisticated attackers actually operate. A phishing simulation tells you click rates. A social engineering assessment tells you what an attacker could actually achieve.

    What is a mystery guest test?

    A mystery guest test is a physical social engineering assessment in which a trained ethical hacker attempts to gain unauthorised physical access to your premises by impersonating a contractor, supplier, delivery person, or visitor. The test measures how effectively your reception, security personnel, and general staff enforce access controls when challenged by a convincing but unauthorised person.

    What does a vishing test involve?

    A vishing test involves ethical hackers making phone calls to your staff while impersonating a trusted authority such as IT support, a bank, a regulator, or a senior manager. The test measures whether staff can be manipulated into disclosing credentials, confirming sensitive information, authorising actions, or bypassing security procedures. Scripts are tailored to your sector and the specific scenarios most relevant to your organisation.

    How is the output of a social engineering assessment structured?

    A social engineering assessment produces a structured report that documents every tested scenario, the technique used, the outcome, and the evidence collected. For each finding, the report includes a description of what happened, why it represents a risk, which control failed, and what remediation is recommended. The report distinguishes between technical control failures and human behaviour findings, and provides an overall risk rating with prioritised recommendations.

    How often should a social engineering assessment be conducted?

    Most organisations benefit from a full social engineering assessment at least once per year, combined with ongoing phishing simulations between cycles. High-risk environments, organisations that have experienced a social engineering incident, and those undergoing significant staff changes should consider more frequent assessments. NIS2 and ISO 27001 both support regular human-factor security testing as part of a mature risk management programme.

    Related services and resources

    Sectricity conducts social engineering assessments across Belgium, the Netherlands, and the UK. Our assessment portfolio covers phishing simulations, vishing tests, smishing campaigns, and mystery guest physical access testing. For organisations looking to build resilience after an assessment, we offer security awareness training and our multi-channel Swishing programme. Not sure where to start? Begin with a free security scan.