Social Engineering testing can be done in a number of ways and will depend on the client. It can be physical: a tester may go on site and attempt to gain access to an employee's computer. It may also be remote, performed via phishing email or telephone call. The exact nature of the test is defined in the scope. Lock picking is also sometimes used to gain access to parts of the building that would otherwise be inaccessible; however, this is more common in Red Team Assessments.
When performing phishing attacks, the client may also choose to have this run as a regular managed service. In this case, a list of current email addresses should be provided, which can be cycled through over the month to gauge users' ability to recognize fraudulent emails.
Targeted phishing emails and spear phishing tend to fall under Red Team Assessment testing, but if desired they could be performed under this testing category, depending on the client's needs.