Social engineering pentest: How to create a campaign?


This white paper outlines what to consider before launching a social engineering audit.


White paper Social Engineering Pentest

Preparing a social engineering campaign can’t be improvised. A social engineering penetration test consists of auditing human behaviours when facing cyberattacks in a company. In practice, realistic phishing, spear phishing, vishing (phone attacks) and physical intrusions can be carried out.

Depending on the objectives of the social engineering audit, the attacks will be more or less sophisticated: sending mass emails or targeted emails, malicious links, cloning interfaces of web solutions used daily by teams, impersonating colleagues or managers…

The social engineering pentest allows both to measure the risks and to reinforce the awareness of the company's staff. Indeed, seeing the concrete results of attacks that have worked is striking, especially for those who have "fallen into the trap". The psychological impact is much stronger than with traditional risk training, and most of the people involved will not fall into the same traps when they are faced with similar threats again.

Social engineering penetration testing can be adapted to different objectives, different types of companies, and different organisational specificities. The purpose of this white paper is to outline what to consider before launching this type of audit.

White paper how to create a social engineering campaign

How to create a social engineering campaign? 

This white paper is based on our experience with many companies of all sizes and in all sectors. You can use it as a resource to help you choose what will work best for your organisation.

In this white paper you will find:

  • Information on the types of tests performed during a social engineering campaign
  • Elements to consider when narrowing down your choices: When to conduct a social engineering pentest? Should you opt for black box or grey box testing? Should you do it in-house or outsource the tests? Is it better to inform employees or not to let anything slip?
  • Steps to prepare a social engineering campaign: definition of priority risks and threats, targets, and specificities to be taken into account
  • Advice on building attack scenarios, as well as executing them and tracking the results


Vaadata, a company specialized in pentesting

VAADATA is a company highly specialized in penetration testing. It is recognized as an innovative expert in its specialty field.

Vaadata offers (black box, grey box, white box) security audits of the following scope: web platforms, mobile apps, IoT, infrastructure, social engineering.

Vaadata’s mission is to democratize pentesting services with offers adapted to both startups and large companies. We work with 200 clients in Europe and North America. Among them: Credit Agricole Bank, Heineken, Esker, Dext, Malt, Friendsurance…

Vaadata is a CREST accredited company. Our technical team owns following certifications: CEH, OSCP, GWAPT, OSWE, AWS Certified Security and AWS certified Solutions Architect, CISSP, PMP.