Social Engineering in Penetration Testing: Tactics and Defense

by Mile2 Canada, 4 minutes read, May 27, 2026
Social Engineering in Penetration Testing: Tactics and Defense — photo by Markus Winkler via Pexels

In 2024, the Canadian Anti-Fraud Centre recorded $67.3 million in reported losses tied to spear phishing and business email compromise alone. This figure does not include the unreported incidents, the lateral movement following a successful lure, or the months organizations spend cleaning up after one employee clicked the wrong link. Social engineering is not a secondary concern in cybersecurity. It is the front door most attackers walk through first.

For penetration testers and the organizations hiring them, understanding how social engineering works in an assessment context is essential. Testing technical controls is only half the job. If your security assessment does not evaluate the human layer, you are leaving a large portion of your attack surface unmeasured.

What Social Engineering Testing Covers

Social engineering penetration testing simulates the same manipulation tactics a real threat actor uses to gain access to systems, credentials, or sensitive information by targeting people rather than technology.

The Canadian Centre for Cyber Security outlines the core attack types in ITSAP.00.166. Phishing sends deceptive messages to a broad audience. Spear phishing targets specific individuals with tailored content. Vishing uses phone calls to extract credentials or access. Smishing uses SMS. Pretexting builds a fabricated scenario to earn trust before making a request. Each of these tactics appears in real-world attacks and in structured penetration tests.

A competent social engineering assessment tests which of these approaches your staff recognise, which they fall for, and how your incident response process handles the result. The output is a report — not a blame list. It tells you where your human controls need reinforcement.

How Threat Actors Use These Tactics Against Canadian Targets

The CCCS National Cyber Threat Assessment 2025-2026 identifies phishing as one of the most reported fraud types in Canada and notes spear phishing carries some of the highest financial impact of any attack vector. Police-reported cybercrime in Canada reached 225.1 incidents per 100,000 people in 2024 — more than double the 2018 rate.

AI has accelerated the problem. More than 80% of phishing emails now use AI-generated content, making them harder to identify by appearance alone. Phishing-as-a-Service kits lower the skill threshold for attackers. Voice cloning makes vishing calls more convincing. The social engineering attacks your employees face today look nothing like the crude fraud attempts of five years ago.

Unit 42's 2025 incident response data found 36% of all investigated cases began with a social engineering tactic. For pen testers, this is the argument you bring to clients who resist including human-layer testing in scope. The technical infrastructure might be locked down. The employee who received a plausible pretext call from someone claiming to be from IT support might not be.

The Phases of a Social Engineering Engagement

A structured social engineering assessment follows defined phases. It starts with scoping: agreeing on which tactics are in scope, which employees or roles are targets, and what success looks like. Then comes open-source intelligence (OSINT) gathering — researching the organization's public footprint, staff on LinkedIn, domain records, email formats, and any leaked credentials in breach databases.

From there, the tester builds scenarios. A phishing campaign sends targeted, scenario-specific emails to selected staff and measures click rates, credential submissions, and report rates. A vishing engagement calls specific roles — often help desk, finance, or executive assistants — and attempts to extract information or trigger an action through a believable story.

Physical social engineering tests, such as tailgating or USB drop attacks, are less common in remote-first environments but remain relevant for organizations with physical offices, data centres, or secure facilities.

The engagement closes with a full report: what worked, what was reported correctly, what bypassed controls, and what training or process changes address the gaps.

What Pen Testers Need to Know Before Running These Engagements

Social engineering testing requires explicit written authorisation. This is non-negotiable. Without a clearly scoped statement of work and sign-off from an authorized client representative, simulated phishing and vishing fall outside legal and ethical boundaries. The ethical hacker's mandate is to test with permission, document everything, and report accurately. Any engagement without proper authorisation is not a penetration test — it is an attack.

Pen testers who want to build this skill set need grounding in both technical and psychological attack methods. The Certified Professional Ethical Hacker (CPEH) covers the full methodology, including the social engineering components showing up consistently in real engagements. For those moving into full penetration testing work, the Certified Penetration Testing Engineer (CPTE) builds on this foundation with structured technical methodology and reporting skills clients and employers expect.

What Organizations Should Do With the Results

A social engineering test is not a pass/fail event. The goal is to identify gaps, not to embarrass staff. Organizations running these assessments regularly and acting on findings build measurable improvement in reporting rates and resistance over time.
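The phishing-campaign measurements described in the engagement phases above (click, credential-submission and report rates) and the improvement-over-time point made here can be put into one scoring routine. This is an added example, not code from the post or from Mile2; the event rows are a constructed sample and the CSV layout is a placeholder, not any real phishing-simulation tool's export format.

```python
# Added example, not code from the post or from Mile2: score a simulated phishing
# campaign from per-recipient events. CSV layout is a constructed placeholder.
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: timestamp,campaign,recipient,event. Campaign q2 ran after
# the role-specific training that followed q1.
EVENTS = """\
2025-03-03T09:00:00,q1,alice,sent
2025-03-03T09:00:00,q1,bob,sent
2025-03-03T09:00:00,q1,carol,sent
2025-03-03T09:05:00,q1,alice,clicked
2025-03-03T09:06:00,q1,alice,submitted
2025-03-03T09:20:00,q1,bob,clicked
2025-03-03T10:30:00,q1,carol,reported
2025-06-02T09:00:00,q2,alice,sent
2025-06-02T09:00:00,q2,bob,sent
2025-06-02T09:00:00,q2,carol,sent
2025-06-02T09:04:00,q2,alice,reported
2025-06-02T09:15:00,q2,bob,clicked
2025-06-02T09:16:00,q2,bob,reported
2025-06-02T09:40:00,q2,carol,reported
"""

def parse_events(text):
    """Yield (timestamp, campaign, recipient, event) from the CSV text."""
    for line in text.strip().splitlines():
        ts, campaign, recipient, event = line.split(",")
        yield datetime.fromisoformat(ts), campaign, recipient, event

def campaign_metrics(events):
    """Per campaign: click, credential-submission and report rates over everyone
    sent the lure, plus median minutes from send to report."""
    first = defaultdict(lambda: defaultdict(dict))  # campaign -> person -> event -> first ts
    for ts, campaign, recipient, event in events:
        first[campaign][recipient].setdefault(event, ts)
    out = {}
    for campaign, people in first.items():
        sent = [p for p in people.values() if "sent" in p]
        rate = lambda ev: sum(ev in p for p in sent) / len(sent)
        delays = [(p["reported"] - p["sent"]).total_seconds() / 60
                  for p in sent if "reported" in p]
        out[campaign] = {"targets": len(sent), "click_rate": rate("clicked"),
                         "submit_rate": rate("submitted"), "report_rate": rate("reported"),
                         "median_report_minutes": median(delays) if delays else None}
    return out

METRICS = campaign_metrics(parse_events(EVENTS))
```

A recipient who clicks and then reports (bob in q2) counts in both rates, which is the partial win the report should call out rather than hide.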

Actionable follow-up includes role-specific training for staff who failed specific scenarios, updated procedures for verifying identity in high-risk interactions (like password resets or wire transfers), and a formal incident reporting channel employees know to use when something feels wrong.

The CCCS recommends multi-factor authentication, tailored security training, and a clear incident response plan as the baseline defensive response to social engineering risk. These are not optional extras — they are the minimum controls organizations need to reduce their exposure in a threat environment where the human layer is the most targeted entry point in Canada's attack surface.
