Red Team

Social Engineering in Red Team Operations

How social engineering fits into a red team engagement — phishing, pretexting, vishing, physical entry — and how organizations build resilience without theatre.

Author
CyberGuards Security Research Team
Published
Updated
Read
12 min read

Why social engineering is in scope for serious engagements

The vast majority of real intrusions begin with a person doing something they should not have. A phishing click. A password reset for an "executive" they have not verified. A door held open for someone holding a coffee. Adversaries optimize for the easy path, and the easy path runs through people more often than it runs through code.

If a red team engagement excludes social engineering entirely, it tests one half of the attack surface and leaves the other half unmeasured. That can be the right scope choice for some engagements (application or infrastructure-only tests). For an organization-wide assessment, social engineering belongs in scope.

Techniques used in real engagements

Phishing

Email-based attacks designed to elicit credentials, install malware, or coerce a sensitive action. Variants include credential phishing (fake login pages), payload phishing (attachments or links to executable content), and business-email-compromise-style impersonation (fake sender, urgent action). Modern campaigns use HTML smuggling and look-alike domains to evade common defenses.

Spear phishing and pretexting

Targeted attacks against specific individuals, with research on the target and a credible pretext. Effective pretexts often involve internal context (a project name, a vendor name, a colleague) that public reconnaissance can surface. The success rate is materially higher than for mass phishing.

Vishing

Voice-based social engineering. A caller claims to be IT, finance, a vendor, or a senior employee, and elicits an action — a password reset, an MFA code, a wire transfer authorization. Voice cloning makes this harder to defend against than it used to be.

Physical entry

Tailgating, badge cloning, social entry through reception. Less commonly in scope today than fifteen years ago because most office environments are less sensitive than they were, but still relevant for organizations with on-site critical infrastructure.

USB drop and removable media

Crafted USB devices left in places employees will find them. Modern variants use the device itself as an attack vector (HID emulation) rather than relying on the file content alone.

Rules of engagement that have to be in writing

Social-engineering operations require more careful rules of engagement than technical-only testing. Without them, the operation crosses legal and ethical lines regardless of intent.

  • Authorization-to-test letter signed by an authorized person with the standing to grant it.
  • Scope of targets. Departments, roles, or specific people in scope. Always exclude individuals on protected leave, recently bereaved, or otherwise vulnerable.
  • Scope of techniques. Phishing? Vishing? Physical? Voice cloning? Deepfake video? Each has its own ethics bar.
  • Stop conditions. What signals (e.g., target requesting cessation, target showing distress, encounter with law enforcement) require the operation to stop immediately.
  • Post-engagement disclosure. What gets disclosed to whom, when, and how. Targets should learn what happened from your team, not from rumour.

What good looks like in deliverable

Five deliverables in a thoughtful social-engineering engagement:

  1. Campaign artifacts. The exact emails, lures, scripts, and pretext narratives used. Reusable as awareness-training material.
  2. Outcome metrics. Click rate, credential-submission rate, action-execution rate, time-to-report from any target who flagged the campaign.
  3. Detection observations. What email security, EDR, SOC processes detected, what they did not, and where the gaps are.
  4. Process gaps. Where verification workflows, dual control, and out-of-band confirmation should have triggered but did not.
  5. Awareness recommendations. Specific patterns to train against, prioritized by the campaign outcomes.

Building resilience that is not theatre

Annual click-and-forget awareness modules do not measurably reduce phishing risk. What does help, in our experience:

  • Technical controls first. MFA on everything that matters. Conditional access. Link rewriting. Anti-spoofing (SPF, DKIM, DMARC at p=reject). Browser-isolation for risky links.
  • Process controls for high-impact actions. Out-of-band verification for any wire transfer, vendor-payment change, or executive request involving money or credentials. Dual control on payment-system actions. Sensitive-action confirmation through a second channel.
  • Frequent, short, specific awareness. Quarterly five-minute modules tied to specific recent campaigns work better than annual hour-long generic training. Focus on the highest-impact patterns.
  • Easy reporting. A one-click "Report phishing" button in email. Visible thank-you for reports. Reports trigger SOC investigation, not silence.
  • Just-culture incident response. When someone clicks, the response is rapid containment plus learning, not punishment. Punishment drives reporting underground.

The honest summary: social-engineering resilience is mostly built by technical and process controls, not by training. Training matters but is the smallest of the three. If your phishing program is mostly annual training and an occasional simulated email, you have built awareness theatre.

What we'd test for this

Red team operations

Multi-stage adversary simulation including social-engineering scope under explicit rules of engagement.

See the engagement Common in this industry

SaaS & B2B software

Multi-tenant isolation, SSO, SOC 2, customer security questionnaires.

See industry scope

Related articles

Red Team

Red Team vs Blue Team: Offensive and Defensive Security

10 min read

Red Team

The MITRE ATT&CK Framework: A Penetration Tester's Guide

13 min read

Penetration Testing

Authenticated vs Unauthenticated Penetration Testing

9 min read

Preparing for your first pentest? Download the SMB Pentest Readiness Checklist →

FAQ

Social engineering — common questions

Is social engineering legal as part of a red team?

Yes, with explicit written authorization from leadership and clear rules of engagement. Without an authorization-to-test letter from a person empowered to grant it, social-engineering operations cross into criminal territory regardless of intent.

Should social engineering be in scope for our engagement?

It depends on what you are testing. If the question is "would our employees click a phishing email and what happens if they do", yes. If the question is "are our applications and infrastructure secure", no — application-level testing is the right scope.

Are phishing-only engagements useful?

Yes for awareness measurement; less so for security maturity. A phishing-click rate is a useful metric. A phishing-only engagement does not test what happens after a click, which is where the real risk lives.

What about deepfake voice or video?

Voice cloning and video manipulation are emerging in real attacks. Reputable red teams use them sparingly, with explicit authorization, and only against narrowly-defined targets. The legal and ethical bar is higher than for text-based phishing.

How do organizations build resilience?

Layered: technical controls (MFA, conditional access, link rewriting, anti-spoofing), process controls (verification workflows for sensitive actions, dual control for money movement), and awareness training that focuses on the highest-impact attack patterns rather than checkbox-style annual modules.

Want a credible answer when a customer, auditor, or your board asks how secure you are?

A quick scoping call with the senior tester who would run your engagement. No slides, no pitch — we look at what you have, tell you what we would test first, and give you a fixed scope, price, and date.

Get a straight answer