Social Engineering Internal Testing Best Practices


Social engineering, the practice of threat actors tricking people into granting access to IT infrastructure so that they can install malware or steal sensitive information, remains a favored method of attack. One reason is that it can be carried out over email (spam or targeted phishing), over the phone, and even in person. As a result, organizations in every economic sector need to conduct some form of internal social engineering testing.

Is it really necessary?

The short answer is an unequivocal yes. Social engineering gives a threat actor a low-tech, high-impact way to attack an organization without advanced malware. Accordingly, the number of new social engineering scams increases daily as scammers and hackers exploit current events and disasters to get your employees to open an email or grant special access to data. With such a low technological barrier to entry, namely simply phoning or emailing a target, and such a potentially high cost to the organization, especially if ransomware is involved, internal testing is most certainly necessary.

Dumpster Diving

This is possibly the easiest internal social engineering test to apply, because it involves the lowest technology barrier a hacker needs to clear: they simply rummage through your waste. All you need to do is collect your organization’s rubbish at certain points and see what it contains. It is the easiest test, but it can be rather distasteful; those looking to scam your organization share very few of your scruples.

When going through the rubbish, look for anything a malicious party would find useful. Documents containing social security numbers and other personally identifiable information, hand-shredded cheques, and confidential internal memos are all examples of paper waste that can be weaponized against the business. In terms of e-waste, hard drives and USB drives can be a treasure trove and should be disposed of appropriately, not in the dumpster.

Phone Tests

These are typically done by a third party who will call staff and try to get as much information from them as possible. The third party then reports any area of concern to the organization, and steps can be taken to avoid future exploitation by a malicious party. Typically these tests attempt to trick employees into giving up confidential business, customer, or employee information, or any information that can be used as part of a scam. While these tests are often done by third parties, they can also be done in-house, but this often requires a fair amount of planning and practice to produce truly actionable data.

Phishing Tests

This is the hardest test to implement internally, but it is likely the most important given how prevalent phishing emails are in any organization. If you have a large and knowledgeable IT staff this can be done internally, but not every business has that luxury. Fortunately, smaller enterprises can implement relatively inexpensive business tools that run tests on employees to see how they interact with potentially suspicious emails.

The data that these tools produce can then be used to better educate staff against the threats they are likely to encounter. At the time of writing, several such tools could easily be found online.
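As an added example, not code from the original article, here is how the per-employee results such a tool exports could be aggregated by department to decide where follow-up training is most needed. The CSV column names, the export format and the thresholds are assumptions, and the rows are constructed sample data rather than output from any real product.

```python
"""Summarise a simulated phishing campaign per department (added example)."""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per employee, 1/0 flags for each action.
# The column layout is an assumption, not a specific tool's format.
SAMPLE_CSV = """employee,department,opened,clicked,submitted,reported
alice,finance,1,1,1,0
bob,finance,1,1,0,0
carol,finance,1,0,0,1
dave,it,1,0,0,1
erin,it,0,0,0,0
frank,sales,1,1,0,0
grace,sales,1,0,0,0
"""

FLAGS = ("opened", "clicked", "submitted", "reported")


def parse_results(text):
    """Parse the CSV export into dict rows with the action flags as ints."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for flag in FLAGS:
            row[flag] = int(row[flag])
        rows.append(row)
    return rows


def department_stats(rows):
    """Per-department headcount plus click, credential-submit and report rates."""
    counts = defaultdict(lambda: {"total": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for r in rows:
        d = counts[r["department"]]
        d["total"] += 1
        for flag in ("clicked", "submitted", "reported"):
            d[flag] += r[flag]
    return {
        dept: {
            "total": d["total"],
            "click_rate": d["clicked"] / d["total"],
            "submit_rate": d["submitted"] / d["total"],
            "report_rate": d["reported"] / d["total"],
        }
        for dept, d in counts.items()
    }


def training_priority(stats, click_threshold=0.3, report_floor=0.25):
    """Departments to prioritise for training: many clicks or few reports.
    The thresholds are placeholder assumptions; tune them to your own baseline."""
    return sorted(dept for dept, s in stats.items()
                  if s["click_rate"] >= click_threshold or s["report_rate"] < report_floor)
```

A low report rate matters as much as a high click rate: staff who neither click nor report leave the security team blind to a real campaign.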


Completely internal tests to help combat the scourge of social engineering should not be seen as a wasted expense. Ask any business leader who has experienced the ramifications of such an attack, whether or not the organization survived them, and viewpoints quickly change. Such a test can be a lifesaver.