July 2, 2026
Social Engineering & Phishing — When the Weakest Link Is Human
Phishing campaigns, pretexting, vishing, and why your best firewall can’t stop a convincing email
By R. Mahathi
This is Part 7 of my VAPT series. We've worked through reconnaissance, scanning, network pentesting, Active Directory attacks, and web application testing. Every one of those techniques targets systems — firewalls, servers, protocols, code. This post targets something entirely different: people.
What Is Social Engineering?
Social engineering is the practice of manipulating individuals — through deception, trust-building, or psychological pressure — into taking actions or revealing information that compromises security. It bypasses technical controls entirely by going around them, not through them. Instead of exploiting a misconfigured firewall, you call the help desk and convince them to reset a password. Instead of finding an SQLi vulnerability, you send an email that gets the target to hand over their credentials willingly.
It's the oldest attack vector in security and still one of the most effective precisely because it's the hardest to patch. You can update software. You can't push a patch to human psychology.
Why It Matters
Verizon's annual Data Breach Investigations Report has consistently found that the majority of breaches involve a human element — phishing, stolen credentials, or social engineering. The specific percentage shifts year to year, but the pattern doesn't: most successful attacks start not with a zero-day exploit, but with a convincing email or phone call.
A few reasons this keeps being true:
- Employees are trained to be helpful, which social engineers exploit directly.
- Phishing infrastructure has become commoditised — convincing campaigns require far less technical skill than they once did.
- Hybrid work environments have normalised communication through unfamiliar channels (new collaboration tools, calendar invites from unknown addresses), reducing baseline suspicion.
- A single click from a single employee can bypass millions of dollars of perimeter security.
This is also why MITRE ATT&CK lists phishing as a technique under its Initial Access tactic (TA0001) — it's the most common way real-world threat actors establish their first foothold.
Attack Types and Techniques
Phishing Campaigns
Phishing is the delivery of a deceptive message — almost always email — designed to trick the recipient into clicking a malicious link, opening a weaponised attachment, or submitting credentials to a fake login page. Modern phishing is less about mass-blast "spray and pray" and increasingly about precision:
- Spear phishing — targeted at a specific individual, personalised with their name, role, or organisation to appear legitimate.
- Whaling — spear phishing aimed specifically at senior executives or high-value accounts.
- Clone phishing — duplicating a legitimate email the target has already received (a delivery notification, an IT helpdesk message) and replacing links or attachments with malicious versions.
The infrastructure side of a phishing simulation during a VAPT engagement typically involves a lookalike domain, a cloned login page hosted on it, and a credential harvesting backend — all built to measure how many users click, how many submit credentials, and how quickly the security team detects or reports the campaign.
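The lookalike domain is the piece of that infrastructure a mail gateway or SOC analyst can actually catch. The following is an added example (not code from this post, from SET, or from TrustedSec) of the triage a defender would run over From: headers: it folds visually confusable characters, measures edit distance against the organisation's real domain, and flags domains that merely embed the brand name. It assumes the legitimate domains are known and that the organisation's own mail arrives from those domains or their subdomains; every header and domain below is constructed.

```python
"""Lookalike-domain triage for a defender reviewing mail logs.

Added example for this post (not SET or TrustedSec code). It assumes the
organisation's legitimate domains are known and that sender domains are
extracted from From: headers. All sample values below are constructed.
"""
from __future__ import annotations

from email.utils import parseaddr

# Visually confusable sequences that lookalike registrations rely on.
# Multi-character entries are applied first so "rn" becomes "m" before
# the single-character map runs.
MULTI_GLYPHS = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_GLYPHS = {"0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "8": "b"}


def normalize(label: str) -> str:
    """Fold a domain label to a canonical form so 'exarnp1e' == 'example'."""
    s = label.lower()
    for seq, repl in MULTI_GLYPHS.items():
        s = s.replace(seq, repl)
    return "".join(SINGLE_GLYPHS.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'evil' for 'example.com.login.evil.net'.

    Simplification: the last label is treated as the TLD, so multi-part
    suffixes such as co.uk are not handled here.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(sender_domain: str, legit_domains: list[str]) -> dict:
    """Return a verdict for one sender domain against the legitimate set."""
    host = sender_domain.lower().strip(".")
    for legit in legit_domains:
        legit = legit.lower()
        if host == legit or host.endswith("." + legit):
            return {"domain": host, "verdict": "legitimate", "matches": legit}
    label = registrable_label(host)
    for legit in legit_domains:
        brand = registrable_label(legit)
        if label != brand and normalize(label) == normalize(brand):
            return {"domain": host, "verdict": "homoglyph", "matches": legit}
        # Small edit distance on a reasonably long brand = likely typosquat.
        if len(brand) >= 5 and 0 < levenshtein(label, brand) <= 2:
            return {"domain": host, "verdict": "typosquat", "matches": legit}
        # The real brand name embedded in a domain someone else controls.
        if brand in host:
            return {"domain": host, "verdict": "brand-embedded", "matches": legit}
    return {"domain": host, "verdict": "unrelated", "matches": None}


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header value."""
    _, address = parseaddr(from_header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(from_headers: list[str], legit_domains: list[str]) -> list[dict]:
    """Classify every From: header and return only the suspicious ones."""
    results = [classify(sender_domain(h), legit_domains) for h in from_headers]
    return [r for r in results if r["verdict"] not in ("legitimate", "unrelated")]


if __name__ == "__main__":
    # Constructed From: headers, as they might appear in a mail gateway log.
    SAMPLE_HEADERS = [
        "IT Helpdesk <helpdesk@example.com>",
        "Payroll <payroll@mail.example.com>",
        "IT Helpdesk <helpdesk@exarnple.com>",
        "Security <noreply@examp1e.com>",
        "HR <hr@exmaple.com>",
        "SSO <sso@example-login.com>",
        "Auditor <audit@example.com.secure-verify.net>",
        "GitHub <noreply@github.com>",
    ]
    for finding in triage(SAMPLE_HEADERS, ["example.com"]):
        print(f"{finding['verdict']:15} {finding['domain']}")
```

The edit-distance threshold is deliberately tied to brand length: a two-character distance on a four-letter brand would flag half the dictionary, so short brands should rely on the homoglyph and brand-embedded checks instead. In a real pipeline the same function is run over newly observed sender domains and the "typosquat" and "homoglyph" verdicts feed a block or quarantine rule, while "brand-embedded" usually warrants analyst review because legitimate third parties sometimes use such names.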
Pretexting
Pretexting is the construction of a fabricated scenario (a "pretext") to extract information or access from a target. The attacker assumes a false identity with a plausible story:
- Impersonating IT support to get a user to install "remote management software."
- Posing as an auditor requesting access to financial records.
- Claiming to be a new employee who "lost their badge" to gain physical entry.
What makes pretexting effective is that it exploits social norms — the instinct to be helpful to a colleague, defer to authority, or avoid confrontation. The attacker isn't finding a logical exploit; they're finding a human one.
In a formal VAPT engagement, pretexting scenarios are agreed with the client in advance and scoped carefully — the goal is to measure whether employees follow established verification procedures, not to catch individuals in an unfair trap.
Vishing (Voice Phishing)
Vishing is phishing by phone. An attacker calls a target — often impersonating IT support, a bank, a government agency, or a vendor — and uses urgency, authority, or sympathy to extract sensitive information (passwords, one-time codes, account details) or convince the target to take an action (transferring funds, installing software).
What makes vishing particularly effective is the real-time pressure of a live phone call. There's no time to hover over links or scrutinise email headers — the social pressure of an ongoing conversation compresses decision-making in ways that email doesn't.
SET — Social Engineering Toolkit
The Social Engineering Toolkit (SET), developed by TrustedSec, is an open-source framework specifically built for social engineering attack simulation within authorised engagements. It's the standard tool for structuring phishing simulations, credential harvesting setups, and spear phishing delivery in a controlled environment.
Key capabilities used in VAPT engagements:
Launch the toolkit from a terminal with the setoolkit command. From the SET menu:
- Social-Engineering Attacks → Spear-Phishing Attack Vectors — generates and sends phishing emails with weaponised payloads.
- Social-Engineering Attacks → Website Attack Vectors → Credential Harvester — clones a target login page and serves it from a local or hosted listener, capturing submitted credentials.
- Social-Engineering Attacks → SMS Spoofing — sends SMS messages with spoofed sender IDs for mobile-targeted campaigns.
Awareness Testing
The other side of social engineering in a VAPT context is measurement: running controlled phishing and pretexting campaigns specifically to assess how an organisation's employees respond. The output isn't just "X% of users clicked the link" — a well-run awareness test produces:
- Click-through and credential-submission rates by department or role.
- Time-to-report metrics (how long before someone flagged the phishing email to IT).
- Comparison against previous tests to track improvement or regression.
- Targeted training recommendations for high-risk departments.
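The metrics in that list are only as good as the event export behind them, and the usual mistakes (counting a double-clicker twice, measuring time-to-report from the wrong start point) are easy to make. Here is an added example, not output from SET or from any phishing platform, that turns a constructed campaign export into exactly those four outputs: per-department click and submission rates, time to first report, a regression check against the previous campaign, and a training-priority list. It assumes the tooling exports one row per event as "timestamp,user,department,kind" and that last campaign's click rates are available; the log and the prior rates are constructed.

```python
"""Turn a phishing-simulation event log into awareness-test metrics.

Added example for this post; not output from SET or any phishing platform.
Assumes one exported row per event ("timestamp,user,department,kind") and
a prior campaign's click rates for comparison. All values are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SAMPLE_LOG = """\
# constructed campaign export: timestamp,user,department,event
2026-06-01T09:00:00,alice,finance,sent
2026-06-01T09:00:00,bob,finance,sent
2026-06-01T09:00:00,carol,finance,sent
2026-06-01T09:00:00,dave,finance,sent
2026-06-01T09:00:00,erin,engineering,sent
2026-06-01T09:00:00,frank,engineering,sent
2026-06-01T09:00:00,grace,engineering,sent
2026-06-01T09:00:00,heidi,engineering,sent
2026-06-01T09:04:12,alice,finance,clicked
2026-06-01T09:04:40,alice,finance,submitted
2026-06-01T09:06:05,bob,finance,clicked
2026-06-01T09:06:30,bob,finance,clicked
2026-06-01T09:11:00,erin,engineering,clicked
2026-06-01T09:12:30,grace,engineering,reported
2026-06-01T09:20:00,carol,finance,clicked
2026-06-01T09:20:45,carol,finance,submitted
2026-06-01T09:35:00,dave,finance,reported
"""

# Constructed click rates from the previous quarter's campaign.
PREVIOUS_CLICK_RATES = {"finance": 0.50, "engineering": 0.50}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    dept: str
    kind: str  # sent | clicked | submitted | reported


def parse_log(text: str) -> list[Event]:
    """Parse the CSV export; comment and blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, dept, kind = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, dept, kind))
    return events


def department_rates(events: list[Event]) -> dict[str, dict[str, float]]:
    """Per-department rates as a fraction of users who were sent the lure.

    Users are counted once per outcome: bob's second click is not a second
    click-through.
    """
    users_by = defaultdict(lambda: defaultdict(set))
    for e in events:
        users_by[e.dept][e.kind].add(e.user)
    rates = {}
    for dept, kinds in users_by.items():
        sent = len(kinds["sent"])
        if sent == 0:  # events for a department that was never targeted
            continue
        rates[dept] = {
            "sent": sent,
            "click_rate": len(kinds["clicked"]) / sent,
            "submit_rate": len(kinds["submitted"]) / sent,
            "report_rate": len(kinds["reported"]) / sent,
        }
    return rates


def time_to_first_report(events: list[Event]) -> timedelta | None:
    """Delay between the first send and the first report to IT; None if nobody reported."""
    start = min(e.ts for e in events if e.kind == "sent")
    reports = [e.ts for e in events if e.kind == "reported"]
    return min(reports) - start if reports else None


def compare_with_previous(rates, previous, tolerance=0.05) -> dict[str, str]:
    """Label each department's click rate against the last campaign."""
    verdicts = {}
    for dept, r in rates.items():
        if dept not in previous:
            verdicts[dept] = "no baseline"
            continue
        delta = r["click_rate"] - previous[dept]
        verdicts[dept] = ("regressed" if delta > tolerance
                          else "improved" if delta < -tolerance else "unchanged")
    return verdicts


def training_priorities(rates, submit_threshold=0.25) -> list[str]:
    """Departments whose credential-submission rate exceeds the threshold, worst first."""
    flagged = [d for d, r in rates.items() if r["submit_rate"] > submit_threshold]
    return sorted(flagged, key=lambda d: rates[d]["submit_rate"], reverse=True)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    rates = department_rates(events)
    for dept, r in rates.items():
        print(f"{dept:12} sent={r['sent']} click={r['click_rate']:.0%} "
              f"submit={r['submit_rate']:.0%} report={r['report_rate']:.0%}")
    print("time to first report:", time_to_first_report(events))
    print("vs previous:", compare_with_previous(rates, PREVIOUS_CLICK_RATES))
    print("training priority:", training_priorities(rates))
```

Two design choices matter for the report. Rates are computed over distinct users, not raw events, so repeated clicks do not inflate a department's numbers; and the comparison uses a tolerance band so that a small sample (four users per department here) is not reported as a regression on the strength of a single extra click. The submission rate, not the click rate, drives the training priorities, because submitting credentials is the outcome that actually hands an attacker access.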
This is also where the engagement crosses most clearly into the defensive domain — the output of a phishing simulation directly informs security awareness training programmes, which is one of the most evidence-backed controls for reducing phishing susceptibility over time.
The Psychological Levers
Understanding why social engineering works requires understanding the psychological principles it exploits. Robert Cialdini's influence principles map almost directly onto real attack techniques:
- Authority — "I'm calling from IT, we need your password to resolve a critical incident."
- Urgency — "Your account will be locked in 10 minutes unless you verify now."
- Social proof — "Your manager already approved this, we just need your confirmation."
- Liking/Trust — building rapport before making the actual request.
- Scarcity — "This is the only window we have to fix this before the system goes down."
Recognising these patterns is the first step in building resistance to them — which is why security awareness training that explains why phishing works, rather than just showing examples of what it looks like, tends to produce better outcomes.
Staying Legal and Ethical
Social engineering engagements require more rigorous scoping than most other VAPT activities because they directly target individuals, not systems. Non-negotiable requirements for any legitimate engagement:
- Written, signed authorisation from the client explicitly covering social engineering techniques.
- Clear rules of engagement defining which individuals or departments are in scope.
- Defined escalation paths if a simulated campaign accidentally causes real disruption.
- Agreed debrief process so targeted employees understand what happened and why after the engagement closes.
Operating outside these boundaries — running phishing campaigns without proper authorisation, for instance — crosses the line from security testing into criminal activity regardless of intent. The technical skills in this space and the legal/ethical framework around them are inseparable.
Closing Thoughts
Social engineering is the attack vector that most directly exposes the gap between an organisation's security policies and its security culture. You can mandate strong passwords, enforce MFA, and patch every CVE on the scanner report — and still watch a well-crafted phishing email walk past all of it because one employee trusted a convincing sender name.
The practical lesson isn't that humans are hopeless — it's that security culture is a control layer, just like a firewall or an EDR tool, and it requires the same kind of ongoing investment and measurement to be effective.
Next up in this series: post-exploitation techniques and how findings across the full kill chain — network, AD, web, human — come together into a structured VAPT report.
This post is part of an ongoing VAPT series documenting hands-on offensive and defensive security learning. Previous posts covered reconnaissance/information gathering, scanning/enumeration, network penetration testing, Active Directory attacks, and web application testing.