Depending on the agreed scenario, this type of penetration testing usually involves impersonating an opportunistic attacker, someone intending to distribute malware, or someone seeking unauthorised internal access to an organisation’s systems.

Typical exercises include email-based and telephone-based phishing, attempted physical intrusion through deception and masquerading, and the use of publicly available information to elicit the disclosure of private or commercially sensitive information.

Where permitted as part of the engagement, crafted attachments or spoof websites may be used to obtain internal access or user credentials, and fake social media profiles may be generated to support an assumed identity.

This exercise will often be most effective when combined with Internet and social media profiling.