When I joined my company, I was asked to perform a few social engineering assessments for private and government customers alike. Previously, the assessments being done were more about testing the number of people who would click a link in a spoofed e-mail, regardless of the damage. But I wanted to step things up a bit, as I believe that phishing is often a very underrated risk, and one that seems to be quite effective.
Although “social engineering” is much more than phishing, we are generally asked to keep it to phishing attacks alone. We use the following scenarios to quantify the risk: