Skip to main content
Physical Social Engineering Methodology Hero

RedTeam Security's Physical Social Engineering Methodology

A social engineer's methodology to test a client's physical security consists of multiple phases, including data collection, reconnaissance, remote attacks (optional), pretext creation, execution, and report creation. Some clients will choose to provide some information to the social engineer to reduce the amount of data collection that is needed and ultimately reduce costs, i.e., dress codes, the approximate location of a target within a building, front desk procedures, company policy information, or things like everyone is remote on Friday.

Once an assessment is scheduled, a social engineer will review the client's website and other publicly available data. The purpose of this process is to develop an initial opinion of the challenge to expect when attempting to compromise the facility's physical security. Some clients also want a spot check of the first steps the engineer will take, along with an explanation of common risks. The steps for performing a physical, social engineering assessment also depend on whether the client is receiving its first physical assessment or is already in the process of honing its policies and procedures through regular assessments.

Data Collection

Open-source intelligence (OSINT) is a crucial part of the process for gathering data on a client. The types of OSINT that are most valuable in social engineering include building images, company officer names, paid services, DNS records, and NMAP data. Social media platforms and search engines are indispensable tools for discovering information about a company that automated search programs will miss. For example, tools like Spiderfoot have large data sets, but it requires a manual search to compile an employee list from LinkedIn.

On-Site Recon

Social engineers must also perform reconnaissance before attempting to enter a building for the first time. This step typically involves covertly surveilling the facility to identify traffic patterns, dress codes, vendors that visit the location, where employees may prop doors open, and assessing front desk procedures. Reconnaissance may include monitoring of the facility's Wi-Fi network, provided a sufficiently strong signal is available from a discrete location. A walk around the building's perimeter may reveal a break in the fence that the engineer can use to access the site, often for dumpster diving.

Remote Attacks

Occasionally, a social engineer performs remote attacks to obtain confidential information about a building—especially an email phishing, spear phishing, and telephone vishing - or to assist in developing their pretext. Attackers are moving away from email and towards phone calls as a means of obtaining sensitive information due to the common perception that a call is sufficient to authenticate someone. RedTeam Security uses attacks that include phishing emails and vishing to receive information from staff members and convince them to perform actions that compromise security.

These techniques usually provide beneficial results, such as access to Exchange accounts and third-party software. Obtaining access to a SharePoint account used to onboard new employees is particularly useful for getting acquainted with the company.

Pretext Creation

Using the information collected, the social engineer will develop multiple pretexts to attempt to accomplish the goal set with the client. These may include things like posing as a client to attempt to obtain a refund without proper documentation, trying to gain access to a building through an open door by spending time in an outdoor break area, posing as a vendor, or attempting to tailgate. These pretexts will be shared with and approved by the client contacts. The social engineer will also gather the props needed to support the pretext (access badge that does not work, appropriate costume, etc.) 

On-Site Execution

Once on-site, the social engineer will put the pretext into action. While on-site, they may gain additional information while talking to employees or observing other details previously unknown to the social engineer and use this information to move forward to accomplish their objectives. The social engineer will attempt to take photos, videos, or other evidence to be presented in a report to the client. Lastly, the social engineer will try to leave the premises safely. 


Creating a comprehensive report is a critical part of the engagement. It provides the client with the details of the process, the information gathered, the results and observations of the social engineer, any photos taken, and any recommendations. This will create a plan for improving training, updating procedures, and making any structural changes.

Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.
If you're interested in application penetration testing, you may find this article helpful when formulating your responses: Understanding Application Complexity For Penetration Testing.

If you have any questions, contact us at 612-234-7848 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.

Having trouble viewing the Scoping Questionnaire? Check to see if an ad-blocker is keeping the page from loading properly.

Dedicated Client Portal

Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.

Certified Security Experts

Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.

Research-Focused Approach

We hold industry-leading certifications and dedicate part of every day to research the latest exploit techniques to ensure our clients remain protected from evolving online attacks.

Free Remediation Testing

Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.