Social Engineering Campaign

<aside> ⚠️

CLICK DUPLICATE BUTTON TO START USING THE TEMPLATE

</aside>

<aside> 🎯

Objective: Assess employee susceptibility to social engineering attacks and identify security awareness gaps in the organization to strengthen human-layer defenses.

</aside>

Pre-Exercise Planning

Campaign Selection Matrix

Use this matrix to select the most appropriate campaign type based on your objectives and risk profile:

Attack Vector	Difficulty	Detection Risk	Value for Assessment	Best For
Phishing Email	Low	Medium	High	Baseline testing, wide coverage
Spear Phishing	Medium	Medium	Very High	Testing targeted departments/roles
Vishing (Voice)	Medium	Low	High	Testing phone security protocols
SMS/Text Phishing	Low	Medium	Medium	Testing mobile security awareness
Physical Impersonation	High	High	Very High	Testing physical security controls
Watering Hole Attack	High	Low	High	Testing browsing habits/awareness

Target Selection Strategy

Primary Selection Criteria

By Department: Based on data access (HR, Finance, IT, Executive)
By Role: Based on privileges (Admins, Managers, C-Suite)
By Location: Based on geography (HQ, Remote offices, WFH staff)
By Previous Performance: Target previous "high-risk" employees

Sample Size Calculator

For statistically significant results in organizations of different sizes:

Organization Size	Minimum Sample	Recommended Sample	Stratified Sampling
<100 employees	50%	75%	All departments
100-500 employees	30%	50%	Key departments
500-2000 employees	15%	25%	Representative selection
>2000 employees	10%	15%	Statistically distributed

Timeline Planner

Planning Phase: 2 weeks (scoping, approvals, content creation)
Dark Period: 48 hours before launch (final approvals)
Execution Window: 1-2 weeks (based on campaign complexity)
Analysis Phase: 1 week post-execution