Which activity is typically part of a social engineering assessment in a penetration test?

Prepare for the Penetration Testing and Vulnerability Analysis Test with a range of challenging questions. Study with multiple choice format, hints, and detailed explanations to ace your next exam!

Multiple Choice

Which activity is typically part of a social engineering assessment in a penetration test?

Explanation:
Social engineering assessments focus on human factors and how people respond to manipulated scenarios. Phishing email campaigns and pretext phone calls are classic techniques used to gauge whether employees can be tricked into revealing credentials, clicking malicious links, or bypassing security controls, in a controlled, authorized engagement. They simulate real-world attempts to illicitly gain access, which is exactly what social engineering aims to test.

In contrast, port scanning from the internet is a network reconnaissance activity that looks for open services and potential entry points; SQL injection testing targets application code vulnerabilities; and wireless password cracking deals with breaking wireless authentication or encryption. While all are important parts of a broader security assessment, they don’t involve manipulating people, which is the essence of social engineering testing.
