BIPI

Social Engineering Attacks: Phishing, Vishing, and Pretexting at Scale

Cybersecurity

Technical and psychological mechanics of social engineering — spear-phishing infrastructure, vishing scripts, pretexting frameworks, and measuring human risk in red team engagements.

By Arjun Raghavan, Security & Systems Lead, BIPI · May 10, 2025 · 13 min read

#social-engineering #phishing #vishing #red-team #human-risk

The most sophisticated zero-days in history have been rendered unnecessary by a well-crafted email or phone call. Social engineering is not a soft skill — it is a precise, reproducible attack technique with measurable success rates.

Phishing infrastructure setup

Professional phishing campaigns require dedicated infrastructure: aged domains with matching MX records, SPF/DKIM/DMARC configured to pass email security gateways, and a redirector layer to absorb threat intel lookups. GoPhish orchestrates campaigns; Evilginx3 handles credential capture as a reverse proxy.

  • Register lookalike domain aged at least 30 days before campaign
  • Configure SPF: v=spf1 include:sendgrid.net ~all
  • DKIM signed via SendGrid or Postfix + opendkim
  • Redirector VPS between phishing page and C2 to avoid IP burns
  • Evilginx3 for AiTM credential and session cookie capture

Spear-phishing pretext development

Generic phishing fails against security-aware targets. Spear-phishing requires OSINT: know the target's current project, their manager's name, and an internal system they use. Reference a real event — a system upgrade, a compliance audit, a recent acquisition — and the credibility multiplies.

Vishing techniques and scripts

Vishing (voice phishing) exploits the high-trust channel of a phone call. Pretexts that work consistently: IT helpdesk calling about a security incident, HR calling about payroll discrepancy, or a vendor calling to confirm account details. Caller ID spoofing via VoIP providers adds authenticity.

Pretexting frameworks

  1. Establish authority: impersonate IT, HR, C-suite, or vendor with known name
  2. Create urgency: time-limited threat that requires immediate action
  3. Social proof: reference colleagues or recent company events
  4. Reciprocity: offer to help solve a problem in exchange for the target action
  5. Commitment: start with small asks and escalate to the real target

Measuring human risk

Red team social engineering reports should quantify click rates, credential submission rates, callback rates, and time-to-report. Segment results by department and seniority to identify highest-risk populations for targeted training.
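As an added worked example, not code from the original post, the metrics described above computed over a constructed campaign export and segmented by department and seniority; the record fields, the sample values and the choice of median for time-to-report are assumptions:

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Constructed sample: one record per recipient of a simulated campaign.
# Times are minutes after delivery; None means the event never happened.
@dataclass
class Recipient:
    user: str
    department: str
    seniority: str
    clicked_at: Optional[int]
    submitted_at: Optional[int]   # credentials entered on the landing page
    reported_at: Optional[int]    # user reported the email to security

SAMPLE = [
    Recipient("u1", "finance", "staff", 5, 7, None),
    Recipient("u2", "finance", "staff", 12, None, 15),
    Recipient("u3", "finance", "manager", None, None, 3),
    Recipient("u4", "engineering", "staff", None, None, 8),
    Recipient("u5", "engineering", "staff", 20, 22, None),
    Recipient("u6", "engineering", "manager", None, None, None),
    Recipient("u7", "hr", "staff", 2, 4, 30),
    Recipient("u8", "hr", "manager", 9, None, None),
]

def metrics(records):
    """Campaign metrics for one population (rates are per recipient)."""
    n = len(records)
    clicked = [r for r in records if r.clicked_at is not None]
    submitted = [r for r in records if r.submitted_at is not None]
    reported = [r for r in records if r.reported_at is not None]
    return {
        "population": n,
        "click_rate": len(clicked) / n,
        "submit_rate": len(submitted) / n,
        # Conditional on clicking, the way the stat block frames it.
        "submit_rate_given_click": len(submitted) / len(clicked) if clicked else 0.0,
        "report_rate": len(reported) / n,
        "median_minutes_to_report": median([r.reported_at for r in reported]) if reported else None,
    }

def segmented(records, key):
    """Metrics per value of a record attribute, e.g. 'department' or 'seniority'."""
    groups = defaultdict(list)
    for r in records:
        groups[getattr(r, key)].append(r)
    return {name: metrics(group) for name, group in sorted(groups.items())}

def highest_risk(records, key):
    """Segment with the highest credential-submission rate per recipient."""
    seg = segmented(records, key)
    return max(seg, key=lambda name: seg[name]["submit_rate"])
```

The segment returned by highest_risk is the one the post suggests prioritising for targeted training; a real export would also carry the campaign pretext so results can be compared across lures.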

  • 15-30%: average phishing click rate in enterprise campaigns
  • 50-70%: targets who submit credentials after clicking
  • <10%: incidents reported by users during simulated campaigns

The human is not the weakest link — the untrained human is. Security awareness done right changes the ratio.

Responsible use

Social engineering testing requires explicit written consent from senior leadership, clear scope boundaries, and a commitment to use findings for training rather than punishment. Debrief targets who fell for tests — shame is not a security control.
