Social engineering penetration testing checks whether employees adhere to an organization’s security policies and procedures, typically through the use of subterfuge or other scams, in order to determine the organization’s level of vulnerability to the exploit used. Testing provides an organization with information regarding how easily intruders could convince employees to break security rules or provide access to sensitive data. Physical testing could involve, for example, a tester trying to enter a secured building during a busy time and seeing whether someone holds the door open rather than adhering to required access procedures. Phishing testing, another common social engineering method, can be used to test whether employees open email attachments from unknown sources, which could leave the organization vulnerable to various attacks. Telephonic testing could include a tester calling employees while pretending to be a member of the organization’s IT team, providing them with new passwords and telling them they need to change their passwords to the new ones.