Should we perform on-site or offsite social engineering?

Although there is value in onsite social engineering, for the money offsite social engineering, such as that provided by PhishingBox is much more cost effective. Only in rare circumstances, will attackers attempt anything that require their physical presence. As such, most organizations do not need onsite testing.

According to a recent study commissioned by Check Point Software Technologies Ltd, forty-seven (47) percent of social engineering attacks are via phishing. (The Risks of Social Engineering on Information Security: A survey of IT Professionals)