Onsite Social Engineering
Attackers show up at your location and impersonate a trusted agent in order to gain physical access to your facilities and, hopefully, sensitive company information. The social engineer may pose as a trusted vendor or a research company, or tailgate an employee through a secured entrance. No matter what cover story they choose, it's all about confidence. With a quick Google or LinkedIn search, they can even learn the names of executives at your company to name-drop and seem more legitimate.
Posing as someone from pest control, a fire marshal, maintenance, etc. performing an unscheduled visit
Private Research Orgs
Posing as someone who works with a government agency to perform "research" on your company
Posing as a fellow employee to get a colleague to hold open a secured door or employees-only entrance
Remote Social Engineering
Attackers can sit at home, thousands of miles away, and perform remote social engineering attacks against your organization. Employee contact information is generally freely available on the internet and can be easily collected en masse. Armed with this information, social engineers can send emails (phishing), make phone calls (vishing), or even send text messages (smishing) to your employees without ever leaving their couch. Remote social engineering is considered to be the most common attack method because of the sheer number of people who can be targeted at once.