Social engineering typically uses e-mail-based attacks that target client-side vulnerabilities, which are exploitable through vectors that only a local user can reach. These attacks usually leverage file format exploits and client-side exploits to target the applications and information stored on a victim’s local machine, or use phishing scams to gather information from a human target. For example, you can attach a PDF that contains an exploit, like the Cooltype exploit, to an e-mail and send the e-mail to a group of people. When a recipient opens the infected PDF, the exploit can create a session on the recipient’s machine if that machine is vulnerable to the Cooltype exploit.
The method that you choose depends on the intent and purpose of the social engineering attack. For example, if you want to see how well an organization handles solicitation e-mails, you can set up a phishing attack. If you want to gauge how well an organization follows security best practices, you can generate a standalone executable file, load it onto a USB key, and perform a USB key drop.