I'm doing a social engineering engagement. I used metagoofil to find about 40 email addresses, phone numbers, and names. I set up a fake login page for the company and sent out emails requesting them to log in to the site. Once they enter their credentials, they are redirected to the company email portal. Meanwhile, I capture their ID and password. Out of 40 emails, I got 2 creds. Not too good.

I contacted the client and was told for my next scenario to make phone calls. However, they don't want me calling people I emailed. So... they emailed me names of people to call. This presents a problem as I have no idea what I should do. If I could call the people I sent the emails to, I could attempt to get them to log in to the fake page. It gives a sense of authenticity having a phone call with a legitimate-looking email. But if you don't have the email as a verification, what the hell can I ask them to do?

"Hello sir, could you give me your password please?" Seriously, who the hell would go for that? I need some ideas of what I could try. I feel like I'm working with a hand tied behind my back. As if the client is expecting failure in order to make herself look good. Suggestions?

William