Trend Micro provides an excellent recap in this post:
QUOTE: One particular aspect of DEF CON that always gets some media coverage is the Social Engineering Capture the Flag (SECTF) contest, where participants use nothing more than a phone call to get victims at various Fortune 500 to give up bits of information. These are the sort of social engineering attacks that give security professionals at large enterprises nightmares. These same professionals may be in charge of programs meant to train employees on how to avoid social engineering attacks, but many of these programs are not as effective as they can and should be. What are some of the things that organizations can do to improve these programs?
1. Give these programs a good name. It keeps training programs – and their lessons – in the minds of users.
2. Put users on the other side of the attack – teach them basic social engineering. By putting employees in the role of the attacker, they can understand how to spot an attack and that any data is valuable to a social engineer – not just what would normally be considered “sensitive.”
3. Don’t forget the value of “no”. A very effective tactic used by social engineers is veiled threats that if the target doesn’t do what they are asked, their boss will hear about it and be angry. (employees should not be penalized for being reluctant to share sensitive information over phone or email)
4. Implement “social” penetration testing – i.e., having someone play the role of an attacker and trying to socially engineer employees.