This is the most comprehensive free guide to social engineering online.

In this expert-written guide, you’ll learn everything you need to know about performing and defending against human hacking, from the psychology to the tools you’ll need.

So, if you are looking to become a master social engineer (and defeat them), you’ll love this guide.

Let’s dive right in.

Why Social Engineering Matters For Every Organization

Social engineering is an integral part of almost every attack.
Both cyber and physical.
Let’s look at a few facts to see what I mean…

Only 3% of malware tries to exploit an exclusively technical flaw. The other 97% involves targeting users through social engineering (KnowBe4).

Technical vs. Human Involved Malware

Successful attacks are not decreasing. In fact, overall, they have been increasing for the last 5 years (CyberEdge Group).

Percentage of attacks that are successful

The average time from email phishing breach to detection is 146 days (FireEye).

Average time to detection

With that, let’s dive into the actionable tips in today’s guide.

Contents

CHAPTER 1

Learn Your Target Before The Attack

CHAPTER 2

Powerful Influence Techniques

CHAPTER 3

Elicit The Information You Want

CHAPTER 4

Body Language Speaks Volumes

CHAPTER 5

Social Engineering Tools

CHAPTER 6

Effective Defense Strategies

BONUS CHAPTER

Social Engineering Case Studies

BONUS CHAPTER

Social Engineering Attack Playbook

Chapter 1

Learn Your Target Before The Attack

No matter what kind of attack you are performing, you will never win if you don’t know your target.

Do you want to learn strategies to gain visibility into them?

That’s what this chapter covers: methods for learning about your target.

Let’s get started.

When preparing for a social engineering attack, it’s vital that you have a thorough knowledge of your target.
You want to know absolutely as much information as you can about them.

That data will be invaluable at other phases of the attack.
Here’s what I mean.
Want to build rapport with the individual?
Well, what if you knew they loved German Shepherds?
Maybe part of your attack could include walking up to the desk while on the phone in a distressing conversation.
Then, you hang up and say:
“I’m sorry, my German Shepherd is at the vet and having severe complications after surgery.”
We’ll get into building rapport a lot more later, but my point is this:
Knowing about your victim enabled you to create that scene.
OK, now that you know why it’s important to learn about your target, let’s get into some practical tips for the various methods.

Telephone

Unfortunately, most people willingly give up far too much information on the phone.
If you call an organization or business, it’s very probable that you’ll be able to collect a lot of valuable information.

This information will help you tremendously in future steps in your social engineering scheme.
While on the phone, you can usually obtain information like people’s names, departments, department heads, company terminology, company processes, and more.
We’ll talk about some ways to get these in the playbook sections.

Pro Tip: Sales and marketing teams are usually especially useful and talkative targets. They are focused on making sales and often fall for social engineering ploys much more easily than other employees.

OSINT

Open-source intelligence gathering is one of the first methods that you should use for learning about your target.
OSINT is nothing but information taken from the web.
Information that is available to almost anyone.
You see, most people don’t give any thought to the loads of data they post all around the internet.
A patient attacker will spend time combing the internet for all of this data and create a perfectly tailored attack.
There are tons of places that you can gather OSINT from when preparing for social engineering.
Let’s look at a few.

LinkedIn

LinkedIn can be an amazing place for gathering information if your social engineering attack is against a business.
Many employees maintain profiles on the site detailing their title, responsibilities, and interests.
As an attacker, you can use all of this to your advantage.
Begin by searching for the company.

Then at the top right, you should see the option to view employees.

Get an idea of the departmental structure of the organization.
Who works in IT, marketing, accounting, etc.
Who are the bosses, the juniors, executives, recruiters, and HR, etc.
Add all of this into your notes.
You never know which parts you will need later.
If you maintain a few LinkedIn profiles yourself, you can even request to connect with someone of interest.
Then, you may be able to find email addresses and the company’s email address format.

Bottom line, you can gather a ton of valuable information from LinkedIn.
Make notes of any data that you feel could be useful for your social engineering attack.

Using Google Dorks

Believe it or not, you can find a ton of information on Google itself.
Google Dorks can be a key tool when preparing for social engineering.
Basically, dorks are a way that you can hyper-focus your Google searches to find specific information.
Quick example.
If I am looking for an article on the www.cyberx.tech website that I remember seeing about cybersecurity tools, I could use dorks.
Like this:

site:cyberx.tech “cybersecurity tools”
What I have done is tell Google to search only the cyberx.tech site for “cybersecurity tools”.

See the results?

There’s good news:
You can use hundreds of these to find specific items.
Here’s a list of them that you can search for the specific needs of your social engineering engagement:
https://www.exploit-db.com/google-hacking-database
This list is maintained by the community.
As new ones are discovered, they are added to the list.
Some useful ones for social engineering reconnaissance are:

  • site: to search a specific site
  • inurl: to look for certain words (such as a file extension) in a page’s URL
  • intext:@targetdomain.com to look for email addresses

I encourage you to check out the Google Hacking Database linked above.
There are nearly 5000 Google dorks.
Most likely, there are some that can help you in your social engineering engagement.

Surveillance

If your social engineering attack involves physical penetration or access, it is very likely that you will need to perform at least some kind of surveillance.
And while surveillance may not seem like anything complicated, there are some things that you should be aware of to avoid being caught.

Surveillance Vehicle

Your vehicle choice is very important for the success of your surveillance operation and ultimately the social engineering engagement.
The main concern for the vehicle is that it doesn’t draw attention.

Of course, this will vary depending on the area of your lookout, but typically ordinary cars work well.
Be sure to choose a dull color that won’t stand out in people’s memory – something like white, black, or grey.

Clothing

One of the main things that you have to be worried about when performing surveillance is not arousing any suspicion.
So, you want your clothing to be appropriate for the occasion.
If you will be sitting in a car, this doesn’t matter quite as much, but you’ll still want an extra set of clothes just in case you have a close encounter with your target.
However, if your surveillance involves going into a business, or walking down the street, as examples, make sure your clothes are appropriate.
Here’s what I mean:
If you’re surveilling a business office building, you may want to wear a business suit.
It will help you blend into the crowd better.

Stealth Arrival

Here’s a trick that works well when your surveillance team has at least two members.
Have one team member be a passenger in a car.
The other team member should drive to the location, park the car, and walk away.
They can take up a surveillance position elsewhere, or walk around, etc.
The point of this is that anyone who saw the vehicle arrive will assume it is now empty.
Again, you want to draw as little attention as possible.

Dumpster Diving

Dumpster diving can be useful in preparing for social engineering attacks.
The action – literally going into a dumpster and rummaging for anything of importance – often yields valuable information.
You see, most people throw all kinds of things away without considering just how valuable that information is to a social engineer or an attacker.
That email you printed and threw away –

Harmless, right?
Well, did it have the company’s standard email signature on it?
That’s great for the attacker – he can make his fake email look authentic.
He also got another email address from someone at your company.
Or the phone list someone threw away?
Now the social engineer has all of the company’s numbers.
Maybe even “inside” numbers.

So, if the attacker spoofs his number to look like an insider number, his victim will likely think that he must be genuine.
Following me?
The attacker knows virtually nothing about your company or organization when he starts.
But every tidbit he gets adds another stroke to the image.
And once he has a satisfying picture, he can fool anyone.

Practical Dumpster Diving Tips

Here are a few practical tips that may prove beneficial for your next dumpster diving engagement:

  • After Dark – Dumpster diving usually works best right after dark
  • Dark clothes – wearing dark clothes can help you not be seen
  • Thick pants – Since you may have to get into the trash, you’ll want thick clothing to avoid pokes and snags
  • Solid shoes (boots) – there is the possibility of broken glass and other sharp objects in the trash. You’ll want to be sure not to have shoes that can be easily pierced
  • Choose smaller bags that would come from desk trash cans. Large black bags are more likely to have food trash instead of papers.
  • Don’t sort through trash on site – take it back to a safe location
  • Flashlight – a head-mounted flashlight works best.
  • Legality – dumpster diving is usually illegal. Make sure it is specifically included in your scope of work

Chapter 2

Powerful Influence Techniques

Social engineering is an art.

No one can give you a 1-2-3 punch that will work in every incident.

That being said, there are some principles that you should be aware of.

Seasoned social engineers are able to blend these techniques at the right time and place to get the desired outcome.

Let’s look at some of them.

Influence

At its heart, influence is the process of getting someone else to do something that you, as a social engineer, want.
This may be the way you want them to react, something you want them to think, or even an action you want them to take.
An example.
As a kid, when you wanted to do something – say go to the sleepover at your friend’s house – how did you ask?
“Mom, may I stay the night at my friend’s?”
Or did you try something more like:
“Mom, all of the boys in my class are having a sleepover at ___ house. They’re going to have pizza and games. May I go?”
Most children would have likely used a more elaborate request like the second one.
Why?
They want to influence their parents’ decision.
So, let’s look at some of the many ways that you as a social engineer can influence your targets.

Reciprocity

As humans, we have it wired into us to repay favors or generous acts done to us.
Part of this is how we are trained to be mannerly; the other part is just human nature.
When someone holds the door for you, what do you do?

Say thank you.
Sure it’s “manners.”
But those “manners” are a way to give back.
Hope that makes sense.
As such, this inherent reciprocity that we have can be a great influencing tool for a social engineer.
Robert Cialdini, a respected professor who studies the topic, discussed this in his book, Influence: The Psychology of Persuasion.
In fact, he believed that reciprocity is one of the most important factors in influencing others.
Phillip Kunz performed an experiment that supports this theory.
In 1974, he performed an experiment in which he sent 600 handwritten holiday cards to complete strangers, all of whom were randomly selected.
He included a photograph of his family in the card.
What was amazing:
Nearly 200 people returned cards to him.

They had no idea who he was and didn’t question him.
They simply felt obligated to return or reciprocate the gesture.
Reciprocity can be a powerful tool of social engineers.
Especially since it’s a subconscious decision that people make.
If you incorporate this method of influence into a social engineering scheme, make sure it doesn’t come across as sleazy.
Perform favors that leave an impression on the recipient but don’t stand out as odd.
Maybe you walk in the building with a box of donuts and casually ask if they want one while passing.
Whatever you do, reciprocity can help you a lot.

Authority

There’s no question, respect for authority is ingrained into us from the time we are children.
Some cultures enforce it more than others.
As a result, it can be a perfect ploy for a social engineer to pose as someone in authority.
Why?
Because immediately when we “realize” the person is in authority, that respect kicks in and we don’t want to be disrespectful.
Generally, someone impersonating authority will attempt to be one of a few authority types – legal, organizational, or social.

The most common is organizational.
A perfect example of this is CEO wiring fraud.
The attacker sends a message to or calls an employee purporting to be the CEO.
Usually, the ruse continues along the lines of the CEO being very busy and having an urgent need to wire money to a certain person or entity.
The ploy can also be used to get the victim to open a malicious file which provides the attacker access to their computer.
This method works so well that the FBI estimates a global loss of $12.5 billion due to the CEO fraud method.

You should note that the social engineer doesn’t even have to pose as an authority figure as senior as a C-level executive for this to work.
People just automatically defer to “authority.”
Robert Cialdini discusses another experiment in his book that shows just how bad this can get.
In the experiment, 95% of nurses at various stations within 3 hospitals were willing to give a patient a lethal dose of medication based on a phone conversation.
Of course, the call was from a researcher claiming to be a physician.
What’s worse?
This even worked despite the nurse having never met or heard of the alleged doctor.
So, as we have seen in this section, the perception of authority can be an excellent social engineering tool.

Scarcity

Scarcity can be a powerful influence technique in a social engineering engagement.
People tend to be overwhelmed by time pressure and can make decisions that actually aren’t in their best interest.
A prime example of this is the way that stores have sales.
Sales don’t last forever; instead, the finite availability of the discount encourages shoppers to act quickly.
And sometimes irrationally.

A perfect example of this is the way that most ransomware attacks work.
Once the system is infected and all of the files encrypted, the user is given a set amount of time to pay the ransom before they are all deleted.
There are plenty of ways that you can incorporate scarcity into your engagements.
Just remember that a scarcity of time can be a great influencer.

Chapter 3

Elicit The Information You Want

As a social engineer, you have to be a master at getting information without asking for it.

Do you want to learn how to elicit info without arousing suspicion?

That’s what we will talk about in this chapter.

Ways you can elicit info during a social engineering engagement.

Ready?

Now that we’ve looked at ways that you can influence your targets, we need to talk about elicitation.
Elicitation is the next phase in a social engineering attack.
After you’ve won them to your side, it’s time to begin attempting to extract that information from them without them even knowing what’s happening.
There are numerous ways this can be done, but today, we’ll look at several of the most common methods.
These common elicitation methods include flattery, false statements, artificial ignorance, the sounding board, bracketing, and confidential baiting.

Flattery

Flattery can be a powerful tool for a social engineer when it’s done correctly.
Why?
Because people are genuinely proud of their achievements and usually don’t have a way to express it.
This is because bragging is not accepted in most places.
So we end up keeping our sense of accomplishment to ourselves until the right opportunity arises to express it.
As a social engineer, if you can create that opportunity, you can usually get valuable information.
However, when attempting to use flattery, you must be sure that you aren’t overdoing it and that the flattery attempt is related to what you’re trying to find out.
Here’s what I mean.
Walking up to a receptionist and saying they are beautiful would probably come across the wrong way and defeat your mission.
It’s just a little too far.
On the other hand, if you started a conversation with them – maybe inquiring about the services they offer – and then interjected a compliment into the conversation, it would likely go over better.
Something like, “I like your accent. Where are you from?”
Or, “You’re really good at this job. You keep everything moving exceptionally well.”
In Kevin Mitnick’s book, The Art of Deception, he discusses a great flattery technique.
While seeking to find the name of a store’s regional manager so that he could impersonate them, he called one of the stores and “got assistance” with a problem.
At the end of the conversation, he asked for the manager’s name so that he could give the store employee a good review.
They immediately provided the manager’s name and contact information.
In general, with the flattery technique, you want to keep compliments away from the person’s physical appearance or clothing.
Instead, comments about their accomplishments or business related topics can go a lot further.
Especially when they are followed up with a question.
Something like, “You can really handle a lot of things simultaneously. How long have you been working here?” can get your target talking.
Once they start, they’ll usually keep going.

False Statements

Another great method for eliciting information is using false statements in a way to get the truth.
Before we get into how to use this method, let’s talk about why it works.
Think back to when you were in elementary school.
When the teacher was teaching a lesson and asked the students a question, if you knew the answer, what did you do?
Raise your hand?
Maybe start waving it at her?
Even stand up out of your chair a little?
What I’m trying to convey is that people have a tendency to want to show what they know.
They also have a tendency to want to correct things around them that are incorrect.
As a social engineer, you can use this to your advantage.
Say the goal of your encounter is to find out what type of endpoint protection the company uses.
You could interject something like this into the conversation.
“I heard you guys’ security is top-notch. Someone who used to work there told me your company uses a special antivirus that was made by the NSA.”
It’s likely they would respond with something like:
“No, we just use Symantec. Don’t know where they got that from.”
What has happened is that the attacker used a greatly exaggerated false statement so that the target would correct it.
This method works well.

Chapter 4

Body Language Speaks Volumes

The simple truth is this:

You can create the most realistic pretext ever.

But if your body language exemplifies nervousness, your target will almost certainly pick up on it.

You have to master the art of body language.

Both reading it and displaying it.

That’s what we’ll discuss in this chapter.

As you may already know, people use their entire bodies to communicate.
In fact, studies have shown that a great percentage of our communication is with our bodies.
You may be thinking: what does this have to do with social engineering?
It’s actually very beneficial for both sides – the attacker and the defender.
If you can decipher the meaning of someone’s body language, you will be much better at the social engineering game.
The same goes for defense.

Non-Verbal Communication and Social Engineering

None of us probably realize how much of our communication is actually achieved through non-verbal cues.
Have you ever thought that you would much rather talk with someone in person instead of over the phone?
That’s probably because you find it easier to communicate.
Professor Mehrabian did a lot of research into non-verbal communication in the 1990s.
In short, he found that:

  • 7% of meaning is in the words that are spoken
  • 38% of meaning is in the way the words are said
  • 55% of meaning is in facial expression

Very interesting.
As a social engineer, you should be able to identify non-verbal cues and adapt your pretext to put the target at ease and ultimately achieve your goal.

Interpreting Body Signals

There are literally hundreds of cues you can gather from body language.
Just check out these charts to see them.
It’s unreal, and there’s no way that you can function in a social engineering engagement while trying to identify all of them.
So what should you do?
Instead of focusing on every little body expression the person makes, focus on comfort or discomfort.
Joe Navarro, an ex-FBI agent, explains it well in this video.

By the way, a lot of a person’s body expressions have to do with context and a person’s expressions may have nothing to do with you.
That’s even more reason to focus on comfort versus discomfort.

Examples of Body Expressions

Before we discuss particular body expressions that a social engineer should keep an eye out for, let me say this:
You have to establish a baseline for the target before you assume a signal means a particular thing.
Here’s what I mean.

While having folded arms may typically be assumed to mean that a person is closed off, it could also be a comfortable position for a person to stand.
They could also simply be cold.
So, as you approach the target, identify their demeanor and what if any signals they are already exhibiting.
What becomes important then, is identifying a change.
If the person was sitting normally, and once you start engaging them they cross their arms, that likely means they are uncomfortable.

Signs of Comfort

There are a few things that you can look for to know if a person is comfortable.
First of all is arm placement.
When humans are comfortable, they tend to widen; when they are uncomfortable, they tend to narrow up.

As you can see, babies do this naturally.
Steepling is another example of this.
Usually when a person does this, they are confident and cool.
One other thing to note with the arms is whether they are extended.
When someone extends their arms (showing the underside), they are usually comfortable and open.
Having a genuine smile is another giveaway of a person’s feelings.
People used to say that a person was genuinely smiling when they had the crow’s feet by their eyes.

While this may be true, it’s not something to base your assumption on.
Again, like we said before, throughout your social engineering engagement, assess the target’s behavior based on their baseline.
One last sign of comfort that I want to discuss is head tilt.
This may be more noticeable in women, but men do it as well.
When they are in a comfortable situation, they will tilt their heads slightly.
Ever wonder why a photographer has you tilt your head during a photo op?
They’re trying to make you look less tense.

Signs of Discomfort

So now, let’s look at some signs of discomfort.
Eye blocking can be a dead giveaway that a person is not comfortable with a situation or environment.

The action says that the person doesn’t want to see something that they are being confronted with.
If you see this during a social engineering encounter, you may want to ease up and change to small talk or something to set them at ease.
Neck and shoulder rubbing can be another sign of discomfort.
People tend to do this because when uncomfortable, our muscles tense up.
Rubbing is simply loosening those muscles.
The final body expression that a social engineer should observe is the target’s lips.
While this may seem obvious, people often do odd things with their lips when tense.
They may start biting them.
Puckering them.
Or any number of other odd behaviors.
So, look out for this.

Chapter 5

Social Engineering Tools

Like with almost everything, there are tools that make the work of social engineers much easier.

If you want to learn to perform effective attacks, you should learn how to use each of these tools.

Even though you may not use them every day, the more you have in your “toolbag” for use when needed, the better.

So:

Let’s look at them.

Social Engineer’s Toolkit (SET)

SET was developed by the team at TrustedSec, an amazing team of cybersecurity professionals. The tool can be useful for nearly every part of a social engineering attack. You can use it to create spear-phishing emails, perform recon or attacks on websites, create malicious payload deliverables, run PowerShell attacks, and a lot more. It is a really useful and powerful tool that you should spend some time learning.

PeekYou

PeekYou is a people finder website. It can be used to find information about a target for a social engineering attack. While you may end up having to pay to retrieve some of the information, you can sometimes get a lot of valuable data for free – residency location, education, age, online aliases, employer, etc. All of those can be used to create a convincing attack.

HackSearch Pro Plugin

HackSearch is a plugin for Firefox. While you browse any website, the plugin works in the background to perform passive reconnaissance for you. It looks up public databases to gather as much information as it can. It can find things like whois info, MX records, DNS information, and more. Because the tool does not query the site directly, the owner won’t be alerted.

Maltego

Maltego is one of the most amazing tools available for social engineering and penetration testing. While the tool is commercial and must be bought, there is a free version available. Maltego can help you find almost any information that you may need for a social engineering attack. DNS info, email addresses, server technologies, people, addresses, and a lot more. It can be a huge time saver and is built to work well for security agencies or teams.

Shodan

Shodan is an incredible tool. Shodan is like Google for hackers (or social engineers). You can use the site to search for devices that are online. The search engine searches the web looking for devices. You can learn a lot about an organization with the site. What kind of servers they are using, services, etc. It offers a wealth of information and can help you while preparing a social engineering attack.

SpoofCard

If you really want to pull off a good social engineering encounter, you should check out the spoofcard app. To be successful with vishing, you have to come across as being an insider. One of the best ways to do that is to spoof the number you are calling from. The SpoofCard app allows you to do that insanely easily.

Unshredder

If you pick up shredded documents during a dumpster dive, you can use this software to help you piece them back together. This is a time-consuming process, but can be very fruitful if important documents are obtained and are strip shredded.

FOCA (Fingerprinting Organizations with Collected Archives)

FOCA is a tool that helps find hidden information in documents. Once you have a document from an organization – maybe one you found using Google Dorks – you can use FOCA to analyze it. The tool will examine the metadata of the file. Then, it uses Google, Bing, and DuckDuckGo to find other versions of the document as well as other documents that the organization has online. You can find lots of useful information with the tool. Sometimes, you can even get usernames.

Buscador Investigative Operating System

David Wescott and Mike Bazzell developed Buscador specifically to meet the needs of private investigators. However, the tools that come with the OS make it superb for anyone performing OSINT.

Google Hacking Database

Google Dorks (from the Google Hacking Database) will become your best friend for reconnaissance before a social engineering engagement. Trust me. Once you get familiar with them, you will use them all the time. Even when you’re casually browsing the web. The dorks allow you to perform Google searches that are hyper-focused.

Metagoofil

Metagoofil is another useful tool for finding hidden metadata in files online. The tool will find pdf, doc, xls, ppt, docx, pptx, or xlsx files online, download them and extract the metadata it identifies. Then, it creates a report on the findings, making its use very easy during social engineering reconnaissance.
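FOCA and Metagoofil both work by reading the metadata fields that office documents carry, so the same check belongs on the defender’s side before a document is published. Below is an added example (not part of the original guide and not code from FOCA or Metagoofil) that reads the core properties of a DOCX, which is a ZIP archive with a docProps/core.xml part, reports the fields that name people or internal accounts, and writes a scrubbed copy. The sample document and every metadata value in it are constructed in memory, so the script runs offline.

```python
"""Inspect and strip identifying metadata from a DOCX before it is published.

Added example: a DOCX is a ZIP archive whose docProps/core.xml part stores the
author, the last-modified-by account name, comments and similar fields, which
is exactly what document-metadata harvesters collect. The sample document
below is constructed in memory (fictional values) so this runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside docProps/core.xml (OOXML core properties).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for _prefix, _uri in NS.items():  # keep readable prefixes when we write XML back
    ET.register_namespace(_prefix, _uri)

# Fields that name people, accounts or internal notes: never publish these.
IDENTIFYING_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:description", "cp:keywords")

# Constructed core.xml for the sample document (all values are made up).
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:title>Vendor Onboarding Procedure</dc:title>
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>CORP\\finance-svc</cp:lastModifiedBy>
  <dc:description>Internal draft - do not distribute</dc:description>
  <dcterms:modified>2024-03-11T09:15:00Z</dcterms:modified>
</cp:coreProperties>""".format(**NS)


def build_sample_docx() -> bytes:
    """Build a minimal DOCX in memory (constructed sample, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("docProps/core.xml", CORE_XML)
    return buf.getvalue()


def _qname(tag: str) -> str:
    """Turn ElementTree's '{uri}local' tag into the familiar 'prefix:local' form."""
    if not tag.startswith("{"):
        return tag
    uri, local = tag[1:].split("}", 1)
    prefix = next((p for p, u in NS.items() if u == uri), uri)
    return f"{prefix}:{local}"


def extract_metadata(docx_bytes: bytes) -> dict:
    """Return every non-empty core property, e.g. {'dc:creator': 'jsmith', ...}."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {_qname(e.tag): e.text.strip() for e in root if e.text and e.text.strip()}


def leaked_identifiers(docx_bytes: bytes) -> dict:
    """Only the fields a reviewer should refuse to let out the door."""
    return {k: v for k, v in extract_metadata(docx_bytes).items()
            if k in IDENTIFYING_FIELDS}


def scrub_metadata(docx_bytes: bytes) -> bytes:
    """Return a copy of the DOCX with the identifying core properties removed.

    Every other ZIP member (document body, content types) is copied unchanged.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(data)
                for field in IDENTIFYING_FIELDS:
                    prefix, local = field.split(":")
                    for elem in root.findall(f"{{{NS[prefix]}}}{local}"):
                        root.remove(elem)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before publishing:", leaked_identifiers(sample))
    print("after scrubbing:  ", leaked_identifiers(scrub_metadata(sample)))
```

Run the same two functions over a real export (the bytes of any .docx) to see what a harvester would collect; docProps/app.xml can carry a company name and application version as well and deserves the same review.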

Physical Tools For Social Engineering

Sometimes, preparing for and conducting social engineering attacks involves physical entry attempts, pretexting, surveillance and dumpster diving.
There are additional tools that work well for these operations.
Let’s look at some of the ones I have found to work well.

Note: Some of the following links are affiliate links. If you purchase an item using the link, I will receive a small commission.

Button Camera

Button cameras can be very useful for performing recon. Maybe you need to find out more information about the inside security measures of an organization. You can use a covert button camera like this one to record while you make an initial visit.

Hat Camera

Hat cameras are another useful way to covertly conduct reconnaissance. They work well for outdoor surveillance or as part of a delivery person pretext.

Implantable Wireless Camera

For social engineering engagements that include the acquiring of intellectual property, a great attack is implanting a secret camera in a board meeting room. Implantable wireless cameras are the tool of choice for this.

Hands Free Night Vision Goggles

If you are doing physical break-ins after hours, night vision goggles may be a beneficial tool. This is typically for attacks where you won’t encounter a person. Imagine trying to explain to a security guard why you have them on.

Lock Picking Set

You have to have a lock picking set for physical entry. Any lock pick set that is your favorite will work.

Social Engineer’s Clothing

The clothes that a social engineer will need are just as varied as the pretexts they come up with. However, here are a few standard items:

  • Thick shirts with long sleeves for dumpster diving
  • Steel toe boots
  • Chest waders for dumpster diving
  • Suit
  • Lab coat
  • Hard hat
  • Business casual outfit
  • Regular street outfit

Chapter 6

Effective Defense Strategies

So, if 97% of data breaches and network compromises begin with social engineering, what can you do?

What are the defense strategies to not become a victim?

There are actually a few things that you can do to drastically reduce the likelihood you will become a victim.

Let’s look at some.

The problem that we have with trust in cybersecurity is this: we have been taught to trust people.
If you stop to think about it, most of our society is built on trust.
Think about it: when you go to the store, they trust you will pay for what you select, right?

Likewise, when you are employed by a company, you trust they will pay your wages, right?
And this trust that we have is warranted for the most part.
Our society couldn’t function without it.
But social engineers are aware of this trust issue and take advantage of it.

How is social engineering prevented?

Social engineering is prevented by training people to detect attacks. Of course, this takes time and multiple approaches, but security awareness training is very effective.
The bottom line is we have a trust problem.
To solve this problem, we need to “rewire” ourselves.
In recent years, there has been a push to use multi-factor authentication.
Why?
Because it has been proven that someone knowing a username and password is simply not enough to validate that they are who they say they are.

You need to force this multi-factor authentication mentality into everything.
Here’s what I mean:
When someone emails you that the CEO needs a wire transfer to a certain vendor, pick up the phone and call the CEO to verify it is valid.
Note: Never call the number provided in the email. Instead, use the one in your directory.
When it comes to this, it’s not “Trust but verify.”
Instead, it’s “Never trust until verified.”

Social Engineering Education

Education is probably the most effective way to avoid being misled during a social engineering attack.
The fact is:
Most people simply don’t think about the bad actors.
They wouldn’t even know why or how someone would social engineer them.
These people must be educated as a first step.
Otherwise, they’ll never even begin to identify social engineering.
In fact, the Center for Internet Security (CIS) includes a security awareness training program in the 20 security controls that every organization should implement.

Training about social engineering should be part of a larger security awareness program.
Effective methods of training include sending phishing emails to employees and providing extra education to those who fail.

KnowBe4 – Security Awareness Training Platform

Most data breaches are successful only because of human error.

That is why KnowBe4 has created a tool to allow organizations to train their users before the bad guys get to them.

With hundreds of training modules and videos for all industries including regulated ones, it’s the most comprehensive training platform of its kind.

For phishing simulation, there are thousands of templates. Or you can create your own.

If you want to secure your organization, user training should be at the top of the list.

KnowBe4 is the tool to do it.

Information Sharing Policies

During your organization’s risk assessment, you should identify data that could harm your organization if it is leaked.
Of course, this would include the typical proprietary information.
But you should also think about non-compromising data that could be used with other data in a harmful way.
Here’s an example:
While it may seem harmless for someone to know the extension of an employee at your organization, it could become dangerous should they know the extension of accounting.
With that knowledge, they could call pretending to be a C-Level executive.
Similarly, it would seem totally benign if someone called trying to sell your organization anti-virus and, when declined, asked what brand is already in place.
But what if that was an attacker seeking to gain that information so they can create an attack that will work on your systems?
The best thing is to simply not share information with anyone outside your organization.
Of course, that won’t always work.
So, if your policy outlines company-sensitive information, create processes that validate people are who they say they are before any information is shared.
When the ISP calls to work out a problem and asks you to remind them of your public IP address, simply tell them that your policy requires you to verify them.
Hang up.
Call back the number you have on hand for that vendor.
If it’s really them, proceed with the conversation.
This two-factor authentication for conversations can help prevent a lot of social engineering compromises.
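The “never trust until verified” rule from earlier in this chapter and the hang-up-and-call-back procedure above, written as one small decision routine that a help desk or finance team could script into its ticketing flow. This is an added example, not code from the original guide or from any vendor; the directory entries, phone numbers, request fields and function names are constructed placeholders.

```python
"""Out-of-band verification of a sensitive request before acting on it.

Constructed example: the directory is the ONLY trusted source of callback
numbers. Contact details supplied inside the request are never dialled.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed internal directory (placeholder numbers), e.g. from HR/phone system.
DIRECTORY = {
    "ceo@example.com": "+1-555-0100",
    "isp-support": "+1-555-0199",
}

# Actions that the information-sharing policy flags as requiring verification.
SENSITIVE_ACTIONS = {"wire_transfer", "disclose_public_ip", "disclose_av_vendor"}


@dataclass
class Request:
    claimed_identity: str    # who the email or caller says they are
    action: str              # what they want us to do or reveal
    contact_in_message: str  # number/address the requester supplied


@dataclass
class Decision:
    allowed: bool
    callback_number: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def plan_verification(req: Request, confirmed_by_callback: bool = False) -> Decision:
    """Decide whether a request may proceed; callback always goes via DIRECTORY."""
    if req.action not in SENSITIVE_ACTIONS:
        return Decision(True, reasons=["action not sensitive; no verification needed"])
    directory_number = DIRECTORY.get(req.claimed_identity)
    if directory_number is None:
        return Decision(False, reasons=["claimed identity not in directory: refuse"])
    reasons = []
    if req.contact_in_message != directory_number:
        reasons.append("contact in message differs from directory: ignore it")
    else:
        reasons.append("contact matches directory, but still call back via directory")
    if not confirmed_by_callback:
        reasons.append(f"hang up / do not reply; call {directory_number} and confirm first")
        return Decision(False, directory_number, reasons)
    reasons.append("confirmed via directory callback: proceed")
    return Decision(True, directory_number, reasons)
```

The first call on a sensitive request always returns a refusal plus the directory number to dial; only after that callback succeeds does a second call with `confirmed_by_callback=True` allow the action.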

BONUS CHAPTER: Social Engineering Case Studies

Frank Abagnale – Master of Social Engineering

Frank Abagnale may be the absolute epitome of social engineering.
He was prolific at the skill.
Abagnale was a scam artist who pretended at different times to be a pilot, doctor, and lawyer.
His book is a fabulous read, and I highly recommend you get it.
But let’s talk about one scenario.
Abagnale was being pursued by the FBI and was eventually caught in Europe.
Ultimately, he was sent to the federal prison in Atlanta.
As coincidence would have it, the US marshal who took him to prison forgot his paperwork that day.
Because prisons were under scrutiny at the time and it wasn’t uncommon for undercover inspectors to pretend to be inmates, everyone thought the US marshal forgetting his papers was a cover-up.
Everyone thought Abagnale was really an inspector.
He knew he could use that to his advantage.
So, he called his girlfriend and asked her to visit.
While she was there, he asked her to pretend to be a journalist and go interview the chief prison inspector and get his business card.
She already had the FBI agent’s card from her interview with him.
Next Abagnale approached the prison superintendent and presented the prison inspector’s business card his girlfriend had obtained.
He explained that he really was an inspector and had completed his inspection.
He requested to speak to the FBI agent.
The number on the card had been changed to go to a pay phone.
Long story short, the “FBI Agent” came to the prison to discuss the investigation with Abagnale and he left the prison.
We can’t get into how he escaped the subsequent police raid, but you should check out his book as he has tons of stories that are mind-blowing.
Abagnale was a master social engineer.

Target Data Breach

Yes, the Target breach that we all heard about began with social engineering.

And not even at Target, but at an HVAC provider for Target.
You see:
Target allowed the company that controlled its HVAC and refrigeration system to have remote access to its network.
Even worse, this was the same network with payment card information.
The HVAC company was compromised by a phishing attack, and the credentials they used to access Target’s network were compromised.
The attackers were then able to pivot and steal payment information.
So, one of the largest breaches in the last decade started with social engineering.

Yahoo Breach

It was one of the biggest data breaches of all times.
But like 97% of data breaches, it started with social engineering.
In 2014, hackers looking to gain access to Yahoo’s systems began by sending spear phishing emails to mid-level employees.
One of the employees fell for it.
That’s all it took.

With this access, the attackers were able to enumerate the network and find the database and the account management tool.
Next, they were able to install tools to maintain persistent access and proceeded to copy portions of Yahoo’s database to local computers via FTP.
So, while this breach ended up being of epic proportions, it started with social engineering.
An example for all of us of just how bad a breach a social engineering attack can lead to.

BONUS CHAPTER: Social Engineering Attack Playbook

Now that you have a deep understanding of social engineering, I want to give you a few pretexts that you can make use of for a social engineering engagement.
This is by no means an exhaustive list.
You should be creative and come up with scenarios appropriate for your engagement.

Pretext Email – Critical Microsoft Security Update

Type of attack: Email
Objective: For target to open payloaded file and gain shell access
Tools: Social Engineer’s Toolkit

For this attack, it is best if you have already established during your reconnaissance that the organization uses Microsoft products.
You will need to use SET to create a payloaded Adobe PDF, one that will initiate a TCP shell.
For the email, use the subject Critical Microsoft Security Bulletin.

Then, inside of the email, use something like this:
Microsoft takes the security of our applications with the utmost importance. Therefore, we proactively notify our customers of critical updates so they can be patched as soon as possible. Please find the attached file outlining the last critical update. As this is for a remote code execution vulnerability, it is paramount that you address it immediately.
Microsoft Security Team

Pretext Email – Company with cash to spend

Type of attack: Email
Objective: For target to open payloaded file and gain shell access
Tools: Social Engineer’s Toolkit

This attack should be planned for the appropriate season.
If it is sent at a time that doesn’t coincide with the tax scenario, it could come off as suspicious.
However, because marketing and sales people are usually so eager to make sales, they may overlook it.
Either way, you should probably feel out the individuals before this email.
It could involve a combination of vishing and emailing.

For the email, use something like this:
Hi, [person’s name],

Based on our conversation earlier, I wanted to follow up with a quick email.
I am with [company]. Fortunately, we’ve had a very successful year thus far. So much so that we have about $1.5 million that we are looking to spend before taxes are due. We figured it would be a good time to take care of some of those upgrades that we have been wanting to do.
Anyhow, I have attached a PDF outlining what we are looking for that we felt [attacker’s company] may be able to help us with.
Please review and let us know your thoughts.

Pretext Phone Call – Get IT to visit malicious site

Type of attack: Phone, Web
Objective: For target to open backdoored website and gain access to computer
Tools: Browser Exploitation Framework

This attack works well if you are trying to gain access to a network.
You can target someone in Helpdesk, and since they sometimes have admin access in various places throughout the network, you may get a lot of return.
You will need to have set up a booby-trapped website in advance.

The call would go something like this:

Use a spoofed number to appear as if someone from within the company is calling.
Hi, [person’s name],

This is [name].
I’m [C-Level Person’s] secretary.
Listen, I need some help.
[C-Level] has a meeting with this important new potential client in an hour and told me to get this report for him.
I don’t know why it’s so important to him, but he said it has to have this data from a certain website.
Anyhow, I can’t get that website to load for anything.
I’m pretty tech illiterate, so it may be my mistake.
Can you see if you can get it to load or if it’s just me?
[Answer]
Ok. The URL is [URL of malicious site already set up].
[Once sure person has visited and browser exploited:]
Oh wait! It just loaded.
What did you do?
[Answer]
Well, whatever you did, it worked.
Thanks a lot!

This brings me to another important point.
It is important that you don’t leave your social engineering pretexts hanging.
I like to call this “closing the loop.”
What I mean is, you shouldn’t leave anything in your pretext hanging or unresolved that could arouse suspicions later.
In the case of the website pretext above, the “Oh, it just loaded” was precisely that.
It was an effort to resolve the issue so IT wouldn’t think it suspicious.

Now It’s Your Turn

So those are some of the strategies and tools I use for social engineering.

Now I want to turn it over to you: Which of the strategies or tools from today’s guide are you going to try out first?

Are you going to practice reciprocity? Or start using SET? Do you still have a lingering question that you want to be answered?

Let me know by leaving a quick comment below right now.