Security · Topic 08 of 23 · Part II — Catalog of testing methodologies

Social Engineering

The target is a person, not a system — access gained through a phone call, an email, or a physical encounter rather than a technical exploit.

Syllabus: § Testing Methodologies and Tools of the Trade (2, 4) → Social engineering
Topic 08 · Human-targeted attacks

The cheapest attack that bypasses every technical control

By the end of this topic you can:
  • Define social engineering and place it in the methodology landscape
  • Explain the psychological principles that make it effective
  • Enumerate the main attack vectors — phishing, vishing, smishing, pretexting, baiting, tailgating, quid pro quo
  • Plan an authorized social-engineering exercise with scope, pretexts, safeguards, and debrief
  • Conduct and defend physical intrusion testing with appropriate authorization and safety protocols
  • State the ethical constraints that distinguish authorized testing from harmful manipulation

What social engineering is

The deliberate use of human-to-human interaction (real or simulated) to obtain information, access, or actions to which the attacker is not entitled, by exploiting trust, authority, urgency, or other psychological levers.
Defining feature: A human is in the loop. The attack targets a human decision, not a technical flaw.
Wrong framing: Dismissing targets as "PICNIC" or "ID-10-T" errors is wrong and dangerous. Humans are being attacked by professionals whose entire skill is making harmful actions look legitimate.

Why it works — psychological levers

Cialdini's catalog

  • Authority. Comply with perceived experts or senior figures ("from the CEO")
  • Reciprocity. Feel obliged to return favours; a small gesture creates pressure
  • Liking / rapport. Comply more with those we find likeable; attackers build rapport first
  • Social proof. "Other employees already updated their password"
  • Scarcity / urgency. "Two hours before your account is suspended"
  • Commitment / consistency. Foot-in-the-door: small yes leads to larger yes
  • Fear. Threat of trouble, embarrassment, or loss

Modern additions

  • Curiosity. "Salary spreadsheet — final.xlsx" on a misaddressed email
  • Helpfulness. Most people want to be useful; small help requests work
  • Diffusion of responsibility. In groups, individuals are less likely to challenge a suspicious request

Targets are not stupid. Their cognitive shortcuts are being targeted on purpose, often by people doing nothing else for a living.

Attack vectors — the taxonomy

Vector          How it works
Phishing        Untargeted email — extract credentials, deliver malware, or induce a harmful action
Spear-phishing  Targeted, OSINT-driven pretext; much higher success rate per target
Whaling         Spear-phishing of senior executives; gateway to wire-fraud and BEC schemes
Vishing         Voice — impersonating IT, banking, suppliers, or regulators; effective against helpdesks
Smishing        SMS phishing; dominant in some regions; mobile lacks email-level security tooling
Pretexting      Fabricated scenario: "I'm from IT, I need to reset your VPN"
Baiting         USB labeled "Salaries" in a parking lot, or an online download lure — activated voluntarily
Tailgating      Following an authorized person through a controlled door
BEC             Compromised executive or supplier email redirects payments; often no malware involved
MFA fatigue     Repeated push notifications until the target approves out of irritation or confusion

Planning an authorized exercise

A poorly planned exercise damages morale and erodes the trust security awareness depends on.

  1. Define objective
  2. Get authorization
  3. Design pretext
  4. Set boundaries & safeguards
  5. Agree stop conditions
  6. Debrief every target

Non-negotiable: Real credentials must never reach the tester's system in usable form. Any payload must be inert. Authorization must be at C-suite or board level. Every targeted individual receives an honest, non-shaming debrief; the goal is to teach, not to catch.

Pretext ethics — what is and isn't defensible

Defensible patterns

  • Generic "IT password reset" or "package delivery" pretexts that mirror real attacker traffic
  • Plausible internal scenarios ("payroll update") matching what attackers actually use
  • Tests of specific control points — helpdesk reset, supplier-payment changes

Rule out (or justify carefully)

  • Impersonating real named individuals — executives or named suppliers
  • Pretexts using bereavement, illness, or family emergencies
  • Pretexts threatening employment ("HR — performance review")
  • Pretexts involving regulators or law enforcement
  • Anything that could embarrass an individual personally
Fairness test: Would the most reasonable, security-aware employee recognize this as a deliberate test on debrief, and feel it was fair? If not, reconsider.

Vishing — voice social engineering

  • Caller-ID spoofing. Makes outbound calls appear to come from a legitimate number. Ethically laden; authorization must explicitly approve; regulated in some jurisdictions.
  • Live-conversation unpredictability. Real-time; improvisation is risky and testers can be caught by unexpected questions. Scripts must be rehearsed in pairs before the engagement.
  • Physical location matters. Background noise matching the pretext increases success. Tester nervousness is audible. Mock calls are essential.
  • Escalation path. Authorization documents must be physically present at the testing location. Tester must identify immediately if genuinely escalated to.
Operational rule: Vishing is always performed in pairs: one caller, one observer who monitors, takes notes, and can intervene or abort.

Physical intrusion — reconnaissance and access

Passive reconnaissance (public areas only)

  • Site mapping. Entry points, camera placement, badge readers, guards — from parking lots and Street View
  • Behavioral observation. Door-propping frequency, badge-checking discipline, peak foot traffic, contractor patterns
  • OSINT applied physically. LinkedIn for org structure, naming conventions; visitor parking patterns
  • Dumpster diving. Legality varies by jurisdiction: public garbage is typically fair game; bins behind fences are trespassing. High yield: org charts, password reset instructions, vendor names

Active access techniques

  • Tailgating. Follow authorized person through controlled door; social awkwardness keeps doors open
  • Badge cloning. Capture RFID ID at distance (Proxmark3), replay on programmable badge; fails on rolling codes / encrypted systems
  • Lock picking. Non-destructive entry; legal only with explicit authorization
  • Impersonation. Contractor, IT support, auditor pretext; authority and plausible paperwork matter
  • Fake credentials / uniforms. Impersonating actual uniformed services (police, fire) is usually criminal

Physical intrusion — authorization and safety

  • Executive sign-off: CISO + VP of Facilities. Physical security teams must be informed; surprise physical testing is extremely risky.
  • Trusted agent. Someone in or near the building who can stop the test immediately if a real incident occurs or the tester is physically challenged.
  • Rules of engagement in writing. Which areas, which methods, which deceptions, which hours. Stop conditions must be explicit.
  • If challenged: identify immediately. State the authorization, produce documentation. Never escalate, never run, never impersonate anyone.
  • Post-engagement debrief with physical security to distinguish controls that worked from failures, and to plan remediation.
Scope narrowly: Physical intrusion is expensive, high-risk, and operationally complex. One building, one methodology, specific objectives, not "test the whole organization's physical security."

Defenses and what testing measures

  • Awareness training — scenario-based, role-tailored. Annual compliance clicks are ineffective.
  • Process design — verified-channel callback before unusual payments; out-of-band MFA reset confirmation; visible reporting paths for suspicious messages.
  • Technical controls — DMARC/SPF/DKIM; phishing-resistant MFA (FIDO2, passkeys); attachment sandboxing; URL rewriting; anomaly detection.
  • Culture — explicitly empower staff to question authority-looking requests; reward good-catch reports; do not punish those who fell for tests.
The deliverable: Never "your employees are stupid." Always: this control fired / failed; this process can be exploited; this training category is or is not working.
Structural fix: Phishing-resistant MFA (FIDO2 / passkeys) makes credentials physically unreplayable by the phishing site. "Phishing succeeded" becomes a finding about the missing control, not the employee.
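What "anomaly detection" looks like for the MFA-fatigue vector in the taxonomy above, as an added example that is not part of this course page: it scans constructed push-MFA log lines for an approval preceded by a burst of rejected or timed-out prompts, which is the trace a fatigue attack leaves behind. The log format, user names and thresholds are assumptions, not any vendor's real schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed push-MFA log lines (sample data, not from any real system):
# timestamp, user, method, result.
SAMPLE_LOG = """\
2024-03-04T02:11:05Z alice push DENIED
2024-03-04T02:11:40Z alice push DENIED
2024-03-04T02:12:20Z alice push TIMEOUT
2024-03-04T02:13:02Z alice push DENIED
2024-03-04T02:13:55Z alice push APPROVED
2024-03-04T09:00:10Z bob push APPROVED
2024-03-04T09:45:00Z bob push DENIED
2024-03-04T10:30:00Z bob push APPROVED
"""

REJECTED = ("DENIED", "TIMEOUT")

def parse_log(text):
    """Parse the assumed log format into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, _method, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events

def detect_mfa_fatigue(events, min_rejections=3, window=timedelta(minutes=10)):
    """Flag each APPROVED push that follows at least min_rejections rejected or
    timed-out pushes for the same user inside the window. One denial is a
    mistyped prompt; a burst ending in an approval is the fatigue pattern."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))
    findings = []
    for user, seq in by_user.items():
        for i, (ts, result) in enumerate(seq):
            if result != "APPROVED":
                continue
            burst = [t for t, r in seq[:i] if r in REJECTED and ts - t <= window]
            if len(burst) >= min_rejections:
                findings.append({"user": user, "approved_at": ts,
                                 "rejections": len(burst), "burst_started": burst[0]})
    return findings

if __name__ == "__main__":
    for f in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"MFA fatigue suspected: {f['user']} approved at {f['approved_at']} "
              f"after {f['rejections']} rejected prompts since {f['burst_started']}")
```

An approval at 02:13 after four rejections in three minutes is the finding; bob's single daytime denial is not. Tune the window and threshold to the authenticator's own prompt cadence before alerting on production logs.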

Tools

  • Gophish. Open-source phishing campaign framework. Templates, landing pages, target lists, click tracking. The dominant open-source choice.
  • SET — Social-Engineer Toolkit. Multi-vector SE framework: phishing, payload generation, infectious media, web cloning. More attack-oriented than testing-oriented.
  • BeEF — Browser Exploitation Framework. Hooks into browsers visiting a controlled page. Browser-side post-exploitation rather than a standalone phishing tool.

Commercial platforms (KnowBe4, Cofense, Hoxhunt, Proofpoint) are widely used for ongoing SE testing programs. The methodology is the same; the tooling is glossier.

Check — pretext ethics

Scenario

A client wants a phishing test using a pretext that impersonates their CEO by name. What concerns do you raise, and under what conditions — if any — would you proceed?

Answer

Concerns: (1) ethical — using a real person's identity in a deception; (2) operational — could damage the CEO's standing if exposed publicly; (3) legal / trust — without personal authorization, risks personal litigation. Proceed only if: the CEO has personally and explicitly authorized use of their name; the pretext is generic in their voice rather than disclosing genuine personal information; the debrief makes the authorization clear; and targets are not penalized for falling for it.

Check — what to measure

Reflection

Why is reporting rate a more meaningful metric than click rate in a mature social-engineering test program?

Answer

Click rate measures lure quality more than staff vigilance — better lures yield more clicks regardless of training. Reporting rate measures whether staff recognize and act, exercising the human detection sensor. A mature program treats every targeted employee as a sensor: the goal is detection, not avoidance of clicks.
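The reflection above argues for reporting rate over click rate, and the deliverable rule says findings are about controls and processes. As an added example that is not part of the course material, this scores a constructed campaign in that spirit: lure effectiveness, sensor effectiveness and speed, and how many clicks landed after the first report (a takedown-process finding). The record layout, user IDs and timestamps are assumptions; the landing page is assumed to log only that a form was posted, never its contents, per the inert-payload rule.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

@dataclass
class Recipient:
    """One targeted employee. 'submitted' records only that a form was posted;
    the credential itself is never stored (inert-payload rule)."""
    user: str
    clicked_at: Optional[datetime] = None
    submitted: bool = False
    reported_at: Optional[datetime] = None

SENT_AT = datetime(2024, 3, 4, 9, 0)
# Constructed results of one lure sent to ten recipients (sample data, not a real campaign).
CAMPAIGN = [
    Recipient("u01", clicked_at=datetime(2024, 3, 4, 9, 1), submitted=True),
    Recipient("u02", clicked_at=datetime(2024, 3, 4, 9, 5), reported_at=datetime(2024, 3, 4, 9, 6)),
    Recipient("u03", reported_at=datetime(2024, 3, 4, 9, 2)),
    Recipient("u04", reported_at=datetime(2024, 3, 4, 9, 11)),
    Recipient("u05", clicked_at=datetime(2024, 3, 4, 10, 40)),
    Recipient("u06"),
    Recipient("u07"),
    Recipient("u08", reported_at=datetime(2024, 3, 4, 9, 4)),
    Recipient("u09", clicked_at=datetime(2024, 3, 4, 9, 15), submitted=True),
    Recipient("u10"),
]

def campaign_metrics(recipients, sent_at):
    """Score the campaign as control findings, never as a verdict on individuals."""
    n = len(recipients)
    clicked = [r for r in recipients if r.clicked_at]
    reported = [r for r in recipients if r.reported_at]
    delays = sorted((r.reported_at - sent_at).total_seconds() / 60 for r in reported)
    first_report = min((r.reported_at for r in reported), default=None)
    # Clicking and then reporting is still a good catch, not a failure.
    clicked_then_reported = sum(1 for r in reported if r.clicked_at and r.reported_at > r.clicked_at)
    # Every click after the first report is a process finding: a prompt takedown would have prevented it.
    late_clicks = sum(1 for r in clicked if first_report and r.clicked_at > first_report)
    return {
        "recipients": n,
        "click_rate": len(clicked) / n,
        "submit_rate": sum(r.submitted for r in recipients) / n,
        "report_rate": len(reported) / n,
        "clicked_then_reported": clicked_then_reported,
        "minutes_to_first_report": delays[0] if delays else None,
        "median_minutes_to_report": median(delays) if delays else None,
        "clicks_after_first_report": late_clicks,
    }
```

Read the output the way the deliverable section asks: a 40% click rate says the lure was convincing, a first report two minutes after send says the human sensor works, and three clicks after that report say the report-to-takedown process is the control to fix.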

What you take home

  • Social engineering targets human decisions — cheap, scalable, and bypasses technical controls
  • Seven Cialdini levers plus curiosity, helpfulness, and diffusion of responsibility explain why it succeeds
  • Vectors span phishing through spear-phishing, vishing, pretexting, baiting, tailgating, BEC, and MFA fatigue
  • Authorized exercises need C-suite sign-off, inert payloads, defined boundaries, and a non-shaming debrief
  • Pretext ethics: named-individual impersonation, bereavement, and law-enforcement pretexts require strong justification or are ruled out
  • Physical intrusion is higher-risk: VP of Facilities must authorize; identify immediately if challenged; trusted agent required on site
  • The deliverable is a finding about controls and processes — never a verdict on employees

Next: Topic 09 — Vulnerability scanning. Moving from human-targeted attacks to automated technical discovery.

END · TOPIC 08

The target is human. So is the tester.

Review the planning checklist and pretext ethics before your first authorized exercise.