
Human Attacks

Published 2024-10-11 20:49:19

Before I talk about the different types of social engineering attacks, I would like to take a quote from Chris Hadnagy's book, The Science of Human Hacking. He says, "A professional social engineer's goal is to educate and assist rather than humiliate to win." The whole purpose of this chapter is for you to understand the way most people make decisions and how to help organizations educate their end users to recognize when someone is trying to take advantage of them for gain. Education and training are among the most important things you can do to secure your organization, but unfortunately they are also among the first things to get cut from a budget.

If you are doing any social engineering campaign, just like any penetration test, it must be documented and permission must be given. You also have to be careful with any type of impersonation. I had a student take my Metasploit class as a result of a decision he made to internally phish his organization and impersonate a three‐letter agency. The campaign was discovered because the comptroller of the company he worked for was married to an agent for this three‐letter agency. She made a phone call to ask him if the agency was indeed being audited.

Phishing is one of the most popular ways to gain access to an organization. Through open-source intelligence (OSINT), you know who works for the organization and the positions they hold. You know from press releases what the company is excited about. Sometimes penetration testers use phishing for knowledge and sometimes for gain. If we are able to compromise a system with credentials stolen through a phish, because we successfully extracted information from an end user, we can attempt to elevate those privileges to administrative levels, just like a bad actor would. The purpose of this type of phishing test is to leverage what we find into further access. Phishing will often take advantage of things going on within the organization, or of popular current events or disasters.

Vishing (voice phishing) is still popular, which surprises me. I never answer the phone. In fact, most people will text me if they are about to call me. Vishers use the telephone to gain access to personal or financial information. One vish I have seen in the news lately targets older people with college-age grandchildren. With enough OSINT, criminals know enough to impersonate the grandchild and call the grandparent, claiming that the grandchild has gotten into trouble and needs money sent. If the grandchild is away at school, odds are the parents are not in constant contact. Smishing (SMS phishing) sends a text message to a mobile phone to attempt to gain access to personal information, with the same intention as phishing or vishing.
