Hacker Tradecraft · Volume 17

Hacker Tradecraft Volume 17 — Social Engineering Tradecraft

The human attack surface at engineer depth — the academic psychology that underwrites the technique, OSINT as the reconnaissance phase, pretexting as the operational core, the phishing / vishing / smishing delivery channels, physical entry, and the layered defense model that has to assume every other control will eventually fail

Contents

1. About this volume
2. The psychology — principles SE exploits
3. OSINT — the reconnaissance phase
4. Pretexting — building and running a cover
5. Phishing, vishing, smishing — the delivery channels
6. Physical entry — tailgating, badge clone, the SE physical chain
7. Defense — awareness programs, technical controls, the human firewall reality
8. Cross-reference index
9. Resources

1. About this volume

This is the fifth and final volume of the reference cluster (Vols 13-17) and closes the cluster on the side of the practice that the engineering volumes have been pointing at the whole time. Vol 13 covered SDR and sub-GHz at I/Q and receive-chain depth; Vol 14 covered the 2.4 / 5 / 6 GHz Wi-Fi and BLE attack surface; Vol 15 closed the RF half with LF / HF RFID, NFC, and the access-control card ecosystem; Vol 16 opened the non-RF half with physical-access computer hacking — HID injection, keyloggers, the Hak5 implant family. This volume covers the human attack surface — the techniques by which an operator (or a criminal, or a state actor) manipulates a person into disclosing information, granting access, or running a payload. It is the layer that ties the other four together at the engagement level. Pure-RF engagements happen, and pure-physical-implant engagements happen, but the modal modern engagement chains social engineering with one or both of the technical halves.

The reader — tjscientist, a 45-plus-year EE and software engineer — already knows the rough shape of the field, has read the canonical Mitnick book at some point, and has watched the DEF CON Social Engineering CTF write-ups when they were fresh. What this volume does is wrap the social-engineering category in the security-research framing that the rest of the cluster has been deferring here, set it on the academic foundations the practitioner literature draws on (Cialdini for the influence principles; Kahneman for the cognitive-bias literature; Hadnagy for the practitioner adaptation; Mitnick for the field-account tradition), give the per-channel delivery patterns at the level of fidelity an engineer wants, and frame the defender’s view at the same depth as Vol 16 §7 and Vol 10 §3 treat the host-and-network defender’s view.

Reference-cluster role. Like Vols 13-16, every H2 heading in this volume becomes a frozen vol17-<heading-slug> anchor at first commit. The headings are deliberately chosen to be time-stable (5-12 words, slug-friendly, no / or & characters — the Vol 11 RF/HID slug-collision lesson now applies cluster-wide). Other Hack Tools deep dives deep-link into these anchors as HackerTradecraft_Complete.html#vol17-<slug>. The primary inbound cross-references are from inside the series: Vol 7 §4 treats social engineering as the black-hat criminal-economy’s dominant initial-access vector; Vol 11 §4 treats it as the red-team operator’s principal foot-in-the-door technique during sanctioned engagements; Vol 10 §3 and Vol 12 §4 treat the blue-team and purple-team defender’s view; Vol 16 §6 treats SE as the connective tissue between the recon and physical-implant stages of the combined-workflow chain. The outbound cross-references go to the tool deep dives where the technical delivery happens — the WiFi Pineapple deep dive for the rogue-AP / captive-portal delivery stack, the Ducky Script deep dive for the HID-injection payload that the SE pretext lands.

What this volume does and does not duplicate. This volume covers the human-attack-surface methodology at engineer depth. It does not re-derive the rogue-AP technical stack that delivers a phishing landing page from a Pineapple — that’s the WiFi Pineapple deep dive’s job — and it does not re-derive the DuckyScript payload language that an attacker types at machine speed after a successful pretext gets them five seconds at the keyboard — that’s the Ducky Script deep dive’s job. What it covers is the layer between those technical halves and the human: why a person clicks the link, what makes a pretext work, how a campaign is run from recon through cash-out, what a defender does about it, and where the legal lines fall.

Posture, up front. Every technique catalogued here is dual-use. The principles of influence in §2 are taught in every business-school marketing course because persuasion is a legitimate skill; the OSINT techniques in §3 are taught in every journalism and investigative-research course because gathering public information is a legitimate skill; the pretexting taxonomy in §4 is the working method of every authorized red-team operator and every undercover law-enforcement agent. None of them is illegal in the abstract. What is illegal is the specific combination: applying these techniques against a system, organization, or individual without authorization, to induce a harm — disclosure of information that should not have been disclosed, transfer of funds that should not have been transferred, access to systems that should not have been granted. The U.S. statutory framework that governs the harms catalogues them across the Computer Fraud and Abuse Act (18 U.S.C. § 1030),[1] the federal wire-fraud statute (18 U.S.C. § 1343),[2] the Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.),[3] and the Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028). State-law analogs add their own layer (California Penal Code § 502, New York Penal Law § 156, every state’s analog), and outside the U.S. the equivalent statutes are typically the Computer Misuse Act 1990 (UK), the Strafgesetzbuch §§ 202a-202c (Germany), the Cybercrime Act 2001 (Australia), the Council of Europe Cybercrime Convention’s domestic implementations. The legal frame is identical to the lines drawn in Vol 16 §7 and the project-wide legal_ethics.md: own the systems you’re testing, or have written authorization, or stay on the defender’s side of the line. There is no “research” exception. Vol 19, when authored, will treat the full statutory framework at depth.


2. The psychology — principles SE exploits

Social engineering is the applied end of a deep academic literature on human influence and decision-making that long predates the security field. The technique catalog in §4 and the delivery channels in §5 work because people make decisions in characteristic, predictable ways under characteristic, predictable circumstances — and the patterns the social-engineering practitioner exploits are the same patterns that legitimate marketers, salespeople, fundraisers, undercover law-enforcement, intelligence-service handlers, lawyers, doctors, teachers, and parents have been using (with various justifications, various stakes, various transparency) for as long as humans have been persuading each other. This section walks the foundational academic frame (§2.1), the urgency / cognitive-load layer that distinguishes SE manipulation from neutral persuasion (§2.2), the Hadnagy practitioner adaptation (§2.3), the substantive table mapping each principle to its SE attack form (§2.4), and the reason knowing the principles does not make a person immune (§2.5).

2.1 Cialdini’s six principles of influence — the academic foundation

Robert Cialdini’s Influence: The Psychology of Persuasion was first published in 1984 and is now in its revised expanded edition (Harper Business, 2021 reissue with a seventh principle, “Unity,” added).[4] The book consolidated three years of Cialdini’s “undercover” fieldwork — he took entry-level training jobs at used-car dealerships, fundraising operations, and telemarketing firms specifically to observe practitioners of persuasion at work — and identified six recurring psychological patterns that effective persuaders exploit and ineffective ones miss. The six principles have become the de facto organizing framework for the entire field. They are taught in business schools as the canonical marketing primer; they are taught in security-awareness training as the canonical SE primer; they appear in essentially every published social-engineering practitioner manual since Hadnagy’s 2010 first edition. The six (in Cialdini’s ordering):

Reciprocity. People who receive a gift, favor, or concession from another person feel a culturally-ingrained obligation to reciprocate. The mechanism is so robust that even unsolicited and unwanted gifts trigger it — Cialdini’s classic example is the Hare Krishna airport-fundraising operation in the 1970s, where the gift of a flower (unrequested, frequently unwanted, sometimes thrown in a nearby trash can within seconds) sufficed to substantially increase the rate at which the target made a subsequent donation. In SE terms: an attacker who has done a small favor for a target (helped carry a box, held a door, dropped off coffee, provided “free” IT advice) has loaded the target’s psychological balance sheet with a debt that the target’s cultural conditioning will push them to discharge. The favor that triggers reciprocity costs the attacker little; the access or information that discharges it can be worth a great deal.

Commitment and consistency. Once a person has committed to a position — even verbally, even tentatively — they feel an intense pressure to behave in ways consistent with that commitment. The mechanism is rooted in the deep human need to view oneself as a coherent, integrated, stable person. Cialdini’s classic example is the “foot in the door” sales technique: get the customer to agree to a small request first (sign a petition, accept a free trial, agree that safety is important); the larger ask that follows leverages the customer’s now-active need to behave consistently with the small commitment they have just made. In SE terms: an attacker who has gotten a target to confirm “yes, I’m Bob in the IT department, and yes, we use Active Directory” has primed the target to behave consistently with the implicit framing that the attacker is a legitimate party to that conversation — making the subsequent ask (“could you read me your username and the last four characters of your password so I can verify the AD record on my end?”) substantially more likely to land.

Social proof. People look to others’ behavior to determine appropriate behavior, particularly in ambiguous situations. The mechanism is the cognitive shortcut that says if everyone else is doing this, it must be a reasonable thing to do. Cialdini’s classic example is the canned-laughter track on television comedies — viewers laugh more when other (recorded) people are laughing, even though they consciously know the laughter is canned and the response is mechanical. In SE terms: an attacker who can construct a plausible appearance that other people in the target’s organization have already complied with a request (“most of your department has already submitted the form; can you do yours by EOD?”) leverages the same shortcut. The phishing email that says “ten of your colleagues have already completed the security training; please complete yours” is exploiting social proof; the in-person pretext that name-drops a senior colleague who supposedly “already approved this approach” is exploiting social proof.

Authority. People defer to authority figures. The deepest experimental evidence for this principle is Stanley Milgram’s obedience-to-authority experiments at Yale in the early 1960s,[5] in which subjects were instructed by a white-coated experimenter to deliver what they believed to be increasingly painful electric shocks to a confederate; the subjects’ willingness to continue shocking despite the confederate’s apparent suffering, on the bare authority of the experimenter, was both far higher than experts had predicted and durable across decades of subsequent replications. The lesson Cialdini draws is that uniform, title, certification, and the appearance of authority routinely produce compliance with requests that would be refused on the requestor’s individual merits. In SE terms: the attacker who shows up in a high-visibility safety vest, the attacker who claims to be “calling from corporate legal,” the attacker who carries a clipboard and a confident bearing — all are leveraging the authority shortcut. The pretext layer in §4 is largely the discipline of appearing legitimate enough to invoke the authority shortcut.

Liking. People are more willing to comply with requests from people they like. The mechanism is straightforward and the inputs to liking are well-catalogued: physical attractiveness, similarity to the target (shared background, shared interests, shared dialect, shared profession), compliments, cooperation toward a shared goal, association with positive things. The Tupperware home-party operation Cialdini analyzed in Influence is built end-to-end on liking — the seller is a friend of the host, the gathering is a social event, the purchases are made in the context of relationships rather than transactions, and the resulting sales rate dwarfs cold-calling. In SE terms: an attacker who has done OSINT homework on the target (“I see we both went to Northeastern!”; “I’m also a Bruins fan!”) is exploiting similarity-based liking; the attacker who pays attention to the target, asks personal questions, mirrors body language, and offers genuine-seeming compliments is exploiting interpersonal liking. The pretext that succeeds is often the pretext that the target likes the person delivering.

Scarcity. Opportunities appear more valuable to people when they are limited in availability. The mechanism connects to psychological reactance (people don’t like having choices removed) and to the heuristic that scarce things are typically valuable. Cialdini’s classic example is the “limited-time offer” advertising technique, but the principle generalizes. In SE terms: the phishing email that says “this offer expires in 24 hours” is exploiting scarcity; the vishing call that says “the audit team is here right now, and they need this confirmation in the next ten minutes” is exploiting scarcity-as-urgency; the “you’ve been chosen for early access to this beta program” pretext is exploiting scarcity-as-exclusivity.

The 2021 expanded edition adds Unity — the sense of shared identity between persuader and target — as a seventh principle.[6] In Cialdini’s framing, Unity is the deepest form of similarity-based persuasion: not “we have things in common” but “we are the same kind of person.” The “I’m calling from the IT department; we’re all on the same team here” pretext is exploiting Unity; the in-group / out-group dynamics of organizational psychology are the Unity principle at scale. For most practical SE analysis purposes the six classical principles plus the urgency / cognitive-load overlay in §2.2 below capture the working set; Unity is a refinement that sometimes adds explanatory power for in-group pretexts.

2.2 Urgency and cognitive load — the meta-principles

Beyond Cialdini’s six, two further patterns recur in essentially every SE attack and deserve named treatment because they are the mechanism by which the six principles are operationalized:

Urgency / time pressure. A target who has time to think will frequently see through a pretext that would have succeeded against the same target under time pressure. The mechanism, which Daniel Kahneman framed in Thinking, Fast and Slow (2011)[7] as the System 1 / System 2 distinction, is that careful analytical reasoning (Kahneman’s “System 2”) is slow, effortful, and easily suppressed by competing demands on attention. Fast, heuristic, pattern-matching reasoning (Kahneman’s “System 1”) is what runs in time-pressured situations — and System 1 is exactly the mode in which Cialdini’s six principles produce the strongest compliance, because System 1 is the mode that runs on shortcuts and social heuristics rather than careful deliberation. Time pressure is, in this sense, a meta-principle — it suppresses the very cognitive machinery that would let the target catch the manipulation. The dominant phishing-email opening is some variant of “your account will be locked in 24 hours unless…” for exactly this reason. The dominant BEC opening is some variant of “the CEO needs this wire transfer processed before close of business today” for exactly this reason. The vishing call that opens “I’m sorry, I’m calling from the IT department, your laptop has been flagged as compromised and we need to remediate it before you log out for the day, do you have a few minutes?” weaponizes urgency twice — the flagged-as-compromised framing and the before-you-log-out framing both shrink the available analytical window.

Cognitive load. A target whose attention is divided, who is tired, who is interrupted in the middle of another task, or who is operating under emotional stress makes worse decisions than they would in their analytical baseline. The mechanism is closely related to the urgency mechanism — both shrink the System 2 budget — but it operates through different inputs. The phishing campaign that is timed to arrive Friday afternoon, the vishing call that interrupts a target in the middle of a meeting, the in-person pretext delivered to a target whose laptop is also dinging with notifications and whose phone is also ringing — all leverage cognitive load. The practitioner literature is consistent that Tuesday and Wednesday morning are the worst windows for phishing-campaign success and Friday afternoon, Monday morning, and the day before a holiday are the best. The same person is harder to fool on Tuesday morning than on Friday afternoon, not because they have learned anything in the intervening days but because their cognitive load is different.

Together, urgency and cognitive load explain why the same person who would have caught the pretext in a controlled lab setting routinely falls for it in their actual work environment. The defender’s intuition that “I would never fall for that” is approximately right in the lab and approximately wrong in the wild — the wild has urgency and cognitive load that the lab does not.

2.3 The Hadnagy practitioner adaptation

Christopher Hadnagy’s Social Engineering: The Art of Human Hacking (Wiley, 2010; second edition retitled Social Engineering: The Science of Human Hacking, Wiley, 2018)[8] is the canonical practitioner adaptation of the academic literature to the security-research context. Where Cialdini wrote for a general business / marketing audience, Hadnagy wrote for the authorized red-team operator and the corporate security trainer; where Cialdini catalogued principles, Hadnagy catalogued the operational discipline of running an engagement that exploits them. The Hadnagy frame established several conventions that subsequent SE literature has largely adopted:

  • The SE engagement is a campaign, not an incident. It has a planning phase, a recon phase, an execution phase, an exit phase, and a reporting phase — the same structure as any other red-team engagement. The lone attacker firing off a one-off phishing email is the limit case, not the central case.
  • Pretext quality is the single biggest predictor of success. A well-researched, plausible, internally-consistent pretext succeeds against most targets; a thin, generic pretext fails against most targets even when the technical delivery (the email template, the spoofed caller ID, the lobby badge) is identical. The recon phase in §3 exists to feed the pretext.
  • The target’s emotional state at the moment of contact matters more than the target’s intelligence, training, or seniority. Senior executives, CISOs, and security-cleared personnel fall for SE at comparable rates to entry-level staff when the pretext is well-crafted and the timing is well-chosen. Training reduces the rate but does not eliminate it; experience does not confer immunity (see §2.5).
  • The campaign reporting is the security value, not the access obtained. An authorized SE engagement’s purpose is to produce data on the organization’s susceptibility, not to obtain credentials per se. The credentials are the proof of concept; the report is the deliverable.

Hadnagy founded Social-Engineer LLC (the consulting firm) and the Social-Engineer.org community website, both of which remain reference fixtures in the field, though Hadnagy himself departed both organizations in 2022 amid public controversy.[9] The methodology framework he established remains the canonical practitioner reference and is reproduced (with various refinements) in subsequent SE manuals including Cody Williams’s Phishing Dark Waters and the SANS SEC567 Social Engineering for Security Professionals curriculum.

Kevin Mitnick speaking at Campus Party México in 2010, two decades after his original phone-phreaking-era arrests and a decade after the publication of The Art of Deception. Mitnick (1963-2023) is the field's foundational practitioner-author: his 1990s federal case (United States v. Mitnick) was the FBI's most prominent computer-crime prosecution of the era, his 2002 book established the per-pretext field-account format that subsequent practitioner literature adopted, and his post-prison consulting career (Mitnick Security Consulting; later acquired by KnowBe4 in 2011 as its Chief Hacking Officer-led red-team operation) bridged the criminal-era reputation and the modern security-awareness-training industry. The Hadnagy practitioner literature explicitly builds on the Mitnick field-account tradition.

Figure 17.1 — Kevin Mitnick at Campus Party México in 2010. Photo: File:Kevin Mitnick ex hacker y ahora famoso consultor en redes en Campus Party México 2010.jpg by Campus Party México. License: CC BY 2.0 (https://creativecommons.org/licenses/by/2.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AKevin%20Mitnick%20ex%20hacker%20y%20ahora%20famoso%20consultor%20en%20redes%20en%20Campus%20Party%20M%C3%A9xico%202010.jpg).

The deeper Mitnick reference is The Art of Deception: Controlling the Human Element of Security (Wiley, 2002),[10] co-authored with William L. Simon and with a foreword by Steve Wozniak. The book is structured as a sequence of fictionalized field accounts of pretext-based attacks — each chapter walks a single attack from setup to payoff, then breaks down the principles that made it work and the controls that would have stopped it. The format established the practitioner-narrative tradition that the Hadnagy book then formalized into a methodology framework. The Art of Intrusion (Wiley, 2005) and Ghost in the Wires (Little, Brown, 2011) complete the Mitnick canon.

2.4 The principles-to-attacks table

The mapping between the academic principles and their working SE attack forms, in tabular form:

                  CIALDINI'S SIX + URGENCY/COGNITIVE LOAD
                  ───────────────────────────────────────

                         ┌─────────────────┐
                         │   THE TARGET    │
                         │     (System 1   │
                         │   thinking when │
                         │ under pressure) │
                         └────────┬────────┘

            ┌─────────────────────┼─────────────────────┐
            │                     │                     │
            ▼                     ▼                     ▼
    ┌───────────────┐    ┌───────────────┐    ┌───────────────┐
    │  RECIPROCITY  │    │  COMMITMENT/  │    │ SOCIAL PROOF  │
    │               │    │  CONSISTENCY  │    │               │
    │ "Here's a     │    │ "You agreed   │    │ "Most of your │
    │  small favor; │    │  to the small │    │  team has     │
    │  now this     │    │  thing; now   │    │  already done │
    │  larger ask"  │    │  the larger"  │    │  this"        │
    └───────────────┘    └───────────────┘    └───────────────┘
            │                     │                     │
            ▼                     ▼                     ▼
    ┌───────────────┐    ┌───────────────┐    ┌───────────────┐
    │   AUTHORITY   │    │    LIKING     │    │   SCARCITY    │
    │               │    │               │    │               │
    │ Uniform, title│    │ Similarity,   │    │ "Limited      │
    │ certification │    │ shared        │    │  time only";  │
    │ "I'm from     │    │ background,   │    │ "Only N seats │
    │  IT"          │    │ compliments   │    │  left"        │
    └───────────────┘    └───────────────┘    └───────────────┘


              ┌───────────────────────────────────────┐
              │    URGENCY  +  COGNITIVE LOAD         │
              │    (the meta-layer that suppresses    │
              │     System 2 and lets the above land) │
              └───────────────────────────────────────┘

Figure 17.2 — The Cialdini six plus the urgency / cognitive-load meta-layer. Each of the six core principles produces compliance through a distinct mechanism; the urgency / cognitive-load layer is what shapes the conditions under which the mechanisms reliably fire. An SE attack that combines two or three of the principles under sustained urgency / cognitive-load conditions is dramatically more effective than the same attack with any single principle invoked under calm conditions. The defender’s two main paths are (a) reduce the urgency / cognitive-load conditions under which decisions are made (mandatory wait periods, callback verification, four-eyes review) and (b) raise the target’s awareness of the principles enough that recognition kicks in faster than the urgency-driven response.

Cialdini principle | Mechanism | Canonical SE attack form | Concrete pretext example
Reciprocity | Cultural obligation to repay favors | Attacker provides small favor before the ask | “I covered your shift last month, I just need a quick favor — can you reset this password for me?”
Commitment / consistency | Need to behave consistently with prior commitments | Foot-in-the-door: small confirm → larger ask | “You’re Bob in accounting, right? Good. Bob, can you walk me through the wire-transfer approval process?”
Social proof | Looking to others’ behavior for cues | Reference to peers’ compliance | “Most of your department has already submitted the form” / “Your manager already approved this approach with me yesterday”
Authority | Deference to perceived authority | Uniform, title, claimed senior role | “I’m calling from corporate legal” / “I’m with IT security; we have an urgent issue” / High-vis vest + clipboard in the lobby
Liking | Greater compliance with liked persons | Similarity, compliments, attention | “I see you also went to State! Class of ’04? Me too!” / Mirror language; ask about personal interests from OSINT
Scarcity | Limited-availability = valuable | Time-limited or limited-seat framing | “This offer expires in 24 hours” / “We can only fit two people in this audit window; can you do tomorrow at 9?”
Unity (7th, added 2021) | Shared in-group identity | “We’re all on the same team here” framing | “I’m calling from your sister office in Atlanta; we’re all on the same team. Quick question…”
Urgency (meta) | Suppresses System 2 analytical thinking | Time-pressure framing layered on any of above | “…and they need this before close of business” / “…within the next ten minutes” / “…before the audit team leaves”
Cognitive load (meta) | Reduces analytical-thinking budget | Timing the attack to load-heavy moments | Phishing campaign timed for Friday afternoon; vishing call during a target’s known meeting block

Table 17.1 — The Cialdini six plus the two meta-principles, mapped to their canonical SE attack forms with concrete pretext examples. The table is deliberately not exhaustive on the example column — any one principle can be operationalized in dozens of pretext variants, and the practitioner literature (Hadnagy 2018, Mitnick 2002) catalogues many of them. What the table captures is the mechanism-to-attack-form mapping that every SE attack is built from. A campaign that fires multiple principles simultaneously under urgency is dramatically more effective than any single-principle attack — the BEC wire-transfer email that combines Authority (“from the CEO”), Urgency (“by end of business today”), and Liking-via-Unity (“the team is counting on this”) is hard to defeat with awareness training alone.
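The mechanism-to-attack-form mapping in Table 17.1, and the stacking effect described under Figure 17.2, can be turned into a defender-side triage heuristic. The following is an added example, not code from this volume or from any author it cites: it scores a message for cue phrases drawn from the table’s pretext examples under each principle and for urgency framing, and rates highest a message that stacks two or more principles under urgency. The cue lexicon and the four sample messages are constructed for the example and are deliberately small so that each hit is traceable to the table.

```python
"""Triage heuristic: score a message for the Cialdini principles and the
urgency meta-layer that Table 17.1 maps to social-engineering attack forms.
Added example; the cue lexicon and samples are constructed, not taken from
any product or from the authors the volume cites."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Cue phrases per principle, derived from the pretext examples in Table 17.1.
PRINCIPLE_CUES: dict[str, list[str]] = {
    "reciprocity": [r"\bcovered your shift\b", r"\bquick favou?r\b",
                    r"\bi (helped|did) you\b", r"\breturn the favou?r\b"],
    "commitment": [r"\byou agreed\b", r"\bas we discussed\b",
                   r"\byou confirmed\b", r"\bright\? good\b"],
    "social_proof": [r"\balready (submitted|completed|approved|done)\b",
                     r"\bmost of your (team|department)\b",
                     r"\byour (colleagues|teammates) have\b"],
    "authority": [r"\bfrom (the )?(corporate )?legal\b",
                  r"\bfrom (the )?it (department|security|helpdesk|help desk)\b",
                  r"\bon behalf of\b",
                  r"\bthe ceo (asked|needs|wants|has requested)\b",
                  r"\bcompliance (team|department|office)\b"],
    "liking": [r"\bwe both\b", r"\bme too\b", r"\bclass of '?\d{2}\b", r"\bfellow\b"],
    "scarcity": [r"\bexpires in\b", r"\bonly \w+ (seats|slots|spots)\b",
                 r"\blimited[- ]time\b", r"\bearly access\b"],
    "unity": [r"\bsame team\b", r"\bone of us\b", r"\ball in this together\b"],
}

# The urgency meta-layer: time-pressure framings from §2.2 and Table 17.1.
URGENCY_CUES: list[str] = [
    r"\bbefore (close of business|cob|eod|end of (the )?day)\b",
    r"\bwithin the next \w+ (minutes|hours)\b", r"\b(in|within) \d+ hours?\b",
    r"\bright now\b", r"\bimmediately\b", r"\burgent(ly)?\b",
    r"\bbefore (you )?log out\b", r"\bflagged as compromised\b", r"\bwill be locked\b",
]


@dataclass
class Assessment:
    level: str                                  # low / medium / elevated / high
    principles: tuple[str, ...]                 # principles with at least one hit, sorted
    principle_hits: dict[str, tuple[str, ...]]  # principle -> matched phrases
    urgency_hits: tuple[str, ...]               # matched time-pressure phrases


def find_hits(text: str, patterns: list[str]) -> tuple[str, ...]:
    """Distinct matched phrases (lower-cased, in order found) for any pattern."""
    hits: list[str] = []
    for pat in patterns:
        for m in re.finditer(pat, text, flags=re.IGNORECASE):
            phrase = m.group(0).lower()
            if phrase not in hits:
                hits.append(phrase)
    return tuple(hits)


def score_message(text: str) -> Assessment:
    """Rate a message by how many principles it stacks and whether urgency is present."""
    principle_hits: dict[str, tuple[str, ...]] = {}
    for principle, patterns in PRINCIPLE_CUES.items():
        hits = find_hits(text, patterns)
        if hits:
            principle_hits[principle] = hits
    urgency_hits = find_hits(text, URGENCY_CUES)
    principles = tuple(sorted(principle_hits))
    urgent = bool(urgency_hits)
    # Table 17.1's claim: several principles fired under urgency is the dangerous case.
    if urgent and len(principles) >= 2:
        level = "high"
    elif (urgent and principles) or len(principles) >= 2:
        level = "elevated"
    elif urgent or principles:
        level = "medium"
    else:
        level = "low"
    return Assessment(level, principles, principle_hits, urgency_hits)


def explain(a: Assessment) -> str:
    """One-line analyst summary naming the principles and urgency phrases that fired."""
    parts = [f"{p}: {', '.join(a.principle_hits[p])}" for p in a.principles]
    if a.urgency_hits:
        parts.append("urgency: " + ", ".join(a.urgency_hits))
    return f"[{a.level}] " + ("; ".join(parts) if parts else "no cues")


# Constructed samples (not real messages). The first mirrors the BEC pattern
# described under Table 17.1; the second the vishing opener quoted in §2.2.
BEC_SAMPLE = (
    "Subject: Confidential vendor payment\n"
    "I'm writing on behalf of the CEO, who is travelling and unreachable by phone. "
    "Finance needs a wire transfer of USD 48,500 processed before close of business today. "
    "The team is counting on this; we're all on the same team here, so please keep it between us."
)
VISHING_SAMPLE = (
    "Hi, this is Mark calling from the IT department. Your laptop has been flagged as "
    "compromised and we need to remediate it before you log out for the day. "
    "Do you have a few minutes?"
)
TRAINING_SAMPLE = (
    "Reminder: ten of your colleagues have already completed the mandatory security "
    "training. Please complete yours by Friday."
)
BENIGN_SAMPLE = (
    "Hi Priya, attaching the Q3 slides from this morning's review. No rush at all; "
    "have a look whenever you get a chance next week."
)

if __name__ == "__main__":
    for name, text in [("bec", BEC_SAMPLE), ("vishing", VISHING_SAMPLE),
                       ("training", TRAINING_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{name:9s}{explain(score_message(text))}")
```

The heuristic is a triage aid for prioritising analyst attention or user-reported messages, not a classifier; a short lexicon like this will miss paraphrases and flag some legitimate reminders, so the level should feed the page's process controls rather than block delivery on its own.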

2.5 Why knowing the principles does not make a person immune

The unsettling result that the academic literature is consistent on: knowing the principles does not make a person resistant to them. Engineers, security researchers, CISOs, and trained pentesters fall for social engineering at rates that are reduced by training and experience but not eliminated. The Verizon DBIR 2025 data points the field consistently cites: ~16% of all breaches in 2025 had phishing as the initial-access vector,[11] and ~60% of confirmed breaches involved a human action (clicking, calling, talking, sending) somewhere in the kill chain. Within phishing-simulation data specifically, the “click rate” against employees with no recent training is around 5%, and against employees with recent training it drops to about 1-2% — meaningful improvement, but never zero. Report rate (the rate at which targeted employees report the suspicious message to the security team) is the better metric and trains higher: trained employees report at around 21%, untrained at around 5%.[12]

Several mechanisms drive the persistent susceptibility:

  • The principles are cognitive shortcuts that exist because they are usually right. Most authority figures are legitimately authority figures; most claims of urgency do track real urgency; most people who say they are from IT are in fact from IT. The shortcuts evolved because they save cognitive resources in the vast majority of cases. Suppressing them entirely is cognitively expensive and creates large false-positive rates in legitimate interactions.
  • Awareness training decays rapidly. The empirical literature is consistent that the half-life of awareness training is on the order of 4-6 months. Annual or one-off training is essentially exhausted by the time the next training cycle comes around. Continuous-simulation programs (monthly phishing exercises) are more effective specifically because they refresh the awareness in roughly the timeframe the half-life imposes.
  • The technical attacker can iterate faster than the defender’s training cycle. Phishing-page generators, voice-cloning AI (post-2023), and OSINT automation all let an attacker produce a new high-fidelity pretext faster than the security-awareness program can update its training. The defender’s signal is always slightly stale relative to the current attack pattern.
  • Self-perceived expertise creates over-confidence. The security professional who knows they are too smart for the standard phishing template is exactly the target of the spear-phishing template that knows their conference talk, their colleague’s first name, and the project they are currently working on. Hadnagy’s working observation: “the people most likely to fall for spear phishing are the people most confident they would not fall for phishing.”

The implication for the defender’s posture is in §7 — awareness training is necessary but not sufficient; layered technical controls and process controls (callback verification, four-eyes review on financial actions, DMARC / DKIM / SPF for email, URL rewriting, etc.) must shoulder the load that training cannot.


3. OSINT — the reconnaissance phase

OSINT — Open-Source Intelligence — is the reconnaissance phase that feeds every targeted SE attack. The principle is straightforward: a pretext that references specific, verifiable, internal details of the target organization or person is dramatically more convincing than a generic pretext, and those specific verifiable details are routinely available in public sources to anyone willing to do the work. This section walks the source categories (§3.1), the modern OSINT toolchain (§3.2), the Bellingcat methodology lineage (§3.3), the OPSEC layer that the OSINT collector themselves needs (§3.4), and the substantive table (§3.5).

3.1 The OSINT source categories

OSINT decomposes cleanly into four source categories, each with its own collection techniques and its own typical findings:

Public records. Government filings (corporate registration, court records, property records, election filings), regulatory disclosures (SEC EDGAR for public companies, FDA filings for medical devices, FCC filings for radio licenses, FAA registrations for aircraft and drones), news archives, conference proceedings, academic publications, court dockets. The combination of public records yields the target’s corporate structure, ownership, leadership, financials (for public companies), regulatory posture, litigation history, and the names and roles of senior people. The U.S. ecosystem is particularly rich — SEC EDGAR is fully searchable and free, PACER provides federal court records at modest per-page charges, state-level corporate registries are typically web-accessible. The EU’s beneficial-ownership registers (under the AMLD5 / AMLD6 directives) add another layer; international corporate registries are well-indexed by services like OpenCorporates.

Social media and personal sites. LinkedIn is the dominant single source for professional OSINT — role, employer, employment history, skills, endorsements, organizational chart inference (from “who is connected to whom” and “who works under whom”). Twitter / X provides real-time signal on interests, opinions, current activities, professional network. Facebook and Instagram provide personal-life signal (family, hobbies, vacations, social network). GitHub provides technical-skill signal and frequently exposes employer details, project work, and (occasionally) accidentally-committed credentials. Personal websites, blogs, podcasts, and conference talks provide deeper context on technical specialization and current focus. The aggregation across platforms is what produces the high-fidelity target profile — any single platform produces a partial picture, the union produces a comprehensive one.

Technical footprint. DNS records (forward, reverse, MX, TXT, SPF, DMARC), certificate transparency logs (which leak subdomain names systematically), Shodan and Censys (which scan and catalogue Internet-exposed services with their banners and versions), passive DNS aggregators (DNSDB, SecurityTrails), HTTP / TLS metadata, BGP routing tables, ASN registrations. The technical footprint reveals the organization’s infrastructure surface — what mail server they use, what cloud provider, what web frameworks, what versions, what subdomains exist (and what infrastructure they front), what their external attack surface looks like from an Internet vantage point. Shodan in particular is the canonical “search engine for Internet-exposed devices” — Shodan was founded by John Matherly in 2009[13] and remains the dominant tool in its category. Censys (founded 2013 as a University of Michigan spinoff of the original ZMap research)[14] is the principal competitor with a more research-oriented data model.

Human network. Conference attendance lists (publicly posted), conference speaker lists (publicly posted), professional association memberships, university alumni directories, charity board memberships, sports league rosters, hobbyist forum participation. The human-network category is the deepest and the most subtle — it produces the similarity signals that the Liking principle (§2.1) operationalizes, and the connection signals that let an attacker construct a plausible “I’m a friend of so-and-so” pretext. It also produces the behavioral pattern signals — where does the target work out, what conferences do they attend, what is their typical commute — that physical-entry pretexts (§6) rely on.

3.2 The OSINT toolchain

A handful of tools dominate the modern OSINT working set:

Maltego. Maltego is the canonical link-analysis OSINT platform. Built by Paterva (Roelof Temmingh, founded 2007),[15] Maltego renders OSINT data as a graph of entities (people, organizations, domains, IP addresses, email addresses, etc.) connected by transforms (operations that take an entity and produce related entities — “give me the subdomains of this domain,” “give me the email addresses for this person,” “give me the certificate-transparency entries for this IP block”). The community edition (Maltego CE) is free and covers a useful baseline of transforms; the commercial editions (Maltego Pro, Maltego Enterprise) add paid data sources and higher-volume transform support. Maltego’s value proposition is that the graph representation makes connections across data sources visible in a way that table-based analysis does not — the central tool for any OSINT investigation that involves more than ~20 entities.

SpiderFoot. Steve Micallef’s SpiderFoot is the canonical open-source OSINT-automation framework. SpiderFoot (originally released ~2012-2013, acquired by Intel 471 in November 2022)[16] runs ~200+ modules in parallel against a target seed (domain, IP, email, name, etc.), pulling from public data sources (Shodan, Have I Been Pwned, certificate transparency, social media, DNS, breach databases, dark-web sources) and consolidating the results into a structured report. The open-source edition is free; SpiderFoot HX is the commercial hosted version with deeper data-source integration. SpiderFoot complements Maltego — SpiderFoot is the automation breadth, Maltego is the interactive depth.

Recon-ng. Tim Tomes’s Recon-ng is the modular CLI OSINT framework in the SET / Metasploit lineage — a Python framework with a command-line interface and a plug-in module architecture, organized around recon workflows. Recon-ng is the practitioner’s “scriptable OSINT toolkit” — useful for repeatable engagement workflows that need to be re-run, integrated into larger pipelines, or run unattended on a long timeframe.

theHarvester. Christian Martorella’s theHarvester is the email-and-subdomain enumerator — given a domain, theHarvester queries search engines, certificate transparency logs, DNS, social-media APIs, and a number of other sources to enumerate email addresses associated with the domain, subdomains, hostnames, and the like. The most-cited single-purpose OSINT tool in pentest curricula. Bundled with Kali Linux.

Sherlock. Username-enumeration across hundreds of social-media platforms. Given a username (or candidate username), Sherlock attempts profile-existence checks on ~400+ social platforms and reports where the username is registered. The canonical “find every social-media account a target has under their preferred handle” tool.

Have I Been Pwned (Troy Hunt). Troy Hunt’s HIBP is the canonical breach-data aggregator — given an email address, HIBP reports which public breach corpora contain that address and (in some cases) what associated data was exposed. Indispensable for “is this email address in the credential-stuffing ecosystem?” determinations, both for OSINT and for the defender’s-side credential-hygiene check.

Hunter.io. Email-format inference for a domain. Given a domain (e.g., acmecorp.com), Hunter.io reports the dominant email-format pattern for that domain (firstname.lastname@acmecorp.com, firstinitial+lastname@acmecorp.com, etc.) inferred from observed public email addresses, and lets the operator generate plausible email addresses for individuals at the organization given just their name. The canonical tool for “I know the target’s name and employer; what’s their email address probably?”

Wayback Machine (Internet Archive). The historical-snapshot record. Useful for reconstructing pages that have since been changed or deleted, recovering org charts that have been pulled, finding old employee lists, etc. The OSINT collector’s “see what they used to say before they took it down” tool.

The practitioner workflow typically chains these tools — Maltego as the central canvas, with transforms pulling data from SpiderFoot / theHarvester / Shodan / certificate-transparency / breach databases / social media, and Recon-ng running scripted workflows for repeatable cases. The end product is a target profile rich enough to construct a high-fidelity pretext.

3.3 The Bellingcat methodology lineage

Bellingcat — founded by Eliot Higgins in July 2014[17] — is the most-cited modern reference for OSINT methodology (as distinct from OSINT tools). Bellingcat began as a citizen-journalism / open-source-investigation collective focused initially on the Syrian civil war and subsequently expanded to cover (among others) the MH17 shootdown investigation, the Russian Federal Security Service Skripal-poisoning operation, multiple election-interference investigations, and the systematic identification of Russian military units operating in Ukraine post-2022. The methodology Bellingcat has codified — geolocation of photos and videos by visual matching against satellite imagery, chronolocation by sun position and shadow analysis, identification of military units by uniform / insignia / vehicle markings, social-media-account analysis to attribute pseudonymous content to identifiable individuals, and the systematic open-publishing of methodology so that findings can be independently verified — has substantially shaped how modern OSINT practitioners work.
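Chronolocation by sun position and shadow analysis, as an added example (not Bellingcat’s or SunCalc’s code): given a date and a location already fixed by geolocation, it computes the sun’s azimuth and elevation with the Astronomical Almanac low-precision solar algorithm, derives the direction and length-per-unit-height of the shadow a vertical object would cast, and scans the day for the minute at which a shadow bearing measured from a photo is reproduced. The coordinates, date and shadow bearing in the block are constructed test values.

```python
"""Chronolocation by sun position: recover the UTC time of a photo from the
direction of a shadow once the location is known.  Added example using the
Astronomical Almanac low-precision solar algorithm (good to ~0.01 deg for a
few centuries around 2000); coordinates and times below are constructed."""
import math
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

J2000 = datetime(2000, 1, 1, 12, tzinfo=timezone.utc)  # epoch J2000.0


def solar_position(iso_utc: str, lat_deg: float, lon_deg: float) -> Tuple[float, float]:
    """Sun azimuth (deg clockwise from true north) and elevation (deg above the
    horizon) at a UTC instant such as '2024-06-21T12:00:00+00:00'.
    Latitude north and longitude east are positive."""
    t = datetime.fromisoformat(iso_utc)
    t = t.replace(tzinfo=timezone.utc) if t.tzinfo is None else t.astimezone(timezone.utc)
    d = (t - J2000).total_seconds() / 86400.0                # days since J2000.0
    g = math.radians((357.529 + 0.98560028 * d) % 360.0)     # mean anomaly
    q = (280.459 + 0.98564736 * d) % 360.0                   # mean longitude
    lam = math.radians((q + 1.915 * math.sin(g) + 0.020 * math.sin(2.0 * g)) % 360.0)
    eps = math.radians(23.439 - 0.00000036 * d)              # obliquity of the ecliptic
    ra = math.atan2(math.cos(eps) * math.sin(lam), math.cos(lam))   # right ascension
    dec = math.asin(math.sin(eps) * math.sin(lam))                  # declination
    gmst_hours = (18.697374558 + 24.06570982441908 * d) % 24.0      # Greenwich sidereal time
    hour_angle = math.radians(gmst_hours * 15.0 + lon_deg) - ra     # local hour angle
    lat = math.radians(lat_deg)
    sin_el = math.sin(lat) * math.sin(dec) + math.cos(lat) * math.cos(dec) * math.cos(hour_angle)
    elevation = math.degrees(math.asin(max(-1.0, min(1.0, sin_el))))
    az_from_south = math.atan2(math.sin(hour_angle),
                               math.cos(hour_angle) * math.sin(lat) - math.tan(dec) * math.cos(lat))
    azimuth = (math.degrees(az_from_south) + 180.0) % 360.0
    return azimuth, elevation


def shadow_from_sun(azimuth: float, elevation: float) -> Tuple[float, Optional[float]]:
    """Direction (deg from north) in which a vertical object's shadow falls,
    and shadow length per unit of object height (None when the sun is down)."""
    direction = (azimuth + 180.0) % 360.0
    if elevation <= 0.0:
        return direction, None
    return direction, 1.0 / math.tan(math.radians(elevation))


def estimate_time_from_shadow(date_iso: str, lat_deg: float, lon_deg: float,
                              shadow_dir_deg: float, step_min: int = 1) -> Optional[Tuple[int, float]]:
    """Scan the UTC day `date_iso` (YYYY-MM-DD) minute by minute and return
    (minutes after 00:00 UTC, residual in degrees) for the daylight instant whose
    shadow direction best matches the bearing measured in the photo; None if the
    sun never rises there that day.  The caller judges the residual: a large one
    means the measured bearing is never reached on that date at that place."""
    day = datetime.fromisoformat(date_iso).replace(tzinfo=timezone.utc)
    best: Optional[Tuple[int, float]] = None
    for minute in range(0, 24 * 60, step_min):
        azimuth, elevation = solar_position((day + timedelta(minutes=minute)).isoformat(),
                                            lat_deg, lon_deg)
        if elevation <= 0.0:
            continue
        direction, _ = shadow_from_sun(azimuth, elevation)
        residual = abs((direction - shadow_dir_deg + 180.0) % 360.0 - 180.0)
        if best is None or residual < best[1]:
            best = (minute, residual)
    return best


if __name__ == "__main__":
    # Constructed scenario: a photo geolocated to central London, shadow bearing
    # 70 deg from north, known to have been taken on 2024-06-21.
    result = estimate_time_from_shadow("2024-06-21", 51.5, -0.12, 70.0)
    if result:
        minute, residual = result
        print(f"best match {minute // 60:02d}:{minute % 60:02d} UTC (residual {residual:.2f} deg)")
```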

The Bellingcat lineage matters for SE-OSINT specifically because Bellingcat’s methodology discipline — document your sources, show your work, make your findings independently reproducible — is the same discipline that distinguishes an authorized SE engagement’s reconnaissance phase (which produces a reportable evidence trail) from a criminal reconnaissance phase (which deliberately avoids leaving a trail). The defender’s OSINT-against-themselves discipline (regularly running OSINT collection on your own organization to find what an attacker would find) also draws on the Bellingcat methodology toolkit.
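The OSINT-against-themselves check described above, as an added example (not code from the page or from any tool it names): it reads the two TXT records behind the §7 email controls, SPF and DMARC, reports the weak settings an attacker’s technical-footprint pass would notice, and turns a crt.sh-style certificate-transparency dump into the subdomain inventory that §3.1 says CT logs leak. The SPF, DMARC and crt.sh records are constructed samples for the hypothetical domain example.com; in a live run the same functions take `dig TXT` output and a crt.sh JSON download.

```python
"""Self-OSINT pass over the technical footprint an outsider sees: SPF and
DMARC posture from DNS TXT records, plus the subdomain inventory that
certificate-transparency logs leak.  Added example; the records below are
CONSTRUCTED samples for the hypothetical domain example.com, not live data."""
import json
import re
from typing import Dict, List, Tuple

SAMPLE_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.0/24 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
# Shape of a crt.sh "?q=%.example.com&output=json" response: one dict per
# certificate, SANs newline-separated in name_value.  Constructed, not real.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "vpn.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "MAIL.example.com\nvpn.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "notexample.com"},  # unrelated SAN
])

# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10.
_LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}


def assess_spf(record: str) -> List[str]:
    """Findings for one SPF TXT record; pass '' when the domain has none."""
    if not record.lower().startswith("v=spf1"):
        return ["CRITICAL: no SPF record; any host may claim to send mail for the domain"]
    all_qualifier = None
    lookups = 0
    for term in record.split()[1:]:
        body = term.lower().lstrip("+-~?")
        qualifier = term[0] if term[0] in "+-~?" else "+"   # '+' is the implicit default
        if body == "all":
            all_qualifier = qualifier
            continue
        if re.split(r"[:/=]", body, maxsplit=1)[0] in _LOOKUP_TERMS:
            lookups += 1
    findings = []
    if all_qualifier is None:
        findings.append("WARN: no 'all' term; unlisted senders get an implicit neutral result")
    elif all_qualifier == "+":
        findings.append("CRITICAL: '+all' authorizes every host on the Internet to send as the domain")
    elif all_qualifier == "?":
        findings.append("WARN: '?all' is neutral; receivers treat unlisted senders as unknown, not forged")
    elif all_qualifier == "~":
        findings.append("INFO: '~all' is softfail; enforcement depends on the DMARC policy, not SPF alone")
    if lookups > 10:
        findings.append(f"CRITICAL: {lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag/value dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Findings for the _dmarc TXT record; pass '' when the domain has none."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["CRITICAL: no DMARC record; SPF/DKIM failures are never enforced or reported"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("WARN: p=none is monitor-only; mail that fails alignment is still delivered")
    elif policy == "quarantine":
        findings.append("INFO: p=quarantine sends failing mail to spam rather than rejecting it")
    if "rua" not in tags:
        findings.append("WARN: no rua= address; the domain gets no aggregate reports of spoofing")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"WARN: pct={pct} applies the policy to only {pct}% of failing mail")
    if "sp" not in tags:
        findings.append("INFO: no sp= tag; subdomains inherit the organizational p= policy")
    return findings


def ct_subdomains(crtsh_json: str, domain: str) -> Tuple[List[str], List[str]]:
    """(sorted unique hostnames under `domain`, wildcard names seen) from a
    crt.sh JSON body.  Wildcards are reported separately: they hide hostnames
    from CT rather than leaking them, which is itself worth knowing."""
    domain = domain.lower()
    names, wildcards = set(), set()
    for cert in json.loads(crtsh_json):
        for raw in cert.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*.") and (name[2:] == domain or name[2:].endswith("." + domain)):
                wildcards.add(name)
            elif name == domain or name.endswith("." + domain):
                names.add(name)
    return sorted(names), sorted(wildcards)


if __name__ == "__main__":
    for line in assess_spf(SAMPLE_SPF) + assess_dmarc(SAMPLE_DMARC):
        print(line)
    hosts, wild = ct_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    print("CT-visible hosts:", ", ".join(hosts), "| wildcards:", ", ".join(wild))
```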

Bellingcat publishes its methodology openly at https://www.bellingcat.com/category/resources/ and the Online Investigation Toolkit maintained by Bellingcat’s research team has become the canonical reference for new OSINT practitioners. The OSINT-Framework (osintframework.com), maintained by Justin Nordine, is the canonical catalogue of OSINT tools organized by category — the working reference for “what tool exists for collecting X.”

3.4 OPSEC for the OSINT collector

The OSINT collector themselves needs operational security — both to avoid tipping off the target that a reconnaissance phase is underway and to protect the collector’s identity if the engagement is sensitive. The canonical OPSEC stack for OSINT work:

  • Network egress through a VPN or proxy chain. The collector’s home IP address should never appear in the target organization’s web-server access logs, the target individual’s LinkedIn “who viewed your profile” panel, or anywhere else the target might see. A commercial VPN (Mullvad, IVPN, Proton VPN) is the baseline; Tor for sensitive cases (though Tor’s exit-node fingerprint is itself a signal); residential-proxy services for cases where the target organization filters known VPN ranges.
  • Sock-puppet accounts. Social-media accounts created specifically for OSINT use, not the collector’s personal accounts. LinkedIn, Twitter / X, Facebook, GitHub each get their own sock-puppet with a plausible cover identity, an established history (at least a few months of “normal” activity before being used for the OSINT engagement), and ideally a few mutual connections in the target’s broader industry to reduce the “this profile is suspicious” signal. The sock-puppet should never be used from the collector’s normal browser session or device — separate browser profile minimum, separate machine or VM preferred.
  • Browser hardening. Separate Firefox or Chromium profile per engagement, with adblock + tracking-protection enabled, JavaScript locked down where possible, no logged-in accounts that could cross-contaminate. The standard “browser fingerprint” countermeasures (canvas fingerprint randomization, font fingerprint normalization, WebRTC IP leak prevention) where the engagement warrants.
  • Logging and chain-of-custody. For authorized engagements, every action should be logged for the eventual report — what was searched, when, what was found, what was preserved. The Wayback Machine submission (“snapshot this URL right now”) is the standard mechanism for capturing the state of a public page at the moment of observation; archive.today is the second-choice mirror that captures pages the Wayback Machine doesn’t.

The OPSEC stack is the OSINT-collector’s analog to the red-team operator’s infrastructure-OPSEC in Vol 11 §3 — different threat model (collector-identification rather than payload-attribution), same principle (assume your activity is being logged somewhere; design the engagement so the logged activity does not give you away).

3.5 The OSINT source-and-tool table

| Source category | Concrete sources | Tools | Typical findings |
|---|---|---|---|
| Public records | SEC EDGAR; PACER; state corporate registries; OpenCorporates; news archives | OpenCorporates web search; LexisNexis; Wayback Machine | Corporate structure, leadership, financials, litigation, regulatory posture |
| Social media — professional | LinkedIn; GitHub; Stack Overflow; conference speaker lists; podcast appearances | LinkedIn search; GitHub search; Sherlock for handle correlation | Role, employer, employment history, skills, organizational chart inference, technical specialization |
| Social media — personal | Twitter / X; Facebook; Instagram; TikTok; Reddit; personal blogs | Sherlock; OSINT-Framework’s social-media category; manual platform search | Interests, hobbies, family, current activities, geographic location, opinion / political alignment |
| Technical footprint | DNS records; certificate transparency; Shodan; Censys; passive DNS; HTTP / TLS metadata | dig / dnsrecon; crt.sh; Shodan; Censys; SecurityTrails | Mail servers, cloud providers, web frameworks, software versions, subdomain inventory, external attack surface |
| Breach data | Have I Been Pwned; Dehashed; LeakCheck; the various dark-web breach corpora | HIBP API; Dehashed search | Past credential exposure; password-reuse signal; account linkages across breaches |
| Email enumeration | Domain email-format inference; public email-address harvesting | Hunter.io; theHarvester; phonebook.cz | Email addresses associated with target organization; format pattern for generating plausible new addresses |
| Human network | Conference attendance lists; alumni directories; professional association rosters; sports league rosters; charity board memberships | Manual search; LinkedIn second-degree connection analysis; Maltego transforms | Connection graph; similarity signals for Liking pretexts; “I know your colleague X” attack vectors |
| Geolocation / chronolocation | Photos + satellite imagery; metadata extraction; sun-position analysis | Bellingcat methodology toolkit; SunCalc; Google Earth Pro; ExifTool | Physical location confirmation; time-of-day inference; “when was this taken” determination |
| Email-format harvesting (organization-level) | Public corporate email addresses; press releases; news mentions | Hunter.io’s “domain” report; theHarvester | Dominant email format for the organization (firstname.lastname@..., flastname@..., etc.) |

Table 17.2 — The OSINT source-and-tool catalogue. The categories overlap deliberately — a target profile is built by triangulating across categories. The technical-footprint category is the most “RF-adjacent” — Shodan and certificate transparency are the OSINT analog to the Wi-Fi scan and the sub-GHz capture in Vols 13-14. The human-network category is the deepest and the most labor-intensive — it produces the similarity and connection signals that the highest-fidelity pretexts in §4 require, and it is the category most resistant to automation.


4. Pretexting — building and running a cover

The pretext is the operational core of social engineering — it is the false identity plus the false context plus the false urgency that wraps the actual ask in something the target will respond to. Pretext quality is the single biggest predictor of SE attack success, more important than the technical delivery (the phishing email’s template, the spoofed caller ID, the lobby badge) and more important than the target’s training. This section walks the major pretext categories (§4.1 authority, §4.2 familiarity, §4.3 urgency), the per-channel fidelity requirements (§4.4), the cover-construction discipline (§4.5), and the substantive table (§4.6).

4.1 Authority pretexts — the dominant pretext family

The authority pretext leverages Cialdini’s #4 principle: people defer to perceived authority. The canonical authority pretexts in modern practitioner literature:

IT support / IT help desk. The single most-used authority pretext in the field, in both vishing and in-person flavors. The pretext: “I’m Sarah from IT; we’re seeing some issues with your account, can you walk me through what you see when you log in?” The attack: the IT support pretext exploits the target’s pre-existing willingness to follow IT instructions on the assumption that IT is helping them. The pretext works particularly well at organizations large enough that the target does not know the IT staff personally — a 50-person company’s employees know the IT person by name; a 50,000-person company’s employees do not. Defenses: callback verification through known-good numbers, internal escalation paths that don’t involve sharing credentials.

Vendor technician. A claimed technician from a vendor the organization uses (Cisco, Microsoft, the building HVAC contractor, the printer-leasing company, the copier maintenance company). The in-person variant — show up in a vendor-branded shirt with a clipboard — is the canonical “physical entry” pretext for the §6 attacks. The remote variant — call claiming to be a Cisco support engineer needing to run a diagnostic — is common in the BEC / vishing space. Defenses: the visitor escort policy (§7), the verified-vendor-list at the front desk.

Executive’s assistant / executive directly. “I’m calling on behalf of [CEO Name]; the CEO needs the following information immediately.” The variant where the attacker pretends to be the executive directly — calling from a spoofed number or sending email from a lookalike domain — is the canonical BEC attack form. The pretext exploits the target’s reasonable belief that executives have legitimate authority to make ad-hoc requests, combined with the urgency that executive-time-is-valuable creates. Defenses: out-of-band callback verification, four-eyes review on wire transfers, BEC-specific email-filter signatures.

Auditor / regulator. “I’m with [SOX / HIPAA / PCI / GDPR] compliance; I need to walk through your access controls with you for the audit.” The pretext exploits the target’s reasonable fear of audit findings, and the secondary social pressure that comes from the target’s belief that not cooperating with audit will look bad to management. Defenses: verified-auditor-list at the security team, the policy that “audit requests come through the audit office and go through compliance review.”

Contractor with prior engagement. “I’m Tom from CompliancePartners; we did the [past project] for you two years ago; we’re back to do the follow-up.” The pretext exploits the partial truth — if the target organization actually had a prior CompliancePartners engagement (verifiable from OSINT — see press releases, case studies on the vendor’s site), the pretext has plausibility from the first sentence. Defenses: the contractor-management process at the procurement / vendor-management office.

Law enforcement / government agency. The high-stakes authority pretext. “I’m calling from the FBI’s [field office]; we need the following records as part of an ongoing investigation.” The pretext exploits both authority deference and fear-of-non-cooperation. In real-world incidents, criminals impersonating law enforcement have extracted user data from major social-media platforms via faked emergency-disclosure requests — the “fake EDR” attack class that gained substantial attention in 2022-2024.[18] Defenses: the verified-LE-channel process, the legal team’s review of any LE request before disclosure, the warrant-verification step.

4.2 Familiarity pretexts — leveraging in-group identity

The familiarity pretext leverages Cialdini’s Liking principle (and Cialdini’s seventh Unity principle): people respond more positively to people who appear to be part of their in-group. The major familiarity pretexts:

Sibling department. “I’m Lisa from the Boston office; I need to coordinate with you on [project].” The pretext exploits the target’s reasonable expectation that other parts of the organization need to coordinate with them, combined with the difficulty of verifying claims about a department the target does not have direct contact with. Defenses: internal directory / Slack-search verification, the cultural norm of “I’ll check with my manager and call you back.”

Returning vendor / contractor. Like §4.1’s contractor pretext but framed for familiarity rather than authority. “Hey, it’s Jim again from MegaConsulting; we worked together on [past project]; just need to follow up on one thing.” Defenses: the contractor-management process.

Mutual acquaintance. “Brian Smith from [other organization] suggested I reach out to you.” The pretext exploits the warm-introduction social norm — people respond more positively to communication that comes with an apparent endorsement from someone they know. OSINT-feasible (LinkedIn second-degree connections, conference attendance lists, professional association rosters) and difficult to verify in real time (the target would have to interrupt the conversation to text Brian and ask, which the urgency layer suppresses). Defenses: the cultural norm of out-of-band verification.

Conference / event aftermath. “We met at [conference] last month; I was wondering if you had a moment to follow up on what we discussed.” The pretext exploits the inability to remember every conference conversation precisely — the target may genuinely not remember whether they had this conversation, and the social cost of asking “I’m sorry, I don’t recall meeting you” creates pressure to play along. The attendance-list OSINT is straightforward (most conferences post speaker lists publicly; many post full attendee lists or social-media check-ins).

4.3 Urgency pretexts — the suppression layer

The urgency pretext is rarely a standalone — it is more typically a layer applied to one of the authority or familiarity pretexts above. The canonical urgency framings:

  • Executive deadline. “The CEO needs this approved before the close of business today.” Layered onto an authority pretext.
  • Security incident. “We’ve detected a security incident on your account; we need to remediate it now before it spreads.” Layered onto an IT-support or vendor-technician authority pretext.
  • Audit-in-progress. “The audit team is in the conference room right now waiting for this information.” Layered onto an auditor authority pretext.
  • Limited window. “I’m only in town for the next two hours; can I come up to grab the package?” Layered onto a vendor or contractor familiarity pretext.
  • Service-disruption-imminent. “Your account will be locked at 5 PM unless you complete the verification step.” The classic phishing-email urgency framing.

The defender’s countermove against urgency is the mandatory wait: no request from any unverified party will be acted on in less than 30 minutes, period. The wait gives System 2 time to engage, and the attacker’s tempo (which depends on hitting the target during the urgency window) is broken. Many BEC-loss-reduction programs at large organizations make the mandatory wait an explicit policy.

4.4 Channel-fidelity requirements

The fidelity required for a pretext to land scales sharply with the channel:

In-person. The highest-fidelity requirement. The target sees the attacker’s face, hears their voice, observes their clothing, body language, badge, demeanor — and is exquisitely sensitive to anything that does not fit. An in-person pretext requires the attacker to match the appearance, demeanor, vocabulary, and context of the claimed role — a “vendor technician” pretext needs the vendor-branded shirt, the badge, the tool case, the technical vocabulary, the appropriate van outside, the correct paperwork. In-person pretexting is the highest-fidelity, highest-skill, lowest-volume SE channel.

Voice / phone. Substantial fidelity required, but reduced by the absence of visual signals. The attacker needs to match the accent / dialect of the claimed role, the technical vocabulary, the conversational style. Voice-cloning AI (since ~2023) has begun to add a new layer — an attacker who can clone the voice of a specific executive can make voice-based BEC dramatically more effective. The FBI and CISA have issued specific warnings on AI-voice-cloning-enabled vishing.

Email. Lower fidelity than voice or in-person, but the volume scales massively. The attacker can send 100,000 phishing emails for the marginal cost of essentially zero; the attacker needs to send only one in-person pretext at a time. The fidelity requirement for spear phishing (targeted email) is higher than for bulk phishing — the spear-phishing email needs to reference real details (the target’s project, the target’s manager, the target’s recent activity) — but still substantially lower than voice or in-person.

SMS / smishing. The lowest fidelity. SMS is constrained to short text, lacks the visual and audio signals of richer channels, and the volume scales similarly to email. Smishing pretexts are necessarily simple (“Your package is held; click here to release”) and rely heavily on the urgency layer to compensate for the thin fidelity.

The fidelity-vs-volume tradeoff drives much of the SE landscape’s economics. Criminal SE is dominated by the high-volume / low-fidelity end (bulk phishing, smishing) because the per-target cost is negligible and a low success rate is fine when targets are essentially free. Red-team SE leans toward the low-volume / high-fidelity end (targeted vishing, in-person physical entry) because the engagement is single-target and the success rate per target matters substantially.

4.5 Cover construction — the operational discipline

A working cover requires consistency across multiple surface areas. The cover-construction checklist that Hadnagy and Mitnick both emphasize:

                        COVER CONSTRUCTION CHECKLIST
                        ────────────────────────────

   ┌──────────────────────────────────────────────────────────────────┐
   │ IDENTITY LAYER                                                    │
   │   • Name (memorable but not unusual; matches claimed background)  │
   │   • Employer (real if possible; OSINT-verifiable)                 │
   │   • Title / role (specific enough to be credible; not so senior   │
   │     that it invites scrutiny)                                     │
   │   • Tenure ("just joined" is dangerous — invites peer questions;  │
   │     "been here 3 years" is robust)                                │
   │   • Reporting line (who is your manager? back-stop with OSINT)    │
   └──────────────────────────────────────────────────────────────────┘
   ┌──────────────────────────────────────────────────────────────────┐
   │ COMMUNICATION LAYER                                               │
   │   • Phone number (Google Voice or burner; voicemail set up;       │
   │     answers in your cover name)                                   │
   │   • Email address (lookalike domain or claimed-employer's actual  │
   │     domain via a compromised account; consistent signature)       │
   │   • Social media presence (LinkedIn especially — sock-puppet      │
   │     profile, plausible connections, plausible history)            │
   │   • Physical mail address (if a request might generate one)       │
   └──────────────────────────────────────────────────────────────────┘
   ┌──────────────────────────────────────────────────────────────────┐
   │ CONTEXT LAYER                                                     │
   │   • Why are you calling/visiting? (reason that holds up to        │
   │     pushback; ties to a real organizational context)              │
   │   • What are you asking for? (specific and bounded; not "give me  │
   │     all your data")                                               │
   │   • What's the urgency? (specific deadline, specific consequence) │
   │   • What's the next step? (the action you want the target to take)│
   └──────────────────────────────────────────────────────────────────┘
   ┌──────────────────────────────────────────────────────────────────┐
   │ EXIT LAYER                                                        │
   │   • How does the interaction end? (your reason for breaking off)  │
   │   • What artifacts do you leave behind? (none, if possible)       │
   │   • What's your story if the target later realizes and asks?      │
   │   • What's your retreat plan if the pretext is challenged mid-call│
   │     or mid-visit?                                                 │
   └──────────────────────────────────────────────────────────────────┘

Figure 17.3 — The cover-construction checklist. The four layers operate together — a cover that has a solid identity layer but no plausible exit layer is the cover that collapses when the target asks “can I have your supervisor’s name?” and the attacker has nothing prepared. The Hadnagy practitioner literature emphasizes that the exit layer is the most-frequently-neglected — operators think through the entry and the ask but not how to leave gracefully, and the failures most often occur at the exit when the attacker has to terminate the call before the target gets suspicious. The defender’s countermove is to ask the kinds of questions that probe the exit layer — “let me put you on hold and get my manager”; “what’s your callback number? I’ll get back to you in fifteen minutes” — and watch the attacker’s response.

The cover is built before the engagement begins, not during. The Hadnagy methodology has the operator rehearse the cover with a colleague playing the target before the live engagement — surfacing the questions the target is likely to ask and pre-rehearsing the answers. The “improvise as you go” mode is the failure mode; the prepared mode is the success mode.

4.6 The pretext-types table

| Pretext family | Channel | Fidelity required | Typical use | Key defenses |
|---|---|---|---|---|
| IT support / help desk | Phone, email, in-person | Medium-high (must know IT vocabulary, ticket-system references) | Credential elicitation, password reset, remote-access install | Callback verification through known-good number; never share credentials over phone/email |
| Executive impersonation (BEC) | Email primarily; phone with voice cloning | High (must match executive’s communication style) | Wire-transfer fraud; data-exfil request | Out-of-band verification; four-eyes on financial actions; DMARC; BEC-specific email filters |
| Vendor technician | In-person; phone | High in-person (uniform, badge, vehicle); medium by phone | Physical entry; credentialed-access request | Verified-vendor list; escort policy; visitor sign-in |
| Compliance auditor | Phone, email, in-person | High (must know audit vocabulary, framework references) | Information elicitation; access elicitation | Verified-auditor process through compliance office |
| Contractor with prior engagement | Phone, email, in-person | Medium (depends on OSINT verifiability of prior engagement) | Reactivation of dormant access; data request | Contractor-management process; vendor-database verification |
| Sibling department | Phone, email | Medium (internal directory verifies; cultural norms vary) | Cross-department information request; access introduction | Directory verification; “I’ll get back to you” cultural norm |
| Mutual acquaintance | Email, in-person | Low-medium (warm intro reduces fidelity bar) | Soft introduction to ongoing access pipeline | Out-of-band verification with the supposed introducer |
| Conference / event followup | Email, phone | Low (target can rarely recall every conversation) | Re-engagement of stale contact; technical pretext development | Skepticism of unsolicited followups; explicit ask for context that the real meeting would have provided |
| Law enforcement / regulator | Phone, email, in-person | High (vocabulary + paperwork must match) | Information disclosure; account-access request | Verified-LE-channel process; legal-team review; warrant verification |
| Package delivery / courier | In-person | Low-medium (uniform + clipboard + package; minimal vocabulary) | Physical entry; lobby-area access | Front-desk verification; signed-delivery process |
| HVAC / facilities / cleaning | In-person | Medium (uniform + plausible work order) | After-hours physical entry; secure-area access | Verified work-order process; escort policy |

Table 17.3 — The pretext family / channel / fidelity / defense matrix. The pattern across the table: the highest-fidelity pretexts (in-person vendor / IT, voice executive impersonation with cloning) are the most successful in the high-value engagement / high-target-value cases, and the lowest-fidelity pretexts (smishing, generic phishing) are the most successful in the bulk-volume / criminal-economy cases. The defender’s countermeasures are channel-dependent — for email there’s a deep technical layer (DMARC / DKIM / SPF / URL rewriting / BEC filters); for voice there’s primarily a process layer (callback verification); for in-person there’s a physical-security layer (escort, sign-in, badge verification).


5. Phishing, vishing, smishing — the delivery channels

Email-based phishing is the dominant SE delivery channel by volume and by recorded breach-attribution. The Verizon 2025 DBIR reports phishing as the initial-access vector in ~16% of confirmed breaches (the third most common vector behind credential abuse at 22% and vulnerability exploitation at 20%);11 the FBI IC3 2025 Annual Report records $3.04 billion in 2025 losses to Business Email Compromise alone, with 24,768 BEC complaints filed.19 This section walks the three channels (phishing §5.1, vishing §5.2, smishing §5.3), the campaign lifecycle (§5.4), the AiTM / MFA-bypass class that changed the email-phishing economics in the late 2010s (§5.5), the practitioner toolkit (§5.6), and the channel-comparison table (§5.7).

5.1 Phishing — email as the dominant channel

Phishing decomposes into three subclasses by targeting precision:

Bulk / commodity phishing. High-volume, low-personalization, broadcast to millions of recipients with a generic pretext. The “your bank account has been suspended” / “your package is held” / “your Microsoft account requires verification” template. Per-target hit rate is in the 0.1-1% range; the volume is what makes the economics work. The infrastructure has matured into a Phishing-as-a-Service ecosystem with kit vendors (the most-cited being Rockstar2FA, Tycoon 2FA, EvilProxy) selling turn-key phishing infrastructure to criminal customers.

Spear phishing. Targeted at a specific individual or small group, with personalization drawn from OSINT — the target’s name, employer, role, current project, recent activity. Per-target hit rate is in the 5-30% range depending on pretext quality. The dominant attack pattern for nation-state intrusions and high-value criminal targeting (executive credentials, IT-admin credentials, financial-control-position credentials).

Whaling / executive-targeted phishing. Spear phishing aimed at C-suite or board-level targets. Substantially more research per target, substantially higher fidelity required, and substantially higher payoff per success. The BEC attack family is essentially whaling at the executive-impersonation-or-extraction end, with the target either the executive themselves (asked for credentials, asked to authorize a wire) or a finance-team member who acts on the impersonated executive’s apparent instruction.

The 2024-2026 phishing landscape has been shaped by three factors: (a) the maturity of MFA at most large organizations has shifted phishing economics toward MFA-bypass / AiTM attacks (§5.5); (b) generative AI has substantially reduced the cost and improved the quality of pretext drafting, particularly for non-native-English campaigns where the awkward English of pre-AI phishing was a leading detection signal; (c) email-authentication technology (DMARC, DKIM, SPF) deployment has matured, raising the bar for sender-domain spoofing and shifting attackers toward lookalike-domain registration and compromised-account attack patterns.

A fictional bank-phishing email template from the Wikimedia Commons "Example phishing email.svg" set — the typical structural elements are visible at a glance: an apparently-legitimate sender display name and email signature, urgency framing ("your account will be suspended"), a call-to-action link that visually presents as a legitimate destination but resolves to an attacker-controlled URL, and the usual asymmetry between the email's "from" appearance and its actual sender. The example is deliberately a clean teaching artifact rather than a real phishing email; it captures the elements that defender training programs (KnowBe4, Cofense, Proofpoint Security Awareness) point at when teaching employees to recognize the pattern. Real bulk-phishing emails in 2026 are typically less awkward than this template — generative AI has improved the writing quality across the board — but the structural elements remain identical.

Figure 17.4 — A teaching example of a bank-phishing email’s structural elements. Photo: File:Example phishing email.svg by Isochrone, Wikimedia Foundation, Philip Metschan. License: CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AExample%20phishing%20email.svg).

5.2 Vishing — voice as the targeted channel

Vishing — voice phishing — is the phone-based attack channel. Lower volume than email but higher per-call success rate, particularly for high-fidelity authority pretexts (§4.1). The vishing landscape has been substantially reshaped in 2023-2026 by:

Voice cloning. Generative AI models capable of producing convincing voice clones from short audio samples (sometimes as little as 30 seconds of source audio) have made executive-voice impersonation operationally viable. The 2024-2025 reporting of AI-voice-cloning-enabled CEO fraud — calls in which a finance-team member appears to receive a call from a known executive instructing a wire transfer — has been substantial, with documented losses in the eight-figure range from individual incidents. CISA, FBI, and major bank fraud teams have issued specific warnings.

Caller-ID spoofing. SIP-based VoIP infrastructure makes caller-ID spoofing trivial; the STIR/SHAKEN framework deployed across U.S. carriers since 2021 has reduced but not eliminated the problem. Spoofing the IT-department’s internal phone number, the bank’s customer-service line, or the executive’s mobile remains feasible across many vishing campaigns.

The DEF CON Social Engineering CTF. The annual SECTF (Social Engineering Capture The Flag) at DEF CON has demonstrated since its first running at DEF CON 18 in 2010 — under controlled and authorized conditions — that vishing remains highly effective against Fortune 500 organizations. The contest format: participants are assigned a target Fortune 500 company; they have a fixed OSINT-collection window, then a fixed live-calling window during which they attempt to extract “flags” (specific pieces of corporate information — Windows version, browser version, VPN solution used, food-service vendor, etc.) from target-organization employees. The persistent finding across more than a decade of contest data: well-prepared vishers extract substantial information from essentially every targeted organization, and trained employees rarely escalate the suspicious call before disclosing the flags.20

A quick-reference guide for identifying and responding to vishing (voice phishing) attempts, designed for IT help-desk staff and end users. The guide structure — phishing pretext recognition prompts on the left, recommended responses on the right — is representative of the training-aid genre that KnowBe4, Cofense, Proofpoint Security Awareness, and major corporate awareness programs distribute. The substantive content is consistent across vendors: callback-verify any out-of-band request, never disclose credentials over the phone, escalate to the security team when the caller pressures for urgency.

Figure 17.5 — Vishing-recognition quick-reference guide. Photo: File:Ozonwoye Quick Reference Guide to Identify Vishing.png by Chima Ozonwoye. License: CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3AOzonwoye%20Quick%20Reference%20Guide%20to%20Identify%20Vishing.png).

The vishing defense stack is dominated by process controls rather than technical controls — callback verification through known-good numbers, never-share-credentials-over-phone policy, security-team escalation paths. The technical-control layer (caller-ID verification via STIR/SHAKEN, voice-deepfake detection — an emerging field with mixed maturity as of 2026) is meaningful but secondary to the process layer.

5.3 Smishing — SMS as the lowest-fidelity bulk channel

Smishing — SMS phishing — has grown rapidly in 2023-2026 as email-authentication enforcement has pushed attackers toward channels with weaker authentication. SMS has no email-authentication analog (no SMS-DMARC equivalent), and the carrier-side anti-spam filtering on SMS is substantially less mature than on email. The dominant smishing pretexts in 2024-2026:

  • Package delivery. “Your USPS / FedEx / UPS package could not be delivered; verify your address at [URL].” The pretext exploits the post-pandemic ubiquity of package delivery — essentially every recipient has at least one package in flight at any time.
  • Bank / payment notification. “Suspicious transaction detected on your account; reply YES to confirm or call [number].” The pretext exploits the financial-fraud-fear shortcut.
  • Streaming-service account. “Your Netflix / Disney+ / etc. account has been locked; verify at [URL].”
  • Government / tax authority. “Your tax refund is ready for processing; confirm details at [URL].” Particularly common during tax-filing windows.

The defense stack for smishing is thin — there is no equivalent to DMARC for SMS, the URL-rewriting infrastructure that defends against email phishing does not extend to SMS, and the awareness-training layer is the principal control. The 7726 (SPAM) report-and-block ecosystem maintained by U.S. carriers and the equivalent international mechanisms provide a feedback channel but are reactive rather than preventive.

5.4 The campaign lifecycle — from recon to cash-out

A phishing campaign (criminal or authorized red-team) follows a consistent six-phase lifecycle:

                       PHISHING CAMPAIGN LIFECYCLE
                       ───────────────────────────

  ┌──────────────────────────────────────────────────────────────────┐
  │ PHASE 1 — RECONNAISSANCE                                          │
  │                                                                   │
  │   OSINT (§3) against target organization + individuals            │
  │   Email-format inference for the org domain                       │
  │   Target list construction (LinkedIn employees + Hunter.io)       │
  │   Pretext seed identification (current projects, recent events,   │
  │     org-chart structure, vendor relationships)                    │
  └────────────────────────────┬─────────────────────────────────────┘


  ┌──────────────────────────────────────────────────────────────────┐
  │ PHASE 2 — PRETEXT DESIGN                                          │
  │                                                                   │
  │   Pretext family selection (§4) — IT support / vendor / executive │
  │   Pretext tailoring to specific organizational details            │
  │   Email template construction (or vishing script, smishing text)  │
  │   A/B variant design if the campaign is large enough              │
  └────────────────────────────┬─────────────────────────────────────┘


  ┌──────────────────────────────────────────────────────────────────┐
  │ PHASE 3 — INFRASTRUCTURE                                          │
  │                                                                   │
  │   Sender-domain registration (lookalike of legitimate domain,     │
  │     compromised legitimate account, or DMARC-aligned legit domain │
  │     for bulk volume)                                              │
  │   TLS certificate issuance (Let's Encrypt is fine — defender      │
  │     mostly looks at domain, not at cert authority)                │
  │   Hosting infrastructure for the landing page (cloud VPS, CDN,    │
  │     or compromised legitimate site as cover)                      │
  │   Sender-reputation warming (gradual ramp-up of sending volume    │
  │     so spam filters trust the new domain)                         │
  │   For AiTM phishing: Evilginx2 / Modlishka / Muraena reverse-     │
  │     proxy infrastructure (§5.5)                                   │
  └────────────────────────────┬─────────────────────────────────────┘


  ┌──────────────────────────────────────────────────────────────────┐
  │ PHASE 4 — SEND                                                    │
  │                                                                   │
  │   The campaign fires — email send-out, vishing call schedule,     │
  │     smishing burst                                                │
  │   Real-time monitoring of bounce-back, response, click-rate       │
  │   Phase 4 ends when the campaign window expires or the campaign   │
  │     is detected and blocked (whichever first)                     │
  └────────────────────────────┬─────────────────────────────────────┘


  ┌──────────────────────────────────────────────────────────────────┐
  │ PHASE 5 — HARVEST                                                 │
  │                                                                   │
  │   Credentials submitted to landing page → captured to attacker    │
  │     database                                                      │
  │   Session cookies (for AiTM) → captured + used for live session   │
  │     hijack within the cookie's lifetime                           │
  │   Payload-staged phishing: malware download / second-stage payload│
  │     execution on victim machine → C2 callback                     │
  │   Voice / SMS responses → operator-handled live or queued for     │
  │     follow-up                                                     │
  └────────────────────────────┬─────────────────────────────────────┘


  ┌──────────────────────────────────────────────────────────────────┐
  │ PHASE 6 — CASH-OUT (CRIMINAL) or REPORT (RED TEAM)                │
  │                                                                   │
  │   Criminal: credentials → access → lateral movement → ransomware  │
  │     / wire-fraud / data-exfil / resale on dark-web markets        │
  │   Red team: anonymized capture data → report to client; remediation│
  │     recommendations; security-awareness-training feedback         │
  └──────────────────────────────────────────────────────────────────┘

Figure 17.6 — The phishing campaign lifecycle. The six-phase pattern is consistent across criminal and authorized red-team campaigns; what changes between the two is Phase 6 (cash-out vs. report) and the legal posture surrounding every phase. The reconnaissance phase (1) draws on §3 OSINT; the pretext design phase (2) draws on §4 pretexting; the infrastructure phase (3) is where the technical practitioner-toolkit (§5.6) does its work; the harvest phase (5) is where the AiTM / MFA-bypass capability (§5.5) is operationally consequential. The defender’s countermeasures intercept at each phase — the SOC’s threat-intel feed catches early infrastructure setup; the email gateway catches Phase 4 send-out; the EDR catches Phase 5 payload execution; the SIEM catches Phase 6 lateral movement. The deepest defenses (§7) sit at the human-decision layer — making the click rate as low as possible by reducing the urgency / cognitive-load conditions under which decisions are made.
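The lookalike-domain registration that factor (c) in §5.1 and Phase 3 in Figure 17.6 both describe is also the defender’s cheapest early-warning signal: generate the variant list an attacker would pick from, then watch sender domains and new-registration feeds for hits. The following is an added example, not code from the original page or from any of the tools it names; the defended domain contoso.com, the confusable and keyword lists, and the sender feed are all constructed for illustration, and multi-label TLDs such as co.uk are out of scope.

```python
"""Lookalike-domain generation and screening for a defended sender domain."""
from __future__ import annotations
from functools import lru_cache

DEFENDED = "contoso.com"  # assumption: the domain this defender protects (constructed)

# Attacker view: substitutions that keep the name readable at a glance.
# The \u04xx entries are Cyrillic letters that render identically to Latin ones.
SUBSTITUTIONS = {
    "a": ["4", "\u0430"], "c": ["\u0441"], "d": ["cl"], "e": ["3", "\u0435"],
    "g": ["q", "9"], "i": ["1", "l", "\u0456"], "l": ["1", "i"], "m": ["rn"],
    "o": ["0", "\u043e"], "s": ["5"], "w": ["vv"],
}
# Defender view: fold every confusable to one canonical ASCII skeleton.
FOLD = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "4": "a",
        "5": "s", "9": "g", "q": "g", "i": "l", "\u0430": "a", "\u0441": "c",
        "\u0435": "e", "\u043e": "o", "\u0456": "l"}
PADDING = ["secure", "login", "support", "hr", "mail", "portal"]   # constructed list
TLD_SWAPS = ["com", "net", "org", "co", "cm", "io", "xyz", "top", "info"]


def split_registrable(host: str) -> tuple[str, str]:
    """(label, tld) of the registrable domain. Single-label TLDs only: co.uk-style
    suffixes would need the public-suffix list and are out of scope here."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]


def skeleton(label: str) -> str:
    """Canonical form: multi-character confusables first, then single characters."""
    for src in ("rn", "vv", "cl"):
        label = label.replace(src, FOLD[src])
    return "".join(FOLD.get(ch, ch) for ch in label)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@lru_cache(maxsize=None)
def generate_variants(domain: str = DEFENDED) -> frozenset[str]:
    """The candidate list an attacker registers from, and a defender pre-registers or
    watches: omission, repetition, transposition, confusable substitution, keyword
    padding and TLD swap. One mutation per candidate; stacked mutations are caught
    by the skeleton and edit-distance rules in screen() instead."""
    label, tld = split_registrable(domain)
    labels: set[str] = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                       # omission
        labels.add(label[:i] + ch * 2 + label[i + 1:])              # repetition
        if i + 1 < len(label):                                      # transposition
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for sub in SUBSTITUTIONS.get(ch, []):                       # confusable
            labels.add(label[:i] + sub + label[i + 1:])
    for word in PADDING:                                            # keyword padding
        labels.update({f"{label}-{word}", f"{word}-{label}", f"{label}{word}"})
    labels.discard(label)
    variants = {f"{v}.{tld}" for v in labels}
    variants.update(f"{label}.{t}" for t in TLD_SWAPS if t != tld)
    return frozenset(variants)


def screen(host: str, defended: str = DEFENDED) -> list[str]:
    """Reasons `host` looks like an impersonation of `defended`; [] means no signal."""
    host = host.lower().rstrip(".")
    if host == defended or host.endswith("." + defended):
        return []                                    # our domain or our own subdomain
    d_label, d_tld = split_registrable(defended)
    label, tld = split_registrable(host)
    reasons = []
    if host in generate_variants(defended):
        reasons.append("matches generated variant list")
    if label == d_label and tld != d_tld:
        reasons.append("tld-swap")
    if label != d_label and skeleton(label) == skeleton(d_label):
        reasons.append("homoglyph/confusable")
    elif label != d_label and levenshtein(label, d_label) <= 2:
        reasons.append("edit-distance<=2")
    if label != d_label and d_label in label:
        reasons.append("keyword-padding")
    if d_label in host.split(".")[:-2]:
        reasons.append("defended name embedded as subdomain")
    return reasons


# Constructed feed of sender domains as a gateway or passive-DNS watch might surface them.
FEED = ["contoso.com", "mail.contoso.com", "c0ntoso.com", "\u0441\u043entoso.com", "conotso.com",
        "contoso-secure.com", "contoso.co", "contoso.com.login-portal.top", "fabrikam.com"]

if __name__ == "__main__":
    for h in FEED:
        print(f"{h:32s} {', '.join(screen(h)) or 'ok'}")
```

The generated list is what you feed to a registrar watch or pre-register; the rule checks in screen() are what you run on live sender domains, because an attacker who stacks two mutations (the two-Cyrillic-letter entry in the feed) is outside any finite pre-generated list but still collapses to the same skeleton.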

5.5 The AiTM / MFA-bypass class — Evilginx and successors

The deployment of multi-factor authentication across most large organizations in the 2018-2023 timeframe substantially reduced the value of bare-credential phishing — capturing a username and password gets the attacker little if the target account requires a second factor on each login. Attackers responded with the Adversary-in-the-Middle (AiTM) phishing class — a reverse-proxy phishing attack that captures not just the credentials but the post-MFA session cookie, and then uses the session cookie to access the target account without re-triggering the MFA prompt. The technique was implemented in Kuba Gretzky’s Evilginx tool (originally released April 2017; rewritten in Go as Evilginx2 in 2018; the current public version is a scaled-down release with sensitive features removed, while the full version Evilginx Pro is sold privately to vetted security firms).21 The architecture:

                       AiTM PHISHING SEQUENCE
                       ──────────────────────

  VICTIM            ATTACKER PROXY            LEGITIMATE SITE (e.g. M365)
  ──────            ──────────────            ──────────────────────────

    │ visits attacker phishing URL │                                  │
    ├────────────────────────────►│                                  │
    │                              │ forwards request to legitimate    │
    │                              ├──────────────────────────────────►│
    │                              │                                  │
    │                              │ legitimate site returns its real │
    │                              │ login page                       │
    │                              │◄──────────────────────────────────┤
    │ attacker proxies login page  │                                  │
    │◄────────────────────────────┤                                  │
    │                              │                                  │
    │ enters username + password   │                                  │
    ├────────────────────────────►│                                  │
    │                              │ forwards credentials to real site│
    │                              ├──────────────────────────────────►│
    │                              │                                  │
    │                              │ legitimate site triggers MFA     │
    │                              │ prompt                           │
    │                              │◄──────────────────────────────────┤
    │ MFA prompt proxied to victim │                                  │
    │◄────────────────────────────┤                                  │
    │                              │                                  │
    │ enters MFA code              │                                  │
    ├────────────────────────────►│                                  │
    │                              │ forwards MFA code to real site   │
    │                              ├──────────────────────────────────►│
    │                              │                                  │
    │                              │ legitimate site issues session   │
    │                              │ cookie (auth complete)           │
    │                              │◄──────────────────────────────────┤
    │ session cookie proxied to    │                                  │
    │ victim (looks like normal    │ ★★ ATTACKER ALSO CAPTURES        │
    │ login)                       │    SESSION COOKIE HERE ★★        │
    │◄────────────────────────────┤                                  │
    │                              │                                  │
    │ ──── Victim sees a normal    │ ──── Attacker now has the cookie │
    │      logged-in session       │      and can issue authenticated │
    │                              │      requests as the victim      │
    │                              │      for the cookie's lifetime,  │
    │                              │      without re-triggering MFA   │
    │                              │                                  │

Figure 17.7 — The AiTM phishing sequence. The attacker proxy sits in the middle of the victim-and-legitimate-site conversation, transparently relaying every step of the login flow including the MFA prompt and the MFA response. The capture point is the session cookie that the legitimate site issues after MFA succeeds — once the attacker has that cookie, they can present it on subsequent requests and the legitimate site treats them as the authenticated victim. The session cookie’s lifetime (typically hours to days, depending on the legitimate site’s session policy) is the attacker’s window. The technique defeats every form of MFA whose proof can be relayed, that is, any factor that does not bind the authentication to the origin the victim is actually on — including TOTP (Google Authenticator, Authy), SMS-based MFA, push-notification MFA (Microsoft Authenticator, Duo Push, with or without number matching), and email-based MFA. The defense is phishing-resistant MFA: FIDO2 / WebAuthn / passkeys. The browser, not the page, writes the page’s origin into the client data the authenticator signs, and it refuses to use a credential whose RP ID is not a registrable suffix of the page’s host, so a victim on the proxy’s lookalike domain either produces no assertion at all or produces one the real site rejects on its origin check; the proxy cannot patch the origin in transit because it sits under the signature.

The AiTM class is the dominant phishing-attack form in 2025-2026 for environments with mature MFA deployment. The defense — phishing-resistant MFA via FIDO2 / WebAuthn / passkeys — is mature and widely available but deployment lags substantially. Microsoft’s 2023-2024 reporting indicated that under 30% of Microsoft 365 tenants had deployed phishing-resistant MFA for any user, and the percentage for all users was much lower. The “deployed MFA but not phishing-resistant MFA” middle state — which is where most organizations sit as of early 2026 — is the AiTM attacker’s sweet spot.
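The WebAuthn step in the sequence above fails for a reason worth seeing in code: the browser, not the page, writes the page’s origin into the signed client data and refuses to use a credential whose RP ID is not a suffix of the page host, whereas a TOTP code carries no information about where it was typed. The following is an added simulation, not code from the original page, from Evilginx or from any WebAuthn library; the hostnames login.contoso.com and login.contoso-secure.com are constructed, and an HMAC under a shared per-credential key stands in for the authenticator’s ECDSA signature so the file runs on the standard library alone.

```python
"""Why an AiTM proxy relays TOTP but not WebAuthn: the verification steps, simulated."""
from __future__ import annotations
import base64, hashlib, hmac, json, struct

RP_ID = "login.contoso.com"                         # assumed relying-party ID
RP_ORIGIN = "https://login.contoso.com"             # the one origin the RP accepts
PROXY_ORIGIN = "https://login.contoso-secure.com"   # assumed phishlet host (constructed)


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code is six digits; nothing ties it to where it was typed."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def aitm_relay_totp(secret: bytes, t: int) -> bool:
    """Victim reads the code off their app and types it into the proxy page; the proxy forwards it."""
    typed_into_proxy = totp(secret, t)
    return hmac.compare_digest(totp(secret, t), typed_into_proxy)   # RP accepts: the relay succeeds


def b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def browser_sign(cred_key: bytes, page_origin: str, challenge: bytes, rp_id: str) -> dict:
    """Browser + authenticator side of navigator.credentials.get(). The browser fills in
    `origin` itself and refuses an rp_id that is not a registrable suffix of the page host.
    The HMAC stands in for the authenticator's ECDSA signature (stdlib-only simplification)."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"SecurityError: rp_id {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    # authenticatorData = rpIdHash (32) | flags (UP set) | signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify_assertion(cred_key: bytes, a: dict, challenge: bytes) -> tuple[bool, str]:
    """Relying-party checks, in the order the WebAuthn spec lists them (subset)."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = a["authenticatorData"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user-presence flag not set"
    expect = hmac.new(cred_key, ad + hashlib.sha256(a["clientDataJSON"]).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expect, a["signature"]):
        return False, "signature invalid"
    return True, "ok"


def legitimate_webauthn(cred_key: bytes, challenge: bytes) -> tuple[bool, str]:
    return rp_verify_assertion(cred_key, browser_sign(cred_key, RP_ORIGIN, challenge, RP_ID), challenge)


def aitm_relay_webauthn(cred_key: bytes, challenge: bytes, tamper: str = "none") -> tuple[bool, str]:
    """The victim's browser is on PROXY_ORIGIN. `tamper` is what the proxy tries:
    none   - relay the RP's options untouched: the browser refuses the foreign rp_id
    rp_id  - rewrite rp_id to the proxy host: the browser signs, the RP rejects the origin
    origin - additionally patch origin and rpIdHash in transit: the signature no longer verifies
    (A real authenticator would also hold no credential scoped to the proxy's rp_id at all.)"""
    try:
        rp_id = RP_ID if tamper == "none" else PROXY_ORIGIN.split("://", 1)[1]
        a = browser_sign(cred_key, PROXY_ORIGIN, challenge, rp_id)
    except ValueError as e:
        return False, str(e)
    if tamper == "origin":
        cd = json.loads(a["clientDataJSON"])
        cd["origin"] = RP_ORIGIN
        a["clientDataJSON"] = json.dumps(cd, separators=(",", ":")).encode()
        a["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + a["authenticatorData"][32:]
    return rp_verify_assertion(cred_key, a, challenge)


if __name__ == "__main__":
    seed, key, ch = b"constructed-totp-seed", b"constructed-credential-key", bytes(32)
    print("TOTP relayed through proxy accepted:", aitm_relay_totp(seed, 1_700_000_000))
    print("WebAuthn on real origin:", legitimate_webauthn(key, ch))
    for t in ("none", "rp_id", "origin"):
        print(f"WebAuthn via proxy ({t}):", aitm_relay_webauthn(key, ch, t))
```

The three proxy outcomes map onto the three places the binding lives: the browser’s RP-ID check, the RP’s origin check, and the signature that covers the hash of the client data; a reverse proxy controls none of them, which is why the capture point in Figure 17.7 never arrives.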

5.6 The practitioner toolkit

A handful of frameworks dominate the modern phishing-practitioner toolchain:

Gophish. Jordan Wright’s Gophish is the canonical open-source phishing framework, originally released 2013. Gophish provides campaign management (recipient lists, template design, send scheduling), landing-page hosting, credential capture, and per-recipient tracking (open rate, click rate, submission rate). The “Gophish-and-a-VPS” deployment is the standard low-budget red-team / security-awareness-team phishing-simulation infrastructure. The project remains active and is the most-cited single open-source phishing framework.22

Evilginx2. Kuba Gretzky’s AiTM reverse-proxy phishing framework (§5.5). The public version is feature-limited; Evilginx Pro is sold to vetted commercial security firms only.

Modlishka. Piotr Duszyński’s reverse-proxy phishing framework, similar to Evilginx2 in functional scope but with a different architecture. Open-source and widely used.

Muraena. Michele Orrù and Giuseppe Trotta’s reverse-proxy phishing framework, similar functional scope to Evilginx2 / Modlishka. The “trinity” of AiTM frameworks (Evilginx2, Modlishka, Muraena) covers the open-source AiTM landscape.

Social-Engineer Toolkit (SET). Dave Kennedy’s SET (originally released ~2009-2010; Kennedy founded TrustedSec in 2011 and SET has been maintained under TrustedSec since)23 is the canonical Python-driven SE-attack framework, with modules for phishing, cloned-website attacks, USB-attack staging, mass-mailing, and SMS attacks. SET is bundled with Kali Linux and remains the entry-point reference for new practitioners.

King Phisher. Open-source phishing-campaign framework with a richer GUI than Gophish; less actively maintained as of 2025.

Phishing-as-a-Service kits (criminal market). Tycoon 2FA, Rockstar2FA, EvilProxy, Caffeine — the dominant criminal-market PhaaS kits as of 2024-2025. These are not legitimate-practitioner tools; they are catalogued here for awareness of the threat-landscape framing.

5.7 The channel-comparison table

| Channel | Per-target cost | Per-target success | Pretext fidelity required | Detection signal | Defensive primary control |
|---|---|---|---|---|---|
| Bulk phishing (email) | ~$0 (per-target) | 0.1-1% click | Low | Email gateway URL/attachment scan; SPF/DKIM/DMARC fail; spam-filter heuristics | DMARC strict + email gateway + URL rewriting + user reporting |
| Spear phishing (email) | $5-50 (research time) | 5-30% click | Medium-high | URL-rewriting click telemetry; behavioral anomaly | Same as bulk + EDR for payload-stage; user-reporting incentive |
| Whaling / BEC (email) | $100-1,000 (research time) | 10-40% on financial action | High | New-payee anomaly; sender-domain look-alike detection | Out-of-band callback verification; four-eyes on financial actions; BEC-specific gateway filter |
| AiTM phishing (email) | $50-500 (infrastructure + research) | 5-30% (MFA-bypass succeeds when victim clicks) | Medium-high | Session cookie issued from unusual IP; impossible-travel detection | Phishing-resistant MFA (FIDO2 / WebAuthn / passkeys); risk-based authentication |
| Vishing (voice) | $10-100 (per call attempt) | 20-60% on information disclosure | Medium-high | Caller-ID anomaly; unusual time-of-call | Callback-verification policy; never-share-credentials-over-phone policy; voice-deepfake detection (emerging) |
| AI-voice-cloned vishing | $100-1,000 (voice sample + cloning tool + call) | 30-70% on financial action | High | Anomalous wire-transfer request; out-of-band verification fails | Mandatory wait + callback verification; four-eyes; voice-clone detection (where deployable) |
| Smishing (SMS) | ~$0.001 (per SMS) | 0.5-5% click | Low | URL-blocklist + carrier spam filter; user report | Carrier filter + user reporting (7726 in US); awareness training |
| In-person SE | $500-5,000 (engagement-day cost) | 50-90% on physical entry (well-prepared) | Very high | Visitor sign-in mismatch; CCTV review post-hoc | Visitor escort policy; verified-vendor list; tailgating sensors / mantrap |

Table 17.4 — The SE delivery-channel comparison. The pattern: per-target cost spans roughly six orders of magnitude (~$0.001 per SMS to ~$5,000 per in-person engagement day) and per-target success roughly three (0.1% to 90%), with bulk phishing at the cheap / low-yield end and in-person at the expensive / high-yield end. The criminal-economy SE landscape is dominated by the bulk end (volume economics); the red-team SE landscape is dominated by the targeted end (engagement economics). The detection-signal column lists the most prominent technical detection surface per channel; the defensive-primary-control column lists the single control with the highest leverage. The complete defense stack (§7) layers multiple controls per channel.
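The AiTM row’s detection signals (session cookie issued from an unusual IP; impossible travel) reduce to a few rules over sign-in telemetry. The following is an added example, not code from the original page or from any SIEM vendor: it runs three rules over constructed Microsoft 365-style sign-in records (the IPs are RFC 5737 documentation addresses, the ASNs are from the private-use range, and the hosting-ASN list and speed threshold are assumptions) and flags the proxy’s full MFA login from a VPS, the replay of the resulting cookie from a second network, and the travel speeds those two imply.

```python
"""Three detections for AiTM-stolen session use, run over constructed sign-in records."""
from __future__ import annotations
import csv, io, math
from collections import defaultdict
from datetime import datetime, timezone

MAX_SPEED_KMH = 900.0                  # assumption: faster than an airliner is not travel
MIN_DISTANCE_KM = 50.0                 # assumption: ignore geo-IP jitter inside one metro area
HOSTING_ASNS = {"AS64501", "AS64502"}  # constructed VPS/cloud ASNs (private-use ASN range)

# Constructed Microsoft 365-style sign-in / activity records (RFC 5737 documentation IPs).
# alice logs in from the office (London); the AiTM proxy (Amsterdam VPS) then completes a
# full MFA login as her; the captured cookie is then replayed from San Francisco.
SAMPLE_LOG = """ts,user,event,session_id,ip,asn,lat,lon
2026-02-03T08:55:00Z,alice@contoso.com,interactive_login_mfa_ok,S0,192.0.2.44,AS64500,51.50,-0.12
2026-02-03T09:01:10Z,alice@contoso.com,interactive_login_mfa_ok,S1,203.0.113.7,AS64501,52.37,4.89
2026-02-03T09:03:40Z,alice@contoso.com,mailbox_access,S1,198.51.100.9,AS64502,37.77,-122.42
2026-02-03T10:15:00Z,bob@contoso.com,interactive_login_mfa_ok,S2,192.0.2.45,AS64500,51.50,-0.12
2026-02-03T17:40:00Z,bob@contoso.com,mailbox_access,S2,192.0.2.45,AS64500,51.50,-0.12
"""


def parse(text: str) -> list[dict]:
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        r["lat"], r["lon"] = float(r["lat"]), float(r["lon"])
        rows.append(r)
    return sorted(rows, key=lambda r: r["ts"])


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect(rows: list[dict]) -> list[dict]:
    findings = []
    by_user, by_session = defaultdict(list), defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
        by_session[r["session_id"]].append(r)
        # Rule 1: a full MFA login whose source is a hosting provider, not a user network.
        if r["event"] == "interactive_login_mfa_ok" and r["asn"] in HOSTING_ASNS:
            findings.append({"rule": "hosting-asn-login", "user": r["user"],
                             "detail": f"{r['ip']} ({r['asn']}) established session {r['session_id']}"})
    # Rule 2: one session token presented from more than one network (the cookie replay itself).
    for sid, evs in by_session.items():
        asns = sorted({e["asn"] for e in evs})
        if len(asns) > 1:
            findings.append({"rule": "session-reuse", "user": evs[0]["user"],
                             "detail": f"session {sid} used from {asns}"})
    # Rule 3: impossible travel between consecutive events of one user.
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (b["ts"] - a["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if km > MIN_DISTANCE_KM and speed > MAX_SPEED_KMH:
                findings.append({"rule": "impossible-travel", "user": user,
                                 "detail": f"{km:.0f} km in {hours * 60:.1f} min ({a['ip']} -> {b['ip']})"})
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"{f['rule']:18s} {f['user']:20s} {f['detail']}")
```

Rule 2 is the one specific to AiTM: the proxy’s login and the attacker’s later use of the cookie come from different infrastructure, so a single session identifier spans two ASNs within minutes; rules 1 and 3 are the generic risk-based-authentication signals the table lists, and bob’s ordinary day produces none of the three.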


6. Physical entry — tailgating, badge clone, the SE physical chain

Physical entry is the SE attack family that bridges this volume’s pure-human-attack-surface focus and Vol 16’s physical-access-computer-hacking content. The attack chain — get into the building, get to a target machine or network port or person, exploit — uses social engineering as the entry mechanism and the technical implants of Vol 16 as the exploitation mechanism. This section walks tailgating and piggybacking (§6.1), badge cloning as the technically-mediated entry path (§6.2), the lobby pretext (§6.3), the inside-the-building escalation (§6.4), the lock-picking / physical-security-bypass adjacency (§6.5), and the substantive table (§6.6).

A "no tailgating" sign at Apple's corporate office — a representative awareness-control deployment. The sign-based defense layer is the cheapest physical-entry deterrent: it costs essentially nothing per door, it creates a cultural norm that holding-the-door-for-someone-you-don't-recognize is socially marked, and it gives security teams a reference for the policy when an incident is reviewed. The sign-based layer is, however, the weakest layer in the defense stack — most tailgating attacks succeed despite the sign, because the social pressure not to be the person who refuses to hold the door for someone who appears to belong is stronger than the awareness signal the sign provides. The deeper layers (mantrap, badge-only entry with anti-tailgating sensor, security-officer-staffed entry) are correspondingly more expensive and more effective.

Figure 17.8 — A “no tailgating” sign at Apple’s corporate office. Photo: File:No tailgating sign - Apple.jpg by Keepitreal74. License: Public domain. Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ANo%20tailgating%20sign%20-%20Apple.jpg).

6.1 Tailgating and piggybacking — the canonical entry primitives

Tailgating is the canonical physical-entry primitive: an unauthorized person follows an authorized person through a controlled door, slipping through before the door closes behind the authorized person. No pretext is required at the door itself — the attacker just needs to be physically present and to slip through in the window between the authorized person’s badge-in and the door’s close. Tailgating works because:

  • Social pressure favors the attacker. The authorized person who turns and asks “do you work here?” is being rude by the prevailing workplace norm; the attacker who looks like they belong (suit, professional demeanor, plausible bearing) gets the benefit of the doubt.
  • The window is exploitable. Even short door-closer windows (2-3 seconds) are long enough for a person walking at normal pace to slip through.
  • The detection burden is on the wrong party. The authorized person has no automated way to know if the person following them is authorized — they would have to actively check, which is socially costly.

The single most-effective defense is a mantrap — two interlocked doors with a small chamber between them, where the second door does not unlock until the first door has fully closed. The mantrap forces serialized entry and breaks the “slip through behind someone” pattern. Mantraps are typical at data centers, secure-research facilities, and high-assurance enterprise spaces; they are uncommon at general-purpose office floors because of the cost and the friction they impose on legitimate traffic.

The secondary defense is the tailgate sensor / anti-tailgating beam — an optical or pressure-based sensor at the door that detects a second body following the first within the badge-in window and triggers an alert. Cheaper than a mantrap but produces false positives at high-traffic doors.

The tertiary defense is awareness training — teaching employees to recognize tailgating attempts and to challenge unfamiliar people in controlled spaces. Awareness training is the cheapest defense and the lowest-efficacy defense; the social pressure that favors the attacker is stronger than the awareness signal the training provides.

Piggybacking is the consensual variant of tailgating: the attacker has a pretext that induces the authorized person to actively hold the door open for them. The canonical pretext is “I forgot my badge, I’m running late for a meeting” delivered with an apologetic smile and a hand on a phone (suggesting a callback is in progress). The pretext exploits the Liking principle (the apologetic / harried-employee appearance triggers sympathy) and the Reciprocity principle (the authorized person is helping out a colleague, as they would want done for themselves). Piggybacking is more reliable than tailgating because it weaponizes the authorized person’s cooperation rather than working against it. The defense stack is the same as for tailgating, plus an organizational culture that makes “I forgot my badge” actually require returning to the lobby for a guest badge rather than being held-door-through.

6.2 Badge cloning — the technical entry path

Where tailgating is the pretext-based entry path, badge cloning is the technical entry path — the attacker clones the target’s RFID / NFC access credential and uses the clone to badge in legitimately. The technical depth on the RFID / NFC card ecosystem lives in Vol 15 — which covers the LF (125 kHz HID Prox, EM4100, Indala) and HF (13.56 MHz MIFARE Classic, MIFARE DESFire, iCLASS, iCLASS SE) protocols, their security models, and the cloning techniques at full depth — and this volume’s contribution is the SE framing around how the cloning fits into the engagement chain.

The chain:

  1. OSINT identifies the target carrying the credential. OSINT (§3) identifies the people who carry access credentials for the target site — typically anyone who works in the building, which is everyone on the employee list visible via LinkedIn.
  2. Proximity capture in a public space. Many low-security badge formats (HID Prox at 125 kHz; legacy MIFARE Classic at 13.56 MHz) can be cloned by an attacker holding a long-range reader (a Proxmark3 in long-range mode; a custom-built reader with an oversized antenna) within a few inches of the target’s wallet or pocket where the credential is carried. The target is unaware. The capture happens in a coffee shop, on a subway, in an elevator, in any public space the attacker can co-locate with the target.
  3. Clone to write-capable card or Flipper. The captured credential is written to a writable card (a “magic” MIFARE card with writable UID) or loaded into a Flipper Zero / Proxmark3 for emulation.
  4. Use the clone at the target door. The attacker badges in with the clone; the access-control system sees a valid credential and unlocks the door.

The strength of this chain is that the target never sees the attack happen — the proximity capture is invisible to the target, the cloning happens out of sight, and the door swipe with the clone is indistinguishable from a legitimate badge swipe at the access-control system’s logging level. The defense — covered at depth in Vol 15 — is at the card-technology layer: deploy iCLASS SE / DESFire EV2 / EV3 / Seos cards with cryptographic authentication that resists the proximity-capture attack, and retire the legacy HID Prox / EM4100 / Classic MIFARE deployments that don’t.
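The individual swipe is indistinguishable, but a clone in circulation leaves a second trace in the badge log that the holder's own behaviour does not: the same credential appearing at two sites closer together in time than anyone can travel, or entering a perimeter door twice with no exit between. The audit below is an added example written for this page, not the project's own code and not a feature of any named access-control product; the site names, door names, travel-time floor and log lines are constructed, and the export format (timestamp,credential,site,door,direction) is an assumption.

```python
"""Badge-log audit for signs of a cloned credential in use (added example)."""
from datetime import datetime, timedelta

# Constructed: minimum plausible travel time between sites, in minutes.
MIN_TRAVEL_MINUTES = {frozenset({"HQ", "LAB"}): 45}
# Constructed: doors where both entry and exit are badged, so in/out state is trackable.
PERIMETER_DOORS = {"hq-lobby-turnstile", "lab-main"}


def travel_floor(site_a, site_b):
    """Shortest credible interval between a swipe at site_a and one at site_b."""
    return timedelta(minutes=MIN_TRAVEL_MINUTES.get(frozenset({site_a, site_b}), 0))


def parse_events(lines):
    """Parse constructed 'timestamp,credential,site,door,direction' lines."""
    events = []
    for line in lines:
        ts, cred, site, door, direction = line.split(",")
        events.append((datetime.fromisoformat(ts), cred, site, door, direction))
    return events


def audit(events):
    """Return alerts as (credential, kind, detail), one per suspicious event pair."""
    alerts = []
    last_seen = {}   # credential -> (time, site, door) of its previous swipe
    state = {}       # (credential, site) -> "in" / "out" as of the last perimeter swipe
    for ts, cred, site, door, direction in sorted(events, key=lambda e: (e[1], e[0])):
        if cred in last_seen:
            prev_ts, prev_site, prev_door = last_seen[cred]
            gap = ts - prev_ts
            # Two swipes at different sites faster than the travel floor: two cards exist.
            if prev_site != site and gap < travel_floor(prev_site, site):
                alerts.append((cred, "impossible-travel",
                               f"{prev_site}/{prev_door} -> {site}/{door} "
                               f"in {int(gap.total_seconds() // 60)} min"))
        if door in PERIMETER_DOORS:
            # Soft anti-passback: a second entry with no exit between means a second body.
            if direction == "in" and state.get((cred, site)) == "in":
                alerts.append((cred, "anti-passback",
                               f"second entry at {site}/{door} with no exit recorded"))
            state[(cred, site)] = direction
        last_seen[cred] = (ts, site, door)
    return alerts


# Constructed log lines (not a real access-control export).
SAMPLE_LOG = [
    "2026-03-02T08:00:05,C-0777,HQ,hq-lobby-turnstile,in",
    "2026-03-02T12:01:40,C-0777,HQ,hq-lobby-turnstile,out",
    "2026-03-02T12:41:12,C-0777,HQ,hq-lobby-turnstile,in",
    "2026-03-02T08:02:10,C-1042,HQ,hq-lobby-turnstile,in",
    "2026-03-02T08:15:33,C-1042,LAB,lab-main,in",           # 13 min after an HQ entry
    "2026-03-02T09:30:00,C-1042,HQ,hq-lobby-turnstile,in",  # HQ entry with no HQ exit
]

if __name__ == "__main__":
    for cred, kind, detail in audit(parse_events(SAMPLE_LOG)):
        print(f"{cred} {kind}: {detail}")
```

The anti-passback signal only exists where exits are badged, which is why the perimeter-door set is explicit; at sites with free-exit doors only the impossible-travel check applies, and the travel floor should be set conservatively so that a legitimate holder driving between sites does not page the SOC.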

6.3 The lobby pretext — getting past the front desk

For facilities with a staffed front desk, the attacker has to first get past the lobby. The canonical lobby pretexts:

Vendor / courier. “I’m here to deliver this package to [name on package].” The pretext exploits the lobby staff’s default of accepting deliveries; the attacker may try to gain “I’ll just bring this up myself, what floor?” access, or may use the delivery as cover for OSINT (the response to “who is [name]” tells the attacker which floor they’re on).

Visitor with pre-arranged meeting. “I’m here to meet with [name]; I have an appointment at 2 PM.” The pretext exploits OSINT — the attacker has identified a real person at the organization who plausibly takes external meetings, and times the visit. If the front desk calls up to confirm, the attacker apologizes for being early / having the wrong day and leaves; if the front desk waves them through without confirmation (common at less-paranoid organizations), entry is achieved.

Interview candidate. “I’m here for the 1 PM interview with HR.” OSINT (job postings on the organization’s website) identifies real open positions; the attacker references one. Less effective at organizations that confirm interviews via badge-printed-from-HR-system.

Service personnel. Telecom technician, building inspector, HVAC, elevator service, alarm-system service. The pretext leverages the lobby staff’s default of accepting service personnel as legitimate, particularly when the visit is plausibly unscheduled (an alarm-system service call in response to an alarm; an emergency HVAC repair).

The defense at the lobby layer is the verified visitor process: every visitor signs in, every visitor is escorted, every vendor is pre-confirmed against a verified-vendor list, every meeting is confirmed with the host before badge issuance. Most large organizations have policies that approach this; enforcement varies.

6.4 Inside the building — conference rooms, break rooms, restrooms

Once past the lobby, the attacker is typically in a controlled space (the building) but unsupervised. The exploitation phase begins. The canonical inside-the-building primitives:

  • Conference room target. Open conference rooms with unattended laptops, projector cables, network-jack ports, and the occasional unlocked desktop. The attacker walks in confidently, plugs in a LAN Turtle (network-implant drop) or a Rubber Ducky into an unlocked laptop (HID-injection drop), walks out. The window is the meeting break or the few minutes between meetings.
  • Break room / kitchen. Network jacks are common; people leave laptops on tables during lunch; the social context (it’s a break room, people come and go) provides cover.
  • Restroom. Unlikely to have direct attack value but provides a staging area — the attacker can change shirts (out of one cover into another), check OSINT on a phone, regroup before the next phase.
  • Executive office / finance floor. The highest-value targets are typically on dedicated floors with additional access controls. Getting to the floor requires either an escort, a target-floor badge clone, or piggybacking on a target-floor employee.
  • Server room / wiring closet. The deepest target. Server rooms typically have additional access controls (separate badge, biometric, sometimes the mantrap). The attacker who reaches a server room has access to everything the network has access to.

The combined chain — physical entry → conference room or unattended desk → Vol 16-style implant drop → outside-the-building C2 → ongoing access — is the canonical “physical-access pentest” engagement model. The Ducky Script deep dive Vol 14 and the Vol 16 §6 combined-workflow chapter cover the technical-implant side at full depth; this volume’s contribution is the SE entry-pretext side.

6.5 Lock picking and physical-security bypass — the adjacent skill

Lock picking sits adjacent to social engineering — it is a physical-security-bypass skill rather than a human-manipulation skill, but the engagement contexts where physical entry matters typically include locked doors (after-hours, server rooms, restricted-access offices) that picking can defeat. The U.S. community center for lock picking and physical-security research is TOOOL (The Open Organisation Of Lockpickers),[24] a 501(c)(3) educational nonprofit with chapters across major U.S. cities and a substantial annual presence at DEF CON, ShmooCon, and adjacent security conferences. The principal practitioner-author and educator in the lock-picking-for-pentesters space is Deviant Ollam, who served on TOOOL’s U.S. board for 14 years, runs the consulting firm The CORE Group specializing in physical penetration, and authored Practical Lock Picking (Syngress, second edition 2012) — the canonical practitioner text.

The skill set spans lock picking proper (single-pin picking, raking, bumping), bypass techniques (latch-shimming, under-door tools, key-impressioning), and the broader category of physical-security-bypass techniques (badge-cloning as covered above, magnetic-stripe-card cloning, door-bypass tools, the canonical “Practical Lock Picking” + “Keys to the Kingdom” curriculum). The legal-posture frame is the same as for the rest of this volume — owning the locks you practice on is fine, picking locks at conferences and meetups under controlled / authorized conditions is fine, picking locks on systems you do not own or that are not authorized for testing is criminal (state-level burglary statutes and “burglary tools” possession laws layer on top of federal CFAA).

6.6 The physical-entry technique table

| Technique | Pretext required | Detection difficulty | Primary defense | Cross-link |
|---|---|---|---|---|
| Tailgating | None — just appearance of belonging | Low if observed; high if not | Mantrap; tailgate sensor; visitor escort | None — pure-physical |
| Piggybacking | “Forgot my badge”; “running late” pretext | Low — the held door is itself the attack | Cultural norm “no held-door-through”; mantrap | None — pure-pretext |
| Badge cloning (HID Prox / Legacy MIFARE) | Proximity to target carrying badge | Very low — capture is invisible; door swipe is normal | iCLASS SE / DESFire EV2-EV3 / Seos card upgrade | Vol 15, Vol 16 §6 |
| Lobby pretext (vendor/courier) | Vendor uniform; package; clipboard | Medium if front-desk verifies; high if it doesn’t | Verified-visitor process; escort policy; verified-vendor list | None |
| Lobby pretext (interview candidate) | Reference to real open position | Medium — HR can verify | Pre-confirmed visitor process; HR-issued badges | None |
| Service-personnel pretext | Vendor uniform; plausible work order | Medium — facilities can verify | Verified-work-order process; pre-arranged service-visit notification | None |
| Conference-room implant drop | None (after entry) | Low at moment of drop; medium later via EDR / IDS | EDR USB-device control; network NAC | Vol 16 §2, Vol 16 §4 |
| Executive-office / finance-floor escalation | Per-floor pretext; piggyback on floor employee | Medium — separate badge required typically | Per-floor access control; CCTV review | None |
| Server-room access | Per-room pretext; rarely viable; usually via prior credential | Very low if achieved (lots of high-value access) | Multi-factor physical access (badge + biometric + escort); mantrap | None |
| Lock picking (single-pin / raking) | None — the lock itself is the target | Very low — picking is silent; door is intact | Mechanical-resistance high-security locks (Medeco, Abloy, Mul-T-Lock); electronic access control | TOOOL / CORE Group resources |
| Lock bypass (latch shim, under-door tool) | None | Very low | Door-construction hardening; latch-protector plates | TOOOL / CORE Group resources |

Table 17.5 — The physical-entry technique catalogue. The pattern: pure-physical techniques (tailgating, lock picking, badge cloning) have very low detection difficulty at the moment of attack — they exploit normal-looking entry events — and high detection difficulty in retrospect (CCTV review, badge-log audit, post-incident forensics). The pretext-based techniques have variable detection depending on the verification rigor of the front desk and the escort policy. The defenders in this space are increasingly the physical security organization (facilities, building security) rather than the IT security organization — and the gap between the two has historically been a substantial source of vulnerability. The combined-workflow chains (§6.4) where physical entry leads to network implant drop are the operational reason the IT security team has a strong interest in physical-security posture even though the controls are owned by another team.


7. Defense — awareness programs, technical controls, the human firewall reality

The defender’s posture against social engineering decomposes into three layers: awareness training (§7.1), technical controls (§7.2), and process controls (§7.3). The awareness layer is the most-discussed and the least-effective in isolation; the technical layer is the most-deployed and the most-mature; the process layer is the most-leveraged and the most-organizationally-difficult. The “human firewall” framing (§7.4) — the security-awareness-training industry’s central metaphor — is partially true and partially misleading, and the working defender’s view (§7.5) layers the three rather than treating any one as sufficient. The substantive table (§7.6) and the load-bearing legal callout (§7.7) close the section.

7.1 Security awareness training — KnowBe4, Cofense, Proofpoint

The security-awareness-training (SAT) industry consolidated in the 2010-2020 timeframe around a handful of dominant vendors:

KnowBe4. Founded in August 2010 by Stu Sjouwerman (along with Kevin Mitnick as Chief Hacking Officer until Mitnick’s death in 2023), KnowBe4 is the largest dedicated security-awareness-training company by revenue and customer count.[25] The platform combines on-demand training videos (catalogued by topic, role, regulatory framework, language), scheduled phishing simulations (the KnowBe4 platform sends test phishing emails to enrolled users and tracks click / report rates), and reporting / dashboarding for the security team. KnowBe4 went public in April 2021 and was taken private in February 2023 by Vista Equity Partners in a ~$4.6 billion acquisition. The Mitnick connection (KnowBe4 acquired Mitnick Security Consulting in 2011 and Mitnick remained Chief Hacking Officer) gave KnowBe4 substantial brand recognition in the security-practitioner community.

Cofense (formerly PhishMe). Founded in 2008 by Rohyt Belani and Aaron Higbee (with the company formally launching in 2011, the date some sources cite),[26] PhishMe rebranded as Cofense in February 2018 after acquisition by a Pamplona Capital Management and BlackRock private-equity syndicate at a ~$400M valuation. Cofense’s distinguishing feature historically has been its focus on the Cofense Triage product — a security-operations-team-oriented incident-response platform that ingests user-reported phishing emails, automatically analyzes them, and triages them for the SOC. Where KnowBe4 leads with the training-and-simulation product, Cofense leads with the user-reporting-and-response product.

Proofpoint Security Awareness Training. The SAT product line within Proofpoint, acquired from Wombat Security in 2018. Proofpoint’s strength is the integration with the broader Proofpoint email-security stack — the SAT product feeds into and out of the same telemetry that the email-gateway and DLP products use. Customers who already deploy Proofpoint email security get the SAT product at low integration cost. Proofpoint itself was taken private by Thoma Bravo in October 2021 (definitive agreement April 26, 2021; transaction closed Q3 2021) for $12.3 billion — the largest take-private cybersecurity transaction at the time and Thoma Bravo’s largest deal of that period. Proofpoint’s NASDAQ delisting and the post-take-private operational continuity are background context to the SAT product line; Proofpoint remains independently operated under Thoma Bravo ownership as of 2026.

SANS Security Awareness. SANS Institute’s security-awareness offering — less commercially aggressive than KnowBe4 / Cofense / Proofpoint, more curriculum-driven. The OUCH! newsletter and the SANS Security Awareness Maturity Model are widely cited frameworks. SANS-trained security-awareness program managers populate many large-enterprise programs.

The SAT industry’s product pattern has converged: training-video catalogue + phishing-simulation engine + reporting dashboard + integration hooks for the security stack. The differentiation is in the quality of the training content, the sophistication of the phishing-simulation templates (and how often they are refreshed to track current attack patterns), the platform’s reporting depth, and the price.

7.2 Technical controls — email authentication and the gateway stack

The technical-control layer against email phishing has matured substantially in the 2018-2026 timeframe:

SPF (Sender Policy Framework). RFC 7208 (April 2014). DNS-published policy that declares which IP addresses are authorized to send mail for a given domain. Receiving mail servers check the sending IP against the policy and treat policy-failing mail as suspicious. SPF is the oldest of the three core email-authentication mechanisms; weakness is that it does not survive forwarding (forwarded mail’s sending IP is the forwarder, not the originator).

DKIM (DomainKeys Identified Mail). RFC 6376 (September 2011). Cryptographic signature embedded in the mail header, signed by the sending domain’s private key with the public key published in DNS. Survives forwarding (the signature stays valid as long as the headers and body don’t change). Complements SPF; both are typically deployed.

DMARC (Domain-based Message Authentication, Reporting and Conformance). RFC 7489 (March 2015). Builds on SPF and DKIM. DMARC publishes a DNS policy that says “if a message claims to be from my domain but fails SPF and DKIM alignment, do X” — where X is one of none (just report it to me), quarantine (send it to spam), or reject (don’t deliver it). The aggregate reports DMARC requires are what give the domain owner visibility into who is spoofing their domain. The mature DMARC posture is p=reject on the policy; the deployment journey is typically p=none → p=quarantine → p=reject as the domain owner cleans up legitimate-but-misconfigured senders.

Email gateway URL rewriting. Microsoft Safe Links (in Microsoft Defender for Office 365), Mimecast URL Protect, Proofpoint URL Defense, Cisco Email Security URL Filtering — all the major email gateways rewrite URLs in inbound mail to route through the gateway’s URL-protection service. At click time, the gateway re-evaluates the URL against current threat intelligence and either delivers the user to the original site, blocks the click, or warns the user. URL rewriting is the principal post-delivery defense against phishing links that pass initial gateway inspection but turn malicious between delivery and click.

Email gateway attachment scanning. Sandbox-based detonation of attachments before delivery, with verdicts based on observed behavior. Microsoft Safe Attachments, Mimecast Targeted Threat Protection, Proofpoint Attachment Defense. Effective against many payload-staged phishing campaigns; bypassed by attackers who deliver payload via URL or via second-stage download from a clean initial attachment.

Anti-BEC filters. Microsoft Defender for Office 365’s anti-impersonation policies, Mimecast Impersonation Protect, Proofpoint Targeted Attack Protection — gateway-level filters specifically tuned for executive-impersonation patterns. Look at display-name spoofing, lookalike-domain registration, sudden-new-sender patterns from putative executives, financial-action-language anomalies.
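As an added example of the display-name and lookalike-domain checks this paragraph describes (not code from the original page, and not any gateway vendor's implementation): the script below parses the From, Reply-To and Subject fields of constructed sample messages, collapses visually confusable domains onto a skeleton before comparing them with the organization's own domain, and returns a verdict with the reasons behind it. The protected-user roster, the org domain example.com, the financial-language word list, the confusable-character map and the verdict thresholds are all assumptions for illustration.

```python
"""Display-name impersonation and lookalike-domain checks over parsed headers (added example)."""
import re
import unicodedata
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # constructed: the defender's own domain
# Constructed roster of protected display names -> their real internal address.
PROTECTED = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}
FINANCIAL = re.compile(r"\b(wire|transfer|invoice|payment|bank details|gift cards?|urgent)\b", re.I)
# Digits attackers swap for look-alike letters; a real filter would use a full confusables table.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def skeleton(domain):
    """Normalize a domain so visually similar spellings collapse to the same string."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))   # strip diacritics
    return d.translate(CONFUSABLE).replace("rn", "m").replace("vv", "w").replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def is_lookalike(domain):
    """True for external domains that collapse onto, or sit one edit from, our own."""
    if not domain or is_internal(domain):
        return False
    s, o = skeleton(domain), skeleton(ORG_DOMAIN)
    return s == o or edit_distance(s, o) <= 1


def analyze(msg):
    """Return (verdict, reasons) for a dict of header fields (From, Reply-To, Subject, Body)."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    reasons, severe = [], False

    # Display-name impersonation: a protected name on any address but the real one.
    real_addr = PROTECTED.get(" ".join(name.lower().split()))
    if real_addr and addr.lower() != real_addr:
        reasons.append(f"display name '{name}' matches a protected user but address is {addr}")
        severe = True
    if is_lookalike(domain):
        reasons.append(f"sender domain {domain} is a lookalike of {ORG_DOMAIN}")
        severe = True
    if reply and reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    if not is_internal(domain) and FINANCIAL.search(msg.get("Subject", "") + " " + msg.get("Body", "")):
        reasons.append("external sender with financial-action language")

    if severe:
        verdict = "block"
    elif len(reasons) >= 2:
        verdict = "quarantine"
    elif reasons:
        verdict = "flag"
    else:
        verdict = "pass"
    return verdict, reasons


# Constructed sample messages (not captured mail).
SAMPLES = {
    "exec-impersonation": {"From": '"Jane Doe" <jane.doe@examp1e.com>',
                           "Subject": "Urgent wire transfer before 5pm"},
    "freemail-exec": {"From": '"Jane  Doe" <janedoe.ceo@freemail.invalid>',
                      "Reply-To": "janedoe.ceo@freemail.invalid", "Subject": "Are you at your desk?"},
    "vendor-reply-to": {"From": '"Accounts" <billing@vendor.invalid>',
                        "Reply-To": "billing@vendor-invoices.invalid",
                        "Subject": "Invoice 4471: updated bank details"},
    "ordinary-vendor": {"From": '"Accounts" <billing@vendor.invalid>',
                        "Subject": "Invoice 4472 payment received"},
    "internal": {"From": '"Jane Doe" <jane.doe@example.com>', "Subject": "Wire transfer approval"},
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        verdict, reasons = analyze(msg)
        print(f"{label:20s} {verdict:10s} {'; '.join(reasons)}")
```

The ordinary vendor invoice lands at "flag" rather than "quarantine" on purpose: financial language alone is normal business mail, and it is the combination with a diverging Reply-To, a lookalike domain or a protected display name that marks BEC. An exact spoof of the internal address is not caught here at all; that is what DMARC alignment (next paragraph onward) is for.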

EDR for post-delivery payload detection. When the phishing email succeeds in delivering a payload that the user executes, the EDR on the host is the next defense line. Vol 10 §3.2 covers EDR / XDR / MDR at full depth; the principal vendors (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint) all detect the canonical post-phishing-payload patterns (Cobalt Strike beacon, Sliver beacon, generic process-injection, generic credential-dumping).

A representative DMARC posture-check on the defender’s-own-domain side:

# Check the DMARC policy for your domain.
# A mature posture is p=reject; p=quarantine is acceptable for a domain
# still in deployment cleanup; p=none means "monitor only — anyone can
# spoof us and we won't block."
dig +short TXT _dmarc.example.com

# Check the SPF policy (which hosts are authorized to send for the domain).
dig +short TXT example.com | grep -i "v=spf1"

# Check the DKIM public-key record (replace 'selector1' with the actual
# selector used by the domain's outbound mail platform; the selector is
# the s= tag of a signed message's DKIM-Signature header).
dig +short TXT selector1._domainkey.example.com

# The aggregate flow of DMARC reports is what gives the domain owner
# visibility into spoofing attempts. Configure the rua= and ruf=
# tags in the DMARC record to point at an inbox you actually read.
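The dig commands above return the raw TXT strings; grading them is the next step. The checker below is an added example, not part of the original page, that evaluates SPF and DMARC records against the deployment journey described in the text: the DNS-lookup limit and "all" qualifiers from RFC 7208, and the p=, sp=, pct= and rua= tags from RFC 7489. The three sample record sets are constructed for the reserved domain example.com and are not real DNS data; the severity labels and the mature/partial/weak grading are assumptions.

```python
"""Grade SPF and DMARC TXT records for anti-spoofing posture (added example)."""
import re
from dataclasses import dataclass

SEVERITY_ORDER = ["info", "low", "medium", "high"]
# SPF terms that cost a DNS lookup; RFC 7208 section 4.6.4 caps them at 10 per evaluation.
DNS_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class Finding:
    severity: str
    message: str


def check_spf(apex_txt):
    """Findings for the domain's SPF record(s), given every TXT string at the apex."""
    spf = [r for r in apex_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("high", "no SPF record: any host may send as this domain")]
    findings = []
    if len(spf) > 1:
        findings.append(Finding("high", "multiple SPF records: receivers return permerror"))
    lookups, all_term = 0, None
    for term in spf[0].split()[1:]:
        # Strip the qualifier, then the argument, leaving the mechanism or modifier name.
        name = re.split(r"[:/=]", re.sub(r"^[+\-~?]", "", term), maxsplit=1)[0].lower()
        if name in DNS_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_term = term
    if lookups > 10:
        findings.append(Finding("high", f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10 (permerror)"))
    if all_term is None:
        findings.append(Finding("medium", "no 'all' mechanism: unlisted hosts get a neutral result"))
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("high", "'+all': every host on the internet is authorized"))
        elif qualifier == "?":
            findings.append(Finding("medium", "'?all': unlisted hosts are neutral, not failed"))
        elif qualifier == "~":
            findings.append(Finding("low", "'~all' softfail: not an SPF pass for DMARC, but '-all' is stronger"))
    return findings


def parse_dmarc_tags(record):
    """Split 'k=v; k=v' into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(dmarc_txt):
    """Findings for the _dmarc TXT record(s)."""
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return [Finding("high", "no DMARC record: SPF/DKIM failures are not enforced and no reports arrive")]
    findings = []
    if len(dmarc) > 1:
        findings.append(Finding("high", "multiple DMARC records: receivers ignore the policy"))
    tags = parse_dmarc_tags(dmarc[0])
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append(Finding("high", "p=none: monitor only, spoofed mail is still delivered"))
    elif p == "quarantine":
        findings.append(Finding("medium", "p=quarantine: spoofed mail is junked rather than rejected"))
    elif p != "reject":
        findings.append(Finding("high", f"p={p or '<missing>'}: missing or invalid policy"))
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    if sp != p and sp in ("none", "quarantine"):
        findings.append(Finding("medium", f"sp={sp}: subdomain policy is weaker than the org domain"))
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100 and p != "none":
        findings.append(Finding("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("medium", "no rua= tag: no aggregate reports, so no visibility into who spoofs the domain"))
    return findings


def posture(apex_txt, dmarc_txt):
    """Return (label, findings); label is 'mature', 'partial' or 'weak' by the worst finding."""
    findings = check_spf(apex_txt) + check_dmarc(dmarc_txt)
    worst = max((f.severity for f in findings), key=SEVERITY_ORDER.index, default="info")
    label = {"info": "mature", "low": "mature", "medium": "partial", "high": "weak"}[worst]
    return label, findings


# Constructed sample records (not real DNS data) for the reserved domain example.com.
SAMPLES = {
    "mature": (["v=spf1 include:_spf.mailer.invalid ip4:192.0.2.0/24 -all"],
               ["v=DMARC1; p=reject; rua=mailto:dmarc-agg@example.com; adkim=s; aspf=s"]),
    "partial": (["v=spf1 include:_spf.mailer.invalid -all"],
                ["v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-agg@example.com"]),
    "weak": (["some-site-verification=abc123", "v=spf1 a mx include:_spf.mailer.invalid +all"],
             ["v=DMARC1; p=none"]),
}

if __name__ == "__main__":
    for name, (apex, dmarc) in SAMPLES.items():
        label, findings = posture(apex, dmarc)
        print(f"{name:8s} -> {label}")
        for f in findings:
            print(f"    [{f.severity}] {f.message}")
```

To run it against a real domain, pass it the lines from dig +short TXT example.com and dig +short TXT _dmarc.example.com with the surrounding quotes stripped. DKIM is deliberately not graded: the selector is per-sender and the record is a public key rather than a policy, so the useful check is whether outbound mail carries a signature that verifies, not what the TXT record says.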

7.3 Process controls — callback verification, four-eyes, the wait

The process-control layer is where the highest-leverage anti-SE defenses sit. They are also the layer most resistant to deployment because they impose friction on legitimate workflows. The canonical process controls:

Out-of-band callback verification. For any out-of-band request (a phone call, an email) that requests sensitive action, the recipient verifies by initiating a callback through a known-good channel (the company directory, the published support number, the executive’s known mobile from a separate database). The callback breaks every voice-spoofing, voice-cloning, email-spoofing, lookalike-domain attack — the callback goes to the real person, not the attacker.

Four-eyes / dual-control on financial actions. Wire transfers above a threshold require approval from a second authorized person, ideally in a different reporting chain. The dual-control breaks BEC attacks that rely on a single finance-team member acting on an apparent executive instruction.

The mandatory wait. No urgent request will be acted on in less than 30 minutes. The wait gives time for cognitive load to decrease and for verification to happen. The wait is the single highest-leverage control against the urgency principle (§2.2). Implementation typically requires explicit policy support because the cultural pressure of “the executive is waiting” makes individual employees reluctant to impose the wait themselves.

Visitor escort and verified-visitor process. For physical entry, the verified-visitor process (every visitor pre-registered, every visitor signed in, every visitor escorted while in controlled space) breaks most of the §6 physical-entry pretexts. The verified-vendor list (every vendor pre-approved through procurement, vendor IDs checked at lobby) breaks the vendor-pretext class.

Verified-LE-channel process. Law-enforcement and regulator requests come through a verified channel (the legal team, the compliance office, the published abuse / LE-coordination email) rather than ad-hoc to individual employees. The verified channel includes warrant verification, jurisdiction verification, and authorization. The “fake EDR” attack class (§4.1) is the textbook reason this control exists.

The process layer is the layer that does not require sophisticated technology — it requires policy, culture, and enforcement. Many organizations have the policies on paper and miss them in practice; the gap is one of the most-cited sources of SE-attack success in incident-investigation literature.
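One way to make the three controls above enforceable rather than advisory is to encode them as a release gate in the workflow tool finance already uses. The gate below is an added example written for this page, not the project's code and not a real product: the directory, the callback numbers, the 30-minute wait and the dual-control threshold are constructed. The checks it encodes are the ones the text calls out: the callback number comes from the directory rather than from the request, the wait is measured from receipt rather than from any deadline the requester states, and the two approvers must sit in different reporting chains.

```python
"""Release gate for a sensitive request, enforcing callback, wait and dual control (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MANDATORY_WAIT = timedelta(minutes=30)
DUAL_CONTROL_THRESHOLD = 10_000   # constructed: amount at or above which two approvals are required

# Constructed directory: the known-good callback number and reporting chain per person.
DIRECTORY = {
    "jane.doe":    {"phone": "+1-555-0100", "chain": "ceo"},
    "pat.finance": {"phone": "+1-555-0110", "chain": "cfo"},
    "sam.finance": {"phone": "+1-555-0111", "chain": "cfo"},
    "lee.legal":   {"phone": "+1-555-0120", "chain": "general-counsel"},
}


@dataclass
class WireRequest:
    claimed_requester: str                       # who the email or call says it is from
    amount: int
    received_at: datetime
    callback_number_in_request: Optional[str] = None   # number the request itself offers
    callback_made_to: Optional[str] = None             # number the recipient actually dialed
    approvals: List[str] = field(default_factory=list)


def evaluate(req, now):
    """Return ('release' | 'hold', blockers) for a request evaluated at time `now`."""
    blockers = []
    entry = DIRECTORY.get(req.claimed_requester)
    if entry is None:
        blockers.append(f"requester {req.claimed_requester} is not in the directory")
    # Callback verification: the number must come from the directory, never from the request.
    if req.callback_made_to is None:
        blockers.append("callback verification not performed")
    elif entry and req.callback_made_to != entry["phone"]:
        blockers.append(f"callback went to {req.callback_made_to}, not the directory number {entry['phone']}")
    if req.callback_number_in_request and req.callback_made_to == req.callback_number_in_request:
        blockers.append("callback used the number supplied by the request itself")
    # Mandatory wait: nothing urgent is acted on inside the window, measured from receipt.
    remaining = MANDATORY_WAIT - (now - req.received_at)
    if remaining > timedelta(0):
        blockers.append(f"mandatory wait: {int(remaining.total_seconds() // 60)} minutes remaining")
    # Dual control: two approvers, neither the requester, from different reporting chains.
    if req.amount >= DUAL_CONTROL_THRESHOLD:
        approvers = [a for a in req.approvals if a != req.claimed_requester and a in DIRECTORY]
        chains = {DIRECTORY[a]["chain"] for a in approvers}
        if len(approvers) < 2:
            blockers.append("dual control: fewer than two independent approvals")
        elif len(chains) < 2:
            blockers.append("dual control: approvers share one reporting chain")
    return ("hold" if blockers else "release"), blockers


# Constructed scenarios (not from a real incident).
T0 = datetime(2026, 3, 2, 16, 45)
SUSPECT = WireRequest("jane.doe", 48_000, T0,
                      callback_number_in_request="+1-555-0199",   # "call me back on this number"
                      callback_made_to="+1-555-0199",
                      approvals=["pat.finance", "sam.finance"])   # both under the CFO
COMPLIANT = WireRequest("jane.doe", 48_000, T0,
                        callback_made_to="+1-555-0100",
                        approvals=["pat.finance", "lee.legal"])


def run_scenarios():
    """Evaluate both scenarios: the suspect one five minutes in, the compliant one after the wait."""
    return {"suspect": evaluate(SUSPECT, T0 + timedelta(minutes=5)),
            "compliant": evaluate(COMPLIANT, T0 + timedelta(minutes=35))}


if __name__ == "__main__":
    for label, (verdict, blockers) in run_scenarios().items():
        print(label, verdict, *blockers, sep="\n  ")
```

The suspect scenario trips all three controls at once, which is the typical BEC shape: a callback number volunteered in the message, pressure to act inside the window, and two approvers who both report to the same person the attacker is impersonating upward from.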

7.4 The “human firewall” framing — partially true, partially misleading

The “human firewall” metaphor — popularized by the SAT industry (KnowBe4, Cofense, Proofpoint) and now widely adopted in security-awareness curricula — frames each employee as a security control: train them well and they become a defensive layer that complements the technical and process layers. The metaphor is partially useful — trained employees do, in fact, report phishing attempts at substantially higher rates than untrained employees (DBIR 2025 data: 21% vs 5%[12]) — and partially misleading in ways that the field’s working literature has increasingly acknowledged.

The misleading parts:

The click-rate-as-KPI trap. Measuring an awareness program by employee click-rate on simulated phishing emails drives behaviors that don’t actually reduce real-world incidents. Employees who click on the simulation are typically punished (extra training, public shaming on team metrics, sometimes negative performance-review impact); employees learn to game the metric (avoid clicking on anything that looks even slightly suspicious, including legitimate communications they need to act on) without actually improving their threat recognition. Sherrod DeGrippo (formerly Proofpoint, now Microsoft) and the broader awareness-program research literature have been increasingly explicit that report-rate is the better metric — it measures the active behavior the security team actually wants (escalation of the suspicious to the security team), and it is not gameable in the same way that click-rate is.

The training-decay problem. Awareness training decays in efficacy over 4-6 months. Annual training is essentially exhausted before the next training cycle. Effective programs run continuous-simulation with monthly cadence (the canonical recommendation across SANS, KnowBe4, NIST 800-50 guidance); programs that train once a year and check the box are largely cosmetic.

The skilled-attacker / spear-phishing limit. Awareness training is effective against bulk / commodity phishing (employees learn to recognize the standard templates) and ineffective against well-prepared spear phishing (employees cannot recognize attacks that reference their real projects, real colleagues, real recent activity). The DBIR 2025 data showing 16% of breaches still come from phishing despite decades of awareness training is the empirical case that training has a floor.

The human-firewall responsibility-shift. The metaphor implicitly shifts security responsibility from the organization’s controls to individual employees. The employee who clicks on a sophisticated AiTM phishing email and exposes their session cookie is not the failure mode; the organization’s failure to deploy phishing-resistant MFA is the failure mode. The mature framing is that awareness is a complement to technical and process controls, not a substitute.

The working defender’s view is that awareness training is necessary but not sufficient: it has measurable benefit (report-rate doubles or quadruples with continuous-simulation programs); it is cheap relative to the technical-control stack; and it produces the security-culture signal that supports the process controls. But the organization that treats awareness training as its primary defense against SE has misallocated its investment — the technical-control stack and the process-control stack carry far more of the actual defense load.

7.5 The blue-team SE-response playbook

When an SE attack succeeds (or is suspected), the blue-team response follows a consistent playbook. The depth treatment is in Vol 10 §4; the SE-specific elements:

  1. Containment. If the suspected-compromised account is a high-value account, disable / suspend immediately; if the compromise is via session cookie (AiTM), invalidate all sessions for the account; if the compromise is via credential disclosure, force password reset.
  2. Forensic preservation. Preserve the email, the URL clicked, the landing page (snapshot it before it disappears), the captured browser history, any downloaded files. The forensic trail supports incident-response, supports threat-intel sharing, and supports any law-enforcement coordination if the incident warrants.
  3. Scope determination. Was this employee the only target? (Usually not — SE campaigns target multiple individuals.) Use the email gateway’s search-and-retract feature to identify other recipients of the same campaign; pull EDR telemetry to see whether other employees clicked or downloaded.
  4. Notification. Internal stakeholders (security team, IT, affected business unit, executive sponsor); external if required by regulation (HIPAA, GDPR, state breach-notification laws); the awareness program team for use as a teaching case (anonymized).
  5. Remediation. Reset all credentials potentially exposed; review and rotate any cryptographic material the compromised account had access to; reimage affected hosts if payload-staged compromise is confirmed; review and refine the gateway rules / detection signatures that missed the campaign.
  6. Lessons-learned and program update. Update the SAT phishing-simulation templates to include the variant that succeeded; update the SOC’s detection rules; update the process-control documentation if a process failure (callback skipped, four-eyes bypassed) was part of the chain.

The blue-team SE-response is not a one-incident operation — it is part of the continuous improvement loop that the SOC runs against all attack categories. Vol 12 §4 treats the purple-team validation of the SE-response controls — tabletop exercises, simulated SE incidents, the red-team-blue-team-purple-team feedback loop — at full depth.

7.6 The defense-countermeasure summary

| Defense layer | Specific control | Typical efficacy | Cross-link |
|---|---|---|---|
| Awareness — bulk phishing | Continuous-simulation program (monthly cadence) | High (click-rate 5% → 1-2%; report-rate 5% → 21%) | KnowBe4 / Cofense / Proofpoint platforms |
| Awareness — spear phishing | Same + targeted role-specific training | Medium (catches some; well-prepared spear phishing still lands) | Same as above |
| Awareness — BEC | Executive-targeted training + finance-team workflows training | Medium (process controls do most of the work) | Same + §7.3 process |
| Awareness — vishing | Annual role-specific training; SE-CTF-style exercises | Medium-low (process controls do most of the work) | Internal SOC + SANS curriculum |
| Awareness — physical entry | Tailgating-awareness training; visitor-challenge culture | Low-medium (social pressure favors attacker; mantraps do more) | Internal physical-security team |
| Email auth — SPF / DKIM / DMARC | DMARC p=reject at the org domain | High against sender-domain spoofing | RFC 7208 / 6376 / 7489 |
| Email gateway — URL rewriting | Microsoft Safe Links / Mimecast URL Protect / Proofpoint URL Defense | High against time-of-click malicious URLs | Gateway vendor docs |
| Email gateway — attachment sandboxing | Microsoft Safe Attachments / equivalent | High against payload-attached phishing; bypassed by URL-delivered | Gateway vendor docs |
| Email gateway — anti-BEC filters | Display-name spoofing detection; impersonation pattern matching | Medium-high against BEC-specific patterns | Gateway vendor docs |
| MFA — phishing-resistant | FIDO2 / WebAuthn / passkeys deployed for all users | Very high against AiTM; the only complete defense | Vendor MFA docs; NIST 800-63 |
| MFA — non-phishing-resistant (TOTP, SMS, push) | Microsoft Authenticator push, Authy, SMS codes | Medium against bare phishing; defeated by AiTM | Vendor MFA docs |
| EDR — post-delivery payload | CrowdStrike Falcon / SentinelOne / MDE | High against commodity payloads; medium against custom | Vol 10 §3.2 |
| Process — callback verification | Mandatory for all out-of-band requests above threshold | Very high against voice/email spoofing | §7.3 |
| Process — four-eyes on financial | Wire-transfer dual-control above threshold | Very high against BEC | §7.3 |
| Process — mandatory wait | 30-minute wait on all urgent unverified requests | High against urgency-driven decisions | §7.3 |
| Process — visitor escort + verified-visitor | Lobby check-in; pre-registered visitors; escort while in space | High against physical-entry pretexts | §6, §7.3 |
| Physical — mantrap | Two-door interlocked entry at controlled spaces | Very high against tailgating; medium friction | §6.1 |
| Physical — tailgate sensor | Beam-based or pressure-based at controlled doors | Medium-high; false-positive rate at high-traffic doors | §6.1 |
| Physical — modern credential (iCLASS SE / Seos / DESFire EV2+) | Cryptographic-authenticated cards | Very high against badge-cloning attack | Vol 15, §6.2 |
| Blue-team — IR playbook | Documented SE-response playbook; tabletop-exercised | High at incident response speed | Vol 10 §4, §7.5 |
| Purple-team — SE simulation | Authorized SE engagement against own organization | High for finding gaps before adversary | Vol 12 §4 |

Table 17.6 — The defender’s countermeasure summary against social engineering. The pattern: the highest-efficacy controls are technical (phishing-resistant MFA, mantrap, modern access-control cards, DMARC p=reject) and process (callback verification, four-eyes, mandatory wait). The awareness layer is necessary (report rate alone justifies it) but not sufficient on its own. The mature defender’s posture layers the three — technical to make the attack harder to land, process to make the action harder to take, awareness to make the suspicious easier to escalate. The “human firewall” framing is the cultural support layer; it is not the load-bearing defense.

The legal line — load-bearing callout. Every technique catalogued in this volume is dual-use, and the same actions that are legitimate under authorization are felonies without it. Phishing campaigns run without organizational authorization are wire fraud under 18 U.S.C. § 1343[2] and (when they obtain credentials or data) unauthorized access under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030.[1] Vishing campaigns that elicit information by impersonating bank, law-enforcement, or government officials trigger wire fraud and impersonation-of-a-government-official statutes (18 U.S.C. § 912 for federal impersonation; state-level analogs). Smishing triggers wire fraud plus the TCPA (Telephone Consumer Protection Act, 47 U.S.C. § 227) on the messaging side. BEC — the executive-impersonation wire-fraud category — is the highest-recorded-dollar-loss federal fraud category, with FBI IC3 recording $3.04 billion in 2025 losses across 24,768 complaints,[19] and is prosecuted aggressively as wire fraud, bank fraud, and computer fraud in combination. Physical entry without authorization is criminal trespass at the state level, burglary if the entry has criminal intent on the other side of the door, and “possession of burglary tools” if the operator is carrying the lock-picks / badge cloner / network implant. The OSINT phase is generally legal — collecting public information from public sources is not itself a crime — but tipping into pretext-based information-collection (e.g., calling a target’s employer’s HR department pretending to be a background-check provider) crosses into wire fraud / impersonation territory. The federal-statute baseline is supplemented by the Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.)[3] on the interception side and the Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028) on the identity-impersonation side. State-law analogs (California Penal Code § 502, New York Penal Law § 156, every state’s equivalent) layer on top, and the international landscape (UK Computer Misuse Act 1990, Germany’s StGB §§ 202a-202c, Australia’s Cybercrime Act 2001, the Budapest Convention on Cybercrime’s domestic implementations) provides the equivalent statutory framework outside the U.S. The frame is identical to Vol 16 §7 and the project-wide legal_ethics.md baseline: own the systems and individuals you are testing, or have written authorization from people with authority to grant it, or stay on the defender’s side of the line. There is no research exception that survives prosecution. The Ducky Script deep dive Vol 16, the WiFi Pineapple deep dive Vol 19, and the eventual Vol 19 all treat this posture at depth — this section’s purpose is to make the legal frame load-bearing on this volume’s specific techniques, not to re-derive the whole statutory landscape.


8. Cross-reference index

The Vol 17 contribution to the canonical anchor index that Vol 21 consolidates. The nine H2 headings below are frozen append-only as of this volume’s first commit — renaming any of them changes the auto-generated vol17-<slug> anchor and silently breaks inbound links.

| From | Anchor target in Vol 17 | Context |
|---|---|---|
| Vol 6 §3 | #vol17-osint-the-reconnaissance-phase | White-hat sanctioned-engagement OSINT — the recon phase of authorized red-team and security-awareness work. |
| Vol 7 §3 | #vol17-phishing-vishing-smishing-the-delivery-channels | Black-hat criminal-economy phishing — the dominant initial-access vector across criminal intrusions. |
| Vol 7 §4 | #vol17-the-psychology-principles-se-exploits | Black-hat intrusion lifecycle — the SE-exploited cognitive shortcuts that gate initial access. |
| Vol 7 §4 | #vol17-pretexting-building-and-running-a-cover | Black-hat criminal pretext catalog — IT-help-desk, vendor-technician, executive-impersonation pretexts as criminal tradecraft. |
| Vol 8 §3 | #vol17-osint-the-reconnaissance-phase | Grey-hat security research using OSINT as primary investigation method. |
| Vol 10 §3 | #vol17-defense-awareness-programs-technical-controls-the-human-firewall-reality | Blue-team defender view — SAT platforms, email-auth stack, EDR for post-phishing payload, IR playbook. |
| Vol 11 §3 | #vol17-pretexting-building-and-running-a-cover | Red-team operator’s pretext catalog and cover-construction discipline. |
| Vol 11 §4 | #vol17-physical-entry-tailgating-badge-clone-the-se-physical-chain | Red-team engagement-lifecycle physical-entry layer at engagement-methodology depth. |
| Vol 11 §4 | #vol17-phishing-vishing-smishing-the-delivery-channels | Red-team initial-access phishing / vishing in sanctioned engagements. |
| Vol 12 §4 | #vol17-defense-awareness-programs-technical-controls-the-human-firewall-reality | Purple-team validation of SE countermeasures via tabletop and simulated-phishing exercises. |
| Vol 13 §3 | #vol17-osint-the-reconnaissance-phase | Sub-GHz reconnaissance as the RF analog of OSINT — both feed engagement preparation. |
| Vol 14 §3 | #vol17-phishing-vishing-smishing-the-delivery-channels | WiFi Pineapple rogue-AP + captive-portal as the Wi-Fi-delivered phishing channel. |
| Vol 15 §5 | #vol17-physical-entry-tailgating-badge-clone-the-se-physical-chain | Badge-cloning RFID/NFC chain as the technical-entry path. |
| Vol 16 §2 | #vol17-physical-entry-tailgating-badge-clone-the-se-physical-chain | HID-injection on an unattended desk after SE-enabled physical entry. |
| Vol 16 §6 | #vol17-pretexting-building-and-running-a-cover | The SE connective tissue between RF reconnaissance and physical-implant drop. |
| Vol 16 §6 | #vol17-physical-entry-tailgating-badge-clone-the-se-physical-chain | The physical-entry stage of the combined RF + physical-implant attack chain. |
| WiFi Pineapple deep dive | #vol17-phishing-vishing-smishing-the-delivery-channels | The Pineapple’s captive-portal + landing-page delivery stack for SE landing pages. |
| Ducky Script deep dive | #vol17-physical-entry-tailgating-badge-clone-the-se-physical-chain | The HID-injection payload delivered after SE-enabled physical entry. |
| Flipper Zero deep dive | #vol17-physical-entry-tailgating-badge-clone-the-se-physical-chain | The Flipper Zero’s RFID / NFC subsystems as the field-portable badge-clone platform. |
| Vol 19 (Legal line & ethics) | #vol17-defense-awareness-programs-technical-controls-the-human-firewall-reality | Statutory framework (CFAA / wire fraud / ECPA / state analogs) that this volume’s §7.7 callout summarizes. |
| Vol 20 (Cheatsheet) | All §2 + §4 + §5 + §7 anchors | Cialdini-six field-card material; pretext-type table; phishing campaign lifecycle; defense layer. |
| Vol 21 (Glossary + canonical anchor index) | Every Vol 17 H2 anchor | Vol 21 consolidates the series anchor catalog. |

Table 17.7 — The Vol 17 cross-reference index. The pattern matches the rest of the reference cluster: hat volumes link out for the SE framing that applies to their hat (criminal economy for Vol 7, red-team engagement for Vol 11, defender posture for Vol 10, purple-team validation for Vol 12), the reference-cluster siblings hand off material at the seams (Vol 15 badge-cloning feeds §6 physical entry; Vol 16 combined workflows lean on §4 pretexting), tool deep dives link in for the technical-delivery stack (WiFi Pineapple for captive-portal delivery; Ducky Script for HID-injection follow-up; Flipper Zero for the badge-clone field tool), and the synthesis volumes consume Vol 17 anchors for cheatsheet and anchor-index roles. The append-only discipline on the H2 headings is what keeps this index stable across the deep-dive cluster.

The frozen H2 anchors as committed in this volume:

  • #vol17-about-this-volume
  • #vol17-the-psychology-principles-se-exploits
  • #vol17-osint-the-reconnaissance-phase
  • #vol17-pretexting-building-and-running-a-cover
  • #vol17-phishing-vishing-smishing-the-delivery-channels
  • #vol17-physical-entry-tailgating-badge-clone-the-se-physical-chain
  • #vol17-defense-awareness-programs-technical-controls-the-human-firewall-reality
  • #vol17-cross-reference-index
  • #vol17-resources

9. Resources

Primary references for Vol 17, organized by topic, with footnoted citations to the specific books, papers, statutes, and tool documentation.

Foundational academic psychology. Robert Cialdini’s Influence: The Psychology of Persuasion (William Morrow, 1984; revised expanded edition Harper Business, 2021) [4] is the canonical academic framework for the six (now seven) principles of influence that the SE field operates on [6]. Stanley Milgram’s Obedience to Authority (Harper & Row, 1974; based on the 1960s Yale experiments) [5] is the foundational experimental evidence for the authority-deference principle. Daniel Kahneman’s Thinking, Fast and Slow (Farrar, Straus and Giroux, 2011) [7] is the canonical reference for the System 1 / System 2 cognitive-decision framework that explains why urgency suppresses analytical thinking.

Practitioner manuals. Christopher Hadnagy’s Social Engineering: The Art of Human Hacking (Wiley, 2010) and its second edition, retitled Social Engineering: The Science of Human Hacking (Wiley, 2018) [8], are the canonical practitioner adaptations of the academic literature to the security-research context. Kevin Mitnick’s (with William L. Simon) The Art of Deception: Controlling the Human Element of Security (Wiley, 2002) [10], The Art of Intrusion (Wiley, 2005), and Ghost in the Wires (Little, Brown, 2011) form the canonical Mitnick field-account trilogy. Hadnagy’s Phishing Dark Waters (Wiley, 2015) treats the phishing channel at full depth; Unmasking the Social Engineer (Wiley, 2014) treats body-language and non-verbal cues for in-person SE.

OSINT methodology and tools. Eliot Higgins’s We Are Bellingcat (Bloomsbury, 2021) is the principal monograph from Bellingcat’s founder [17]. The Bellingcat Online Investigation Toolkit lives at https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ/edit (the canonical maintained OSINT resource list). The OSINT-Framework (Justin Nordine) at https://osintframework.com is the canonical category catalogue. Michael Bazzell’s Open Source Intelligence Techniques (now in its 10th edition as of 2024) is the dominant single OSINT practitioner manual. Maltego documentation: https://docs.maltego.com [15]; SpiderFoot documentation: https://www.spiderfoot.net/documentation/ [16]; Recon-ng: https://github.com/lanmaster53/recon-ng; theHarvester: https://github.com/laramies/theHarvester; Sherlock: https://github.com/sherlock-project/sherlock; Have I Been Pwned (Troy Hunt): https://haveibeenpwned.com; Hunter.io: https://hunter.io; Shodan (John Matherly): https://www.shodan.io [13]; Censys: https://censys.com [14].

Phishing frameworks. Gophish (Jordan Wright, 2013): https://getgophish.com; source at https://github.com/gophish/gophish [22]. Evilginx2 (Kuba Gretzky, 2017-2018): https://github.com/kgretzky/evilginx2; the author’s documentation at https://breakdev.org/author/kuba/ [21]. Modlishka (Piotr Duszyński): https://github.com/drk1wi/Modlishka. Muraena: https://github.com/muraenateam/muraena. Social-Engineer Toolkit / SET (Dave Kennedy / TrustedSec, ~2009-2010): https://github.com/trustedsec/social-engineer-toolkit [23]. King Phisher (Spencer McIntyre / SecureState): https://github.com/rsmusllp/king-phisher.

Verizon DBIR. The Verizon Data Breach Investigations Report is the canonical annual breach-data reference. The 2025 edition: https://www.verizon.com/business/resources/reports/dbir/ [11] [12]. Phishing is consistently in the top 3 initial-access vectors; the report-rate-vs-click-rate framing is well-established in DBIR commentary.

FBI IC3. The FBI Internet Crime Complaint Center’s annual Internet Crime Report. The 2025 edition: https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf [19]. BEC consistently leads dollar-loss categories; the BEC-specific Public Service Announcements at https://www.ic3.gov document the campaign patterns and defender recommendations.

DEF CON Social Engineering CTF (SECTF). The annual capture-the-flag contest run by Social-Engineer LLC / Social-Engineer.org at DEF CON since 2009. Contest reports: https://www.social-engineer.org/defcon-2014-social-engineering-ctf-report-released/ (representative entry); the contest archive at the annual DEF CON proceedings pages [20]. The contest data is the canonical longitudinal empirical evidence for vishing efficacy against Fortune 500 organizations.

Security awareness platforms. KnowBe4 (Stu Sjouwerman / Kevin Mitnick / TrustedSec lineage, founded August 2010): https://www.knowbe4.com [25]; KnowBe4 timeline at https://www.knowbe4.com/knowbe4-timeline/. Cofense (Rohyt Belani / Aaron Higbee, founded 2008; rebranded from PhishMe 2018): https://cofense.com [26]. Proofpoint Security Awareness Training: https://www.proofpoint.com/us/products/security-awareness-training. SANS Security Awareness: https://www.sans.org/security-awareness-training/. NIST SP 800-50 Building an Information Technology Security Awareness and Training Program (the canonical U.S. federal-guidance reference).

Lock-picking community and physical-security bypass. TOOOL (The Open Organisation Of Lockpickers, U.S. 501(c)(3) educational nonprofit): https://toool.us [24]. Deviant Ollam’s bio and lockpicking page: https://deviating.net/lockpicking/. The CORE Group (Deviant Ollam’s physical-penetration consulting firm): https://thecoregroup.net. Practical Lock Picking (Deviant Ollam, Syngress, 2nd edition 2012) and Keys to the Kingdom (Syngress, 2012) are the canonical practitioner texts.

Email authentication standards. SPF — RFC 7208 (April 2014). DKIM — RFC 6376 (September 2011). DMARC — RFC 7489 (March 2015). Microsoft Defender for Office 365 Safe Links and Safe Attachments documentation at Microsoft Learn. NIST SP 800-177 Trustworthy Email (the consolidated federal guidance for email authentication deployment).

Legal framework. Computer Fraud and Abuse Act (18 U.S.C. § 1030) [1]. Federal wire fraud (18 U.S.C. § 1343) [2]. Electronic Communications Privacy Act (18 U.S.C. § 2510 et seq.) [3]. Identity Theft and Assumption Deterrence Act (18 U.S.C. § 1028). State analogs (California Penal Code § 502; New York Penal Law § 156; equivalent statutes in every state). International: UK Computer Misuse Act 1990, Germany’s Strafgesetzbuch §§ 202a-202c, Australia’s Cybercrime Act 2001, Council of Europe Cybercrime Convention (Budapest, 2001) and its domestic implementations. The project-wide legal_ethics.md baseline frames the operational posture; Vol 19, when authored, will treat the full statutory landscape.

Sibling Hack Tools deep dives — the technical-delivery depth that this volume deliberately doesn’t duplicate:

Series cross-references in this volume. Vol 6 §3, Vol 7 §3, Vol 8 §3, Vol 10 §3, Vol 11 §3 for the hat-volume tooling treatments that link in for the SE capability and methodology framing. Vol 7 §4 for black-hat intrusion-lifecycle SE-context. Vol 11 §4 for red-team engagement-lifecycle SE-context. Vol 12 §4 for purple-team validation of the §7 defense countermeasures. Vol 13, Vol 14, Vol 15, Vol 16 for the reference-cluster siblings that feed the combined-workflow chains in §6. Vol 19, Vol 20, Vol 21 for the remaining synthesis volumes.

Footnotes

  1. Computer Fraud and Abuse Act, 18 U.S.C. § 1030. The primary federal statute applicable to unauthorized SE-enabled access. The “without authorization” and “exceeds authorized access” language has been refined by case law including Van Buren v. United States, 593 U.S. ___ (2021), which narrowed the scope of “exceeds authorized access” to access of files/databases the person was not entitled to obtain.

  2. Federal wire fraud, 18 U.S.C. § 1343. The principal federal statute for fraudulent schemes executed via interstate wire communication (telephone, email, Internet). Most SE-enabled fraud — phishing, vishing, smishing, BEC — is prosecuted under wire fraud, often in combination with CFAA, bank fraud (18 U.S.C. § 1344), and identity-theft statutes.

  3. Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510 et seq. Includes the Wiretap Act (Title I) prohibiting interception of electronic communications; the Stored Communications Act (Title II) protecting stored communications at service providers; the Pen Register Act (Title III) regulating dialed-number recording. Applicable to SE-enabled credential-capture, session-cookie interception, and unauthorized monitoring.

  4. Robert B. Cialdini, Influence: The Psychology of Persuasion, William Morrow & Company, 1984 (first edition); revised expanded edition, Harper Business, 2021. The canonical academic framework for the six (now seven) principles of influence. Cialdini’s three-year undercover fieldwork at used-car dealerships, fundraising organizations, and telemarketing firms produced the empirical observations the book systematizes. Has sold over five million copies and been translated into 41+ languages.

  5. Stanley Milgram, Obedience to Authority: An Experimental View, Harper & Row, 1974. The book-length treatment of the 1961-1962 Yale obedience experiments demonstrating that approximately 65% of subjects continued delivering apparent electric shocks to a confederate up to the maximum 450-volt level on the experimenter’s instruction. The experimental literature has been replicated extensively in the decades since with broadly consistent findings. Milgram’s original journal-paper publication: The Journal of Abnormal and Social Psychology, 67(4), 371-378 (1963).

  6. The 2021 revised edition adds Unity — shared in-group identity between persuader and target — as the seventh principle. Cialdini frames Unity as the deepest form of similarity-based persuasion: not “we have things in common” but “we are the same kind of person.” For practical SE analysis the six classical principles plus the urgency / cognitive-load meta-layer capture the working set; Unity is a refinement that sometimes adds explanatory power for in-group pretexts. Influence, New and Expanded, Harper Business, 2021.

  7. Daniel Kahneman, Thinking, Fast and Slow, Farrar, Straus and Giroux, 2011. The canonical synthesis of Kahneman’s life work on cognitive bias and the System 1 / System 2 dual-process model of human decision-making. Kahneman shared the 2002 Nobel Memorial Prize in Economic Sciences (with Vernon Smith) for the underlying research on prospect theory. The System 1 / System 2 framework is the dominant academic reference for explaining why urgency suppresses analytical thinking and why cognitive load reduces decision quality.

  8. Christopher Hadnagy, Social Engineering: The Art of Human Hacking, Wiley, 2010 (first edition); Social Engineering: The Science of Human Hacking, Wiley, 2018 (second edition, retitled). The canonical practitioner adaptation of the academic influence literature to the security-research context. ISBN-13 9780470639535 (first ed.), 9781119433385 (second ed.). Hadnagy also published Phishing Dark Waters (Wiley, 2015) treating the phishing channel specifically and Unmasking the Social Engineer (Wiley, 2014) treating body-language and non-verbal cues.

  9. Christopher Hadnagy departed Social-Engineer LLC and Social-Engineer.org in early 2022 amid public controversy following his temporary ban from the DEF CON conference. The Hadnagy methodology framework remains the canonical practitioner reference and is reproduced (with various refinements) in subsequent SE manuals; the per-person attribution should be read with awareness of the post-2022 context.

  10. Kevin D. Mitnick and William L. Simon, The Art of Deception: Controlling the Human Element of Security, Wiley, 2002. Foreword by Steve Wozniak. ISBN-13 9780471237129 (hardcover). The book is structured as a sequence of fictionalized field accounts of pretext-based attacks; each chapter walks a single attack from setup to payoff and then breaks down the principles that made it work and the controls that would have stopped it. The format established the practitioner-narrative tradition that subsequent SE literature has adopted.

  11. Verizon Business, 2025 Data Breach Investigations Report, May 2025. The 18th annual edition. Phishing reported as the initial-access vector in ~16% of breaches in 2025 — third behind credential abuse (~22%) and vulnerability exploitation (~20%). ~60% of confirmed breaches involved a human action somewhere in the kill chain. https://www.verizon.com/business/resources/reports/dbir/.

  12. Verizon Business, 2025 DBIR — Human Element / Awareness Training section. Trained employees report simulated phishing at ~21% rate; untrained at ~5% rate. The fourfold increase in report rate is the canonical empirical case for continuous-simulation programs over annual checkbox training.

  13. John Matherly’s Shodan was founded in 2009 as the “search engine for Internet-exposed devices” — it scans the public IPv4 (and IPv6) address space and catalogues banner data, certificates, software versions, and exposed services. Remains the dominant single tool in its category. https://www.shodan.io.

  14. Censys was founded in 2013 as a University of Michigan research spinoff from the ZMap fast Internet-scanning project (Zakir Durumeric et al.). Censys provides a more research-oriented data model than Shodan, including historical-data deep dives, certificate-transparency mining, and BGP-aware enumeration. https://censys.com.

  15. Maltego was developed by Paterva, founded in 2007 by Roelof Temmingh (with co-founders Andrew MacPherson and Chris Bohme). Maltego Community Edition is free; Maltego Pro / Enterprise / Investigator are commercial. Documentation at https://docs.maltego.com. Paterva renamed itself Maltego Technologies in 2020. https://www.maltego.com.

  16. SpiderFoot was created by Steve Micallef. The project began ~2012-2013 as an open-source automation framework for OSINT; SpiderFoot HX is the commercial hosted version. Acquired by Intel 471 in November 2022. https://www.spiderfoot.net; source at https://github.com/smicallef/spiderfoot.

  17. Bellingcat was founded by Eliot Higgins in July 2014 as a citizen-journalism / open-source-investigation collective. Initially focused on the Syrian civil war (Higgins’s pre-Bellingcat “Brown Moses” blog had built the methodology from 2012-2014). Subsequently published investigations into MH17, the Skripal-poisoning Russian FSB operation, multiple election-interference investigations, and Russian military operations in Ukraine post-2022. https://www.bellingcat.com. Methodology resources at https://www.bellingcat.com/category/resources/.

  18. The “fake EDR” (fake emergency disclosure request) attack class — criminals impersonating law enforcement to extract user data from major social-media and tech platforms via faked emergency-disclosure requests — gained substantial attention in 2022-2024. Bloomberg’s March 2022 reporting documented dozens of incidents across Discord, Meta, Apple, and Snap. The attack typically exploits a compromised law-enforcement email account or a freshly-registered lookalike domain plus pressure on the platform’s trust-and-safety team to act quickly on an apparent life-or-death request.

  19. Federal Bureau of Investigation, Internet Crime Complaint Center (IC3) 2025 Annual Report. Total reported cybercrime losses ~$20.9 billion; BEC losses $3.04 billion across 24,768 BEC complaints; multi-year BEC losses 2022-2024 totaled ~$8.5 billion. https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf.

  20. The DEF CON Social Engineering Capture The Flag (SECTF) has been run by Social-Engineer LLC / Social-Engineer.org at DEF CON since 2009. Contest format: participants are assigned a target Fortune 500 company; have a fixed OSINT-collection window; then a fixed live-calling window during which they attempt to extract “flags” (specific pieces of corporate information) from target-organization employees. The contest data is the canonical longitudinal empirical evidence for vishing efficacy. Reports archived at https://www.social-engineer.org/category/defcon/.

  21. Evilginx is an Adversary-in-the-Middle (AiTM) phishing framework developed by Kuba Gretzky. First mentioned in Gretzky’s blog April 2017; rewritten in Go as Evilginx2 in 2018; current public version is feature-limited (Evilginx Pro is sold privately to vetted security firms only). The AiTM technique captures both credentials and post-MFA session cookies, defeating all forms of MFA except phishing-resistant MFA (FIDO2 / WebAuthn / passkeys). https://github.com/kgretzky/evilginx2; author’s blog at https://breakdev.org/author/kuba/.

  22. Gophish is an open-source phishing framework developed by Jordan Wright, originally released in 2013. Provides campaign management, landing-page hosting, credential capture, and per-recipient tracking. The most-cited single open-source phishing framework in security-awareness-team deployments. https://getgophish.com; source at https://github.com/gophish/gophish.

  23. The Social-Engineer Toolkit (SET) was created by Dave Kennedy, originally released ~2009-2010. Kennedy founded TrustedSec in 2011 and SET has been maintained under TrustedSec since. Python-driven framework with modules for phishing, cloned-website attacks, USB-attack staging, mass-mailing, and SMS attacks. Bundled with Kali Linux. https://github.com/trustedsec/social-engineer-toolkit.

  24. TOOOL — The Open Organisation Of Lockpickers — is a 501(c)(3) educational nonprofit with U.S. chapters in major cities. Founded in the Netherlands; the U.S. division was established in the late 2000s. Substantial annual presence at DEF CON, ShmooCon, and adjacent security conferences. https://toool.us. Deviant Ollam served on the U.S. board for 14 years.

  25. KnowBe4 was founded in August 2010 by Stu Sjouwerman; Kevin Mitnick joined as Chief Hacking Officer in 2011 when KnowBe4 acquired Mitnick Security Consulting. Mitnick remained Chief Hacking Officer until his death in 2023. KnowBe4 IPO’d in April 2021 (NASDAQ:KNBE) and was taken private in February 2023 by Vista Equity Partners in a ~$4.6 billion acquisition. https://www.knowbe4.com. Company timeline at https://www.knowbe4.com/knowbe4-timeline/.

  26. Cofense was founded as PhishMe in 2008 by Rohyt Belani and Aaron Higbee, with the company formally launching its commercial product in 2011 (some sources cite 2011 as the founding year for this reason). Rebranded as Cofense in February 2018 after a BlackRock-led private-equity acquisition valued at ~$400 million. https://cofense.com.