
Social Engineering

Advanced Social Engineering Techniques: Spear Phishing and Whaling

3204 words · 16 mins
This article discusses advanced social engineering techniques, spear phishing, and whaling for a technical audience, including OSINT, psychology of trust, and elements of effective and ineffective attacks.

Pretexting: the operator side of social engineering

1707 words · 9 mins
A working operator’s view of pretexting in 2026. Cialdini’s six (plus one) principles applied to actual engagements, building a legend that survives a target’s google check, handling the “let me verify with my manager” pushback, and the modern landscape after Scattered Spider’s MGM/Caesars helpdesk attacks, AI voice cloning, STIR/SHAKEN, and AiTM kits eating MFA fatigue’s lunch.

Phishing: Detection and Defeat

1976 words · 10 mins
A walk through the modern phishing campaign architecture from an operator’s seat. Domain warming, redirector tiers, ASN and geo cloaking, CAPTCHA gates to defeat sandbox click-time URL scanning, HTML smuggling via the Blob API, SVG smuggling, and homograph tricks. Plus the current state of the arms race in 2026 with AiTM kits like Tycoon and EvilProxy, and what defenders should actually focus on.

Hacking the Human: A Red Teamer's Guide to Social Engineering

4537 words · 22 mins
A working guide to social engineering for red team engagements. Covers Cialdini’s six principles of persuasion as they’re actually used in pretexting, OSINT for building a credible story, Adversary-in-the-Middle phishing against MFA-protected accounts, MFA fatigue, vishing, physical entry, and how to write findings up without throwing individual employees under the bus.