As technology becomes more advanced, the “hardest” target to hack is no longer the firewall - it’s the person sitting behind it. Social engineering is the art of manipulating human behavior to achieve a goal. It exploits the weakest link in any security chain: the human element.

The most sophisticated EDR, the most hardened perimeter, the most complex password policy - all of it can be bypassed by a convincing email or a well-crafted phone call. According to Verizon’s Data Breach Investigations Report, the human element is involved in over 74% of breaches, with phishing and pretexting being primary attack vectors. As red teamers, we must master this domain not to “trick” people, but to demonstrate organizational risk and improve security awareness.

In this comprehensive article, we’ll explore the psychological foundations of influence, Open Source Intelligence (OSINT) methodologies for building pretexts, technical attack vectors like Adversary-in-the-Middle (AitM) phishing, and the physical and voice-based techniques that round out a professional red team engagement.


1. The Foundation: Psychology of Persuasion

To be a successful social engineer, you must understand the psychological triggers that make people comply with requests. These are not “tricks” - they are fundamental aspects of human cognition that evolution has hardwired into our brains.

Cialdini’s 6 Principles of Influence

Dr. Robert Cialdini, in his seminal book “Influence: The Psychology of Persuasion,” identified six core principles that govern human decision-making. Red teamers weaponize these daily.

1. Authority

People are conditioned from childhood to obey authority figures - parents, teachers, bosses, experts. In a corporate environment, an email from “the CEO” or a call from “IT Security” triggers automatic compliance.

Red Team Application: “This is David from IT Security. We’ve detected unusual activity on your account. I need you to verify your identity by…”

2. Scarcity

Fear of missing out (FOMO) creates urgency. When something is limited or exclusive, we want it more.

Red Team Application: “This training enrollment link expires in 30 minutes. Complete your security awareness certification now.”

3. Urgency/Fear

When people are afraid or under time pressure, their critical thinking shuts down. They revert to automatic, compliant behavior.

Red Team Application: “Your account will be suspended in 24 hours if you don’t verify your information immediately.”

4. Consistency and Commitment

Once someone commits to something small, they are psychologically driven to remain consistent with that commitment. This is the “foot in the door” technique.

Red Team Application: Start with a simple request (“Can you confirm your department?”) before escalating (“Great, can you click this link to verify?”).

5. Liking and Rapport

We are more likely to comply with requests from people we like. Similarity, compliments, and cooperation all build rapport.

Red Team Application: “I saw you went to State University too! Go Wildcats! Hey, I’m stuck on this project, would you mind taking a quick look at this document?”

6. Reciprocity

When someone does something for us, we feel obligated to return the favor. This is one of the most powerful influence levers.

Red Team Application: “I noticed your password was about to expire, so I went ahead and extended it. By the way, could you help me test this new portal?”

Cognitive Biases in Social Engineering

Beyond Cialdini’s principles, several cognitive biases are exploited:

  • Trust Bias: We tend to trust by default until proven otherwise.
  • Optimism Bias: “It won’t happen to me.”
  • Halo Effect: If someone seems professional/competent in one area, we assume they are in all areas.
  • Confirmation Bias: We interpret information in ways that confirm our existing beliefs.
  • Authority Bias: We defer to perceived experts even when we shouldn’t.

2. OSINT: The Reconnaissance Phase

A successful pretext is built on high-quality intelligence. Before a red teamer ever makes a call or sends an email, they perform deep reconnaissance. The goal is to know enough about the target organization and specific individuals to be utterly convincing.

Corporate Intelligence

LinkedIn:

  • Organizational Structure: Who reports to whom? Who are the executives?
  • New Hires: New employees are often the most vulnerable - they’re eager to please and unfamiliar with processes.
  • Departures: Recently departed employees might be impersonated, or their former colleagues might be targeted.
  • Technology Stack: Endorsements and skills reveal what tools they use.

Job Postings: Job descriptions are intelligence goldmines:

  • “Must have experience with CrowdStrike” (reveals their EDR)
  • “Familiarity with Pulse Secure VPN required” (reveals their VPN)
  • “Microsoft 365 administration experience” (reveals their email platform)

Company Website:

  • Press releases for recent events, acquisitions, and executive changes.
  • “Meet the Team” pages for names, titles, and photos.
  • Investor relations for financial data and business strategy.

Individual Intelligence

Social Media:

  • Facebook/Instagram: Personal details, family members, hobbies, vacation schedules.
  • Twitter/X: Professional opinions, complaints about work, conference attendance.
  • Reddit: Technical questions (often with specific error messages revealing software versions).

Data Breaches: Services like HaveIBeenPwned, DeHashed, and Intelligence X reveal:

  • Compromised Passwords: Often reused across personal and corporate accounts.
  • Password Patterns: If their personal password is Fluffy2020!, their work password might be Company2024!.
  • Email Addresses: Personal emails linked to work identities.

Technical Reconnaissance

Email Infrastructure:

# Identify mail servers
dig MX target.com

# SPF lives in the domain's root TXT record
dig TXT target.com

# DKIM keys are published per selector; take <selector> from the s= tag of a
# DKIM-Signature header on mail the domain actually sent
dig TXT <selector>._domainkey.target.com

# DMARC policy
dig TXT _dmarc.target.com

A weak or missing DMARC policy (p=none, or no record at all) tells receiving mail servers to take no action on failed SPF/DKIM checks, so emails spoofing their domain are delivered rather than quarantined or rejected.
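The same check, run from the defender's side against your own domain, is easy to automate. The following is an added example (not code from the article): it parses the SPF and DMARC record strings that the dig queries above return and rates the domain's spoofing exposure; the sample records are constructed.

```python
import re


def parse_dmarc(txt):
    """Split a DMARC record ('v=DMARC1; p=none; rua=...') into a tag dict."""
    txt = txt.strip().strip('"')
    if not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(txt):
    """Qualifier of the SPF 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", txt.strip().strip('"'))
    if not match:
        return None
    return match.group(1) or "+"


def assess(spf_txt, dmarc_txt):
    """Rate a domain's exposure to spoofing from its SPF and DMARC TXT records.

    Returns (rating, findings); rating is 'spoofable', 'partially-enforced'
    or 'enforced'. Either record may be None when the lookup returned nothing.
    """
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    policy = (dmarc or {}).get("p", "").lower()
    pct = int((dmarc or {}).get("pct", "100"))
    spf_all = spf_all_qualifier(spf_txt) if spf_txt else None
    findings = []
    if dmarc is None:
        findings.append("no DMARC record: receivers take no action on spoofed mail")
    elif policy == "none":
        findings.append("DMARC p=none: failures are only reported, never blocked")
    elif pct < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only part of the mail")
    if spf_all in (None, "+", "?"):
        findings.append("SPF has no restrictive 'all' mechanism (missing, +all or ?all)")
    if policy in ("quarantine", "reject"):
        rating = "enforced" if pct == 100 else "partially-enforced"
    else:
        rating = "spoofable"  # no record, p=none or an unrecognised p tag
    return rating, findings


# Constructed sample records: a monitor-only domain and a hardened one.
WEAK = assess("v=spf1 include:_spf.example.net ~all",
              "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
STRONG = assess("v=spf1 include:_spf.example.net -all", "v=DMARC1; p=reject; pct=100")
```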

Subdomain Enumeration: Finding portals, VPNs, and web applications:

subfinder -d target.com
amass enum -d target.com

3. Phishing: Email-Based Attacks

Phishing is the most common social engineering vector. It ranges from mass “spray and pray” campaigns to highly targeted “spear phishing.”

Types of Phishing

  • Bulk Phishing: Generic emails sent to thousands. Low effort, low success rate.
  • Spear Phishing: Targeted at specific individuals or roles. Higher effort, much higher success rate.
  • Whaling: Spear phishing targeting executives (the “big fish”).
  • Clone Phishing: Copying a legitimate email and replacing links/attachments with malicious ones.
  • Business Email Compromise (BEC): Impersonating executives to request wire transfers or sensitive data.

Anatomy of a Phishing Email

Key Elements:

  1. Sender Address: Spoof a trusted domain or use a lookalike (e.g., rn instead of m in microsoft -> rnicrosoft.com).
  2. Subject Line: Create urgency or relevance (“Urgent: Payroll Issue” or “Your package is waiting”).
  3. Body: Build a narrative that justifies the call to action.
  4. Call to Action: Click a link, open an attachment, reply with information.
  5. Footer/Signature: Mimic the organization’s branding and legal disclaimers.
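The lookalike trick in item 1 (rn for m, 0 for o, a one-letter insertion) is also what a mail gateway or SIEM rule should catch. The following is an added example, not from the article: it reduces sender domains to a "skeleton" in which confusable sequences are merged and also checks for a single-character edit against a constructed allow-list (TRUSTED).

```python
# Confusable sequences, longest first so 'rn' collapses to 'm' before any
# single-character rule could touch the 'n'.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed allow-list of domains the organisation actually mails with.
TRUSTED = ["microsoft.com", "example-corp.com"]


def skeleton(domain):
    """Reduce a domain to a form in which visually confusable sequences are merged."""
    text = domain.lower().strip(".")
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text.replace("-", "")


def within_one_edit(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1               # extra character in a
        elif len(b) > len(a):
            j += 1               # extra character in b
        else:
            i, j = i + 1, j + 1  # substitution
    return edits + (len(a) - i) + (len(b) - j) <= 1


def registrable(hostname):
    """Last two labels of a hostname; enough for .com-style domains, not for co.uk."""
    return ".".join(hostname.lower().strip(".").split(".")[-2:])


def classify_sender(sender_domain, trusted=TRUSTED):
    """Return (verdict, trusted_domain): 'trusted', 'lookalike' or 'unknown'."""
    dom = registrable(sender_domain)
    for candidate in trusted:
        t = registrable(candidate)
        if dom == t:
            return "trusted", t
        if skeleton(dom) == skeleton(t) or within_one_edit(dom, t):
            return "lookalike", t
    return "unknown", None
```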

Phishing Infrastructure with GoPhish

GoPhish is the industry standard for phishing simulations and red team campaigns.

# Install GoPhish
wget https://github.com/gophish/gophish/releases/latest/download/gophish-linux-64bit.zip
unzip gophish-linux-64bit.zip
./gophish

GoPhish provides:

  • Campaign management
  • Email template creation
  • Landing page hosting
  • Real-time tracking of opens, clicks, and submissions
  • Reporting for engagement metrics

Modern Phishing: Bypassing MFA with AitM

Standard credential harvesting is declining in effectiveness because of Multi-Factor Authentication (MFA). Red teamers have adapted with Adversary-in-the-Middle (AitM) attacks.

How AitM Works:

  1. User receives phishing email with a link to your server.
  2. Your server proxies the request to the real login page (Microsoft 365, Okta, Google Workspace, etc.).
  3. User enters credentials; your proxy captures them and forwards to the real site.
  4. User completes MFA; the real site issues a Session Cookie.
  5. Your proxy intercepts and stores the session cookie.
  6. With the session cookie, you can access the user’s account without needing the password or MFA token again.

Key Tools:

  • Evilginx2: The original and most popular AitM framework.
  • Muraena: Similar functionality with a modular architecture.
  • Modlishka: Reverse proxy for credential and session harvesting.
  • EvilnoVNC: Captures session through a headless browser.

Evilginx2 Example:

# Start Evilginx2
sudo ./evilginx2

# Configure a phishlet (e.g., for Microsoft 365)
config domain yourdomain.com
config ipv4 <your_server_ip>
phishlets hostname o365 login.yourdomain.com
phishlets enable o365

# Generate a lure (phishing URL)
lures create o365
lures get-url 0

Warning: AitM attacks against real users without authorization are illegal. Use these techniques only in authorized red team engagements with proper scoping.
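Steps 2 to 5 work because a password, an OTP or a push approval carries nothing that ties it to the site the user is really on, so the proxy can forward it unchanged. FIDO2/WebAuthn, the phishing-resistant option listed under defenses below, binds every assertion to the page origin. The following simulation is added here and is not from the article or any real WebAuthn library: hostnames are constructed and an HMAC stands in for the authenticator's private-key signature, but the two checks it models (the browser's rpId rule and the relying party's origin check) are the ones that break the relay.

```python
import hashlib
import hmac
import json
import os

REAL_RP = "login.example.com"           # real identity provider (constructed)
PROXY_HOST = "login.lookalike.example"  # AitM reverse proxy (constructed)


class Authenticator:
    """Security key; HMAC stands in for the private-key signature in this toy model."""

    def __init__(self):
        self._keys = {}                 # one secret per relying-party ID

    def register(self, rp_id):
        self._keys[rp_id] = os.urandom(32)
        return self._keys[rp_id]        # RP keeps this as the credential's "public key"

    def get_assertion(self, rp_id, challenge, origin):
        if rp_id not in self._keys:
            raise KeyError("no credential for this rpId")
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True)
        sig = hmac.new(self._keys[rp_id], client_data.encode(), hashlib.sha256).hexdigest()
        return client_data, sig


def browser_get_assertion(key, origin_host, rp_id, challenge):
    """Browser: rpId must be the page's host or a parent of it; origin is the real page."""
    if not (origin_host == rp_id or origin_host.endswith("." + rp_id)):
        return None                     # browser refuses to call the authenticator
    try:
        return key.get_assertion(rp_id, challenge, f"https://{origin_host}")
    except KeyError:
        return None                     # no credential registered for that rpId


def rp_verify(rp_host, cred_secret, assertion):
    """Relying party: signature must verify AND clientData.origin must be the RP itself."""
    if assertion is None:
        return False
    client_data, sig = assertion
    expected = hmac.new(cred_secret, client_data.encode(), hashlib.sha256).hexdigest()
    origin_ok = json.loads(client_data)["origin"] == f"https://{rp_host}"
    return hmac.compare_digest(expected, sig) and origin_ok


def demo():
    """Outcomes for a direct login, a relayed rpId, and a proxy-rewritten rpId."""
    key = Authenticator()
    cred = key.register(REAL_RP)
    challenge = os.urandom(16).hex()    # issued by the real RP, relayed unchanged by the proxy
    direct = rp_verify(REAL_RP, cred, browser_get_assertion(key, REAL_RP, REAL_RP, challenge))
    relayed = rp_verify(REAL_RP, cred, browser_get_assertion(key, PROXY_HOST, REAL_RP, challenge))
    rewritten = rp_verify(REAL_RP, cred, browser_get_assertion(key, PROXY_HOST, PROXY_HOST, challenge))
    return direct, relayed, rewritten
```

Only the direct login succeeds: with the real rpId the browser refuses to sign for the proxy's origin, and with the rpId rewritten to the proxy's host the key has no credential to sign with.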

MFA Fatigue (Push Bombing)

If you have valid credentials but cannot bypass MFA via AitM, MFA Fatigue is an option. You trigger MFA push notifications repeatedly until the user approves one out of frustration or confusion.

Technique:

  1. Obtain valid username and password (from breach data, phishing, or password spraying).
  2. Attempt login, triggering an MFA push to the user’s phone.
  3. If denied, immediately try again. And again.
  4. Continue at all hours, especially 2:00 AM.
  5. Eventually, the user approves (either by accident or to stop the noise).

This technique was used in the 2022 Uber breach (Lapsus$ group) and the Cisco breach (also 2022).

Combining with Vishing: Instead of brute-forcing approvals, call the user: “Hi, this is IT Security. We’re seeing repeated authentication attempts from your account. It looks like someone is trying to access your account. To secure it, I need you to approve the next MFA prompt so we can verify it’s you and not the attacker.”
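From the defender's side, steps 2 to 5 leave an obvious pattern in authentication logs: a burst of denied or unanswered pushes for one user, sometimes followed by an approval. The following detection is an added example, not from the article; the push-outcome events are constructed, and the field layout, window and threshold are assumptions to be tuned against your own identity provider's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push outcomes: "<timestamp> <user> <result>".
SAMPLE_LOG = """\
2024-01-10T02:03:11Z alice denied
2024-01-10T02:03:40Z alice denied
2024-01-10T02:04:05Z alice timeout
2024-01-10T02:04:31Z alice denied
2024-01-10T02:05:10Z alice denied
2024-01-10T02:06:02Z alice approved
2024-01-10T09:12:00Z bob denied
2024-01-10T09:30:00Z bob approved
"""


def parse_log(text):
    """Parse lines into sorted (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def detect_push_bombing(events, threshold=4, window=timedelta(minutes=10)):
    """One alert per user whose unapproved pushes (denied/timeout) reach
    `threshold` inside any `window`; an approval within `window` after the
    burst's last push escalates the alert, because that is the likely compromise."""
    per_user = defaultdict(list)
    for ts, user, result in events:
        per_user[user].append((ts, result))
    alerts = []
    for user, evs in per_user.items():
        unapproved = [ts for ts, r in evs if r != "approved"]
        best_count, best_end, start = 0, None, 0
        for end, ts in enumerate(unapproved):         # sliding window
            while ts - unapproved[start] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_end = end - start + 1, ts
        if best_count < threshold:
            continue
        approved_after = any(r == "approved" and best_end <= ts <= best_end + window
                             for ts, r in evs)
        alerts.append({"user": user, "pushes": best_count, "burst_end": best_end,
                       "approved_after": approved_after,
                       "severity": "critical" if approved_after else "high"})
    return alerts


ALERTS = detect_push_bombing(parse_log(SAMPLE_LOG))
```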


4. Vishing: Voice Phishing

Vishing (Voice Phishing) is social engineering over the phone. It requires strong improvisational skills and nerves of steel, but it can be devastatingly effective because:

  • It’s real-time and personal.
  • The target cannot easily verify your identity.
  • Humans are conditioned to be polite on the phone.

Caller ID Spoofing

Always spoof your caller ID to match a trusted number - the corporate helpdesk, the target’s bank, or even their own company’s main line.

Tools:

  • SpoofCard and similar services.
  • VoIP providers that allow arbitrary caller ID.
  • Twilio or Vonage for programmatic calls.

The Pretext Call Framework

Opening:

  • Identify yourself with authority: “Hi, this is Mark from the IT Security team.”
  • Establish legitimacy: “I’m calling from extension 4521.”
  • Create urgency: “We’ve detected some unusual activity on your account.”

Build Rapport:

  • Empathize: “I know this is inconvenient, I’m so sorry to bother you.”
  • Share a “common enemy”: “These attackers are relentless, but we’re working hard to keep everyone safe.”

The Ask:

  • Start small: “Can you confirm your employee ID?”
  • Escalate: “I need you to verify your identity by reading me the code I’m about to send.”
  • Direct action: “Please go to this URL and log in so we can verify your session.”

Handling Objections:

  • “I don’t feel comfortable with this.” -> “I completely understand. Let me give you the helpdesk number so you can call back and verify.” (Give them a spoofed number that rings back to you.)
  • “Can I call you back?” -> “Of course! My direct line is [spoofed number]. But please call within the next 10 minutes before your account is locked for security.”

Background Audio

Professional vishers use background noise to enhance legitimacy:

  • Call center sounds
  • Keyboard typing
  • Office chatter

This can be achieved with audio loops played through a virtual audio device.


5. Smishing: SMS-Based Attacks

Smishing (SMS Phishing) is highly effective because:

  • SMS has higher open rates than email.
  • Links in SMS are harder to inspect.
  • Mobile browsers hide full URLs.

Example Smishing Messages:

  • “Package delivery failed. Reschedule: [link]”
  • “ALERT: Your bank account has been locked. Verify: [link]”
  • “Your MFA code is 123456. If you did not request this, secure your account: [link]”

Use URL shorteners (bit.ly, is.gd) or your own redirector domain to mask the actual phishing domain.


6. Physical Social Engineering

Getting inside a building is often easier than getting through a firewall. Physical social engineering (or “physical intrusion testing”) is a core component of many red team engagements.

Tailgating

Following an authorized person through a secured door. It’s surprisingly easy - people hold doors open for strangers out of politeness.

Techniques:

  • Carry a box or coffee cups (both hands full).
  • Time your approach to coincide with smokers returning from a break.
  • Arrive during shift changes or lunch when doors are busy.

Pretexting as a Vendor

A high-visibility vest, a clipboard, and a confident demeanor make you invisible. Popular pretexts:

  • IT Support: “I’m here to fix the printer on the 3rd floor.”
  • Fire Inspector: Clipboard, vest, and a flashlight.
  • HVAC Technician: “We got a work order about the AC.”
  • Delivery Person: Carry a large box with a fake shipping label.

Badge Cloning

RFID access badges can often be cloned using devices like the Proxmark3 or Flipper Zero.

Process:

  1. Get close to an employee’s badge (elevator, cafeteria).
  2. Covertly read the badge with a hidden reader.
  3. Clone the data to a blank card.
  4. Walk through the front door.

Many legacy access control systems use unencrypted protocols (like HID 125kHz) that are trivially cloneable. Modern systems use encrypted protocols (iClass SE, SEOS), which are harder but not impossible.

Baiting

Leaving infected USB drives in the parking lot, lobby, or break room. Curious employees plug them in, executing your payload. The USB can be labeled with enticing text: “Confidential - Q4 Bonus Report.”

Tools like USB Rubber Ducky or Bash Bunny automate the payload delivery.


7. The Social Engineering Toolkit (SET)

The Social Engineering Toolkit (SET) by TrustedSec is a Python-based framework that automates many social engineering attacks.

# Clone and install
git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd social-engineer-toolkit
pip install -r requirements.txt
python setoolkit

Key Features:

  • Website cloning for credential harvesting
  • Spear-phishing attack vectors
  • Infectious media generator (USB payloads)
  • SMS spoofing (through Twilio)
  • PowerShell attack vectors

8. Real-World Case Studies

The Twitter Hack (2020)

Attackers used vishing to target Twitter employees working remotely during COVID-19. By impersonating IT support and leveraging real employee information gathered via OSINT, they obtained credentials to internal admin tools. The result: takeover of high-profile accounts (Barack Obama, Elon Musk, Apple) for a Bitcoin scam.

Lessons:

  • Remote work environments increase vishing vulnerability.
  • Internal tools should have separate MFA from corporate accounts.

The Uber Breach (2022)

The Lapsus$ group obtained an Uber contractor’s credentials (likely from the dark web). They then used MFA fatigue, sending repeated push notifications for over an hour. When the contractor finally approved (reportedly after the attacker contacted them on WhatsApp, posing as IT), the attackers gained access. They then found hardcoded credentials in PowerShell scripts, leading to AWS, Google Workspace, and other critical systems.

Lessons:

  • MFA fatigue is a real threat.
  • Hardcoded credentials are a gift to attackers.

The RSA Breach (2011)

Attackers sent phishing emails with the subject “2011 Recruitment Plan” to RSA employees. An Excel spreadsheet exploited a zero-day Flash vulnerability, installing a backdoor. The attackers exfiltrated data related to SecurID, RSA’s flagship MFA product. This data was later used in attacks against defense contractors.

Lessons:

  • Spear phishing can bypass technical controls.
  • A breach at one company can enable attacks on others.

9. Reporting and Ethics

Professional Reporting

Social engineering findings require sensitive handling in reports:

  • Do not name or shame individual employees.
  • Focus on systemic issues, not personal failures.
  • Provide statistics (e.g., “23% of recipients clicked the link”) rather than individual lists.
  • Recommend training and process improvements.

Ethical Considerations

  • Informed Consent: The organization must authorize the engagement. Individual employees do not consent, which creates ethical complexity.
  • Proportionality: The pretext should be realistic but not traumatizing. Avoid pretexts involving death, illness, or personal tragedy.
  • Debriefing: Consider whether employees will be debriefed on the campaign. If so, do it with empathy.
  • Legal Boundaries: Understand laws around caller ID spoofing, email spoofing, and unauthorized access in your jurisdiction.

10. Defenses Against Social Engineering

Understanding attacks helps us build defenses:

  • Security Awareness Training: Regular, engaging training with simulated phishing.
  • Phishing Reporting Mechanisms: Make it easy for employees to report suspicious emails.
  • MFA Hardening: Use phishing-resistant MFA (FIDO2/WebAuthn) instead of push notifications.
  • Email Security: Implement DMARC, SPF, and DKIM; use email filtering with sandbox analysis.
  • Verification Procedures: Require out-of-band verification for sensitive requests (e.g., wire transfers).
  • Physical Security: Enforce badge-in policies, eliminate tailgating, use camera surveillance.
  • Zero Trust: Assume compromise and verify continuously.

Conclusion

Social engineering is not about “tricking” people; it’s about understanding the human operating system. By combining psychological principles with high-quality OSINT and modern technical tools like Evilginx2, a red teamer can bypass the most expensive technical controls in the world. The human element is both the greatest vulnerability and the greatest potential asset in any security program.

As always, remember that we do this to help organizations get stronger. Respect your targets (the employees are not the enemy - poor security culture is), keep the pretext professional, and always debrief with empathy.

Happy hunting!

