Hacking the Human: A Red Teamer's Guide to Social Engineering

The “users are the weakest link” framing is the most exhausting cliché in security, and like most exhausting clichés it’s about 70% true. Verizon’s 2024 DBIR put the human element in 68% of breaches, down from 74% the year before. The drop is methodological — they excluded malicious insiders from the new calculation; on the new method, last year’s equivalent figure was 64%, so human involvement actually ticked up slightly. Phishing, pretexting, and stolen credentials remain the dominant initial-access vectors for everything from ransomware to nation-state ops. As a red teamer, this is also where you spend a lot of your time, because it works.

What this post tries to do is treat social engineering as a craft rather than a gimmick. Cialdini’s persuasion principles are real but they’re applied tools, not party tricks. OSINT is the boring 80% of the work that makes the call sound legitimate. AitM phishing is the current state of the art against MFA-protected accounts, and MFA fatigue is what you fall back on when AitM doesn’t fit the engagement. None of this is about “tricking” people in a malicious sense — it’s about demonstrating, in writing, the gap between an organization’s security policy and how the organization actually behaves under pressure.


The persuasion principles you’ll actually use

Robert Cialdini’s Influence: The Psychology of Persuasion (1984) is the foundational text. He identified six principles there; a seventh (“unity”) came in his 2016 follow-up Pre-Suasion and was folded into the 2021 expanded edition of Influence. The six that matter for pretexting work are reciprocity, commitment and consistency, social proof, authority, liking, and scarcity. They’re not magic — they’re cognitive shortcuts that people use because thinking carefully about every interaction is exhausting and most of the time the shortcut works fine. A pretext exploits the shortcut.

A few of these come up constantly in social engineering work.

Authority

People defer to people who appear to be in charge or to have expertise. In a corporate environment, “IT Security” or “the CFO’s office” is enough authority for most employees to comply without verifying. The classic pretext opener is some version of “Hi, this is David from IT Security. We’ve detected some unusual sign-in activity on your account and I need to verify a few things with you.”

This works on new hires especially well. They’re still building their model of who’s allowed to ask them for what.

Scarcity and urgency

Time pressure shuts off the slow, deliberate part of cognition and leaves you with the fast, intuitive part. “Your account will be suspended in 24 hours if you don’t verify your information now” is the cheap version. The expensive version is to attach the urgency to something specific the target actually cares about — a payroll deadline, a board meeting, a customer escalation — which is why pretexting starts with OSINT.

(Cialdini lists scarcity as a single principle. The urgency framing most security training conflates with it is really the time-pressure cousin: limited-time-only versus limited-supply.)

Commitment and consistency

Once someone says yes to a small thing, they’re psychologically biased to say yes to a slightly larger thing that follows. This is the “foot in the door” pattern. A vishing call that opens with “Hi, can you confirm your department for me real quick?” gets a yes the target doesn’t even register as a commitment, and that yes makes the next ask easier to grant. The full pretext might run fifteen escalating asks, each one only slightly bigger than the last.

Liking

People comply more readily with people they like, and we like people who seem similar to us, who compliment us, or with whom we share an in-group. A pretext that opens with “I saw on LinkedIn you went to State too — go Wildcats” before getting to the ask is exploiting this directly. The “similarity” bit is also why a phishing email pretending to be from a peer in another department lands harder than one pretending to be from the CEO.

Reciprocity

When someone does something for you, you feel obligated to return the favor — even if you didn’t ask for the favor and it cost the giver nothing. A pretext call that opens with “I noticed your password is about to expire so I went ahead and extended the grace period for you. Hey, while I’ve got you, could you help me with…” is loaded with manufactured reciprocity.

Social proof

If everyone else is doing it, it must be okay. This is the one most red teams underuse. A phishing email that says “your colleagues in Finance have already completed the new compliance training, please complete yours today” is using social proof. So is a vishing pretext where the visher mentions other employees by name who supposedly already verified their identities.

Cognitive biases worth knowing

A handful of biases come up alongside the persuasion principles:

  • Trust bias — people default to trusting until they have a reason not to. The reason is rarely surfaced.
  • Optimism bias — “it won’t happen to me,” and especially “it won’t happen to me because I would totally catch a phishing email.”
  • Halo effect — competence in one observable area gets extended to all areas. A confident voice on the phone reads as competent, which reads as legitimate.
  • Confirmation bias — once a target has decided the call is legitimate, they reinterpret subsequent weirdness in ways that fit that decision.

These are not exotic. They’re the same biases that make people stay in bad relationships and overrate their own driving. The point is that they’re load-bearing for every real social engineering attack.


OSINT: the boring part that decides everything

A pretext call that gets caught in the first thirty seconds is a pretext that didn’t do enough reconnaissance. OSINT is where the actual work lives, and it determines whether the rest of the engagement is plausible or laughable.

Corporate intelligence

LinkedIn is the single most useful tool. The org chart, who reports to whom, who’s new, who recently left, what technologies people list as skills — all of this is right there, for free, with the company’s blessing. The new-hire angle is especially valuable: a person three weeks into a job is unlikely to know the IT helpdesk by voice and is desperate not to get anything wrong on their first onboarding-related interaction. Recently departed employees are an option too, both as an impersonation target and as a reason to call their old team.

Job postings are an intelligence channel that most companies don’t think about. “Must have experience with CrowdStrike” tells you the EDR. “Familiarity with Pulse Secure VPN required” tells you the VPN appliance. “Microsoft 365 administration experience” tells you the email platform. A careful read through three months of job postings can give you a fairly complete picture of an organization’s tech stack.

Press releases, the “meet the team” page, investor relations decks, the support knowledge base — all of these are public, and all of them feed into a believable pretext.

Individual intelligence

Social media is the personal-life half. Facebook and Instagram for family, hobbies, and vacation schedules. Twitter or X for professional opinions, conference attendance, and the occasional unguarded complaint about work. Reddit can be gold because people ask technical questions there and post error messages that reveal software versions.

Data-breach repositories — HaveIBeenPwned for confirmations, DeHashed and Intelligence X if you have valid legal authorization to query historical credentials — show password patterns and reused credentials. If a target’s personal password from a 2017 breach was Fluffy2020!, their current work password is plausibly Company2024!. Password reuse and predictable rotation patterns are still endemic.

Technical reconnaissance

The email infrastructure is worth a few minutes:

dig MX target.com               # mail servers
dig TXT target.com              # SPF
dig TXT _dmarc.target.com       # DMARC
dig TXT default._domainkey.target.com  # DKIM (selector varies)

A p=none DMARC policy tells receiving servers to take no action on mail that fails DMARC, so a message spoofed from their domain is delivered normally; at most it shows up in an aggregate report. A p=quarantine is meaningfully better (failing mail goes to spam). A p=reject with strict alignment is the only one that actually stops a from-the-domain spoof. You’d be surprised how many large organizations are still at p=none.
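To make the p=none / p=quarantine / p=reject distinction concrete from the defender's side, here is an added example (not the author's tooling) that scores a domain's anti-spoofing posture from its SPF and DMARC TXT records. The four domains and their records are constructed so it runs offline; in practice you would paste in the output of the dig commands above. The point weights are an assumption of this example, not a standard.

```python
"""Score a domain's anti-spoofing posture from its SPF and DMARC TXT records.

Added example for this post, not the author's tooling. The records below are
constructed samples so the script runs offline; in practice you would feed it
the output of `dig TXT <domain>` and `dig TXT _dmarc.<domain>`. The scoring
weights are an assumption of this example, not a standard.
"""
import re

# Constructed sample records for four fictional domains.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "medium.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=50; adkim=r; aspf=r",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:203.0.113.0/24 -all",
        "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
    },
    "none.example": {"spf": None, "dmarc": None},
}


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(spf):
    """Qualifier on the terminal 'all' mechanism: '-', '~', '?', '+' or None if absent."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf, re.IGNORECASE)
    if not match:
        return None
    return match.group(1) or "+"      # a bare 'all' means '+all' (pass everything)


def assess(spf, dmarc):
    """Return (score, findings). Higher score means a from-the-domain spoof is harder."""
    findings, score = [], 0

    qualifier = spf_all_qualifier(spf)
    if spf is None:
        findings.append("no SPF record")
    elif qualifier == "-":
        score += 1
    elif qualifier == "~":
        findings.append("SPF ends in ~all (softfail): on its own this only tags mail")
    else:
        findings.append(f"SPF 'all' qualifier is {qualifier!r}: effectively no restriction")

    if dmarc is None:
        findings.append("no DMARC record: receivers take no action on spoofed From: headers")
        return score, findings

    tags = parse_tags(dmarc)
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject":
        score += 3
    elif policy == "quarantine":
        score += 2
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    else:
        findings.append("p=none: monitor-only, spoofed mail is delivered normally")
    if pct < 100:
        score -= 1
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("adkim", "r").lower() == "s" and tags.get("aspf", "r").lower() == "s":
        score += 1
    else:
        findings.append("relaxed alignment: any subdomain of the organisational domain still aligns")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports on who is spoofing you go nowhere")
    return score, findings


def assess_sample(domain: str):
    """Assess one of the constructed sample domains."""
    record = SAMPLE_RECORDS[domain]
    return assess(record["spf"], record["dmarc"])
```

Run it over all four samples and `strong.example` is the only one that comes back with an empty findings list; `medium.example` loses a point for `pct=50`, which is the half-enforced state a lot of real domains sit in for years.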

Subdomain enumeration finds portals, VPN gateways, dev environments, and old marketing sites:

subfinder -d target.com
amass enum -passive -d target.com

The dev environments and old marketing sites are usually the weak side of the perimeter.


Phishing

Phishing is still the highest-volume social engineering vector by an order of magnitude. The interesting variants are the ones that bypass MFA, which is the rest of this section. Generic credential harvesters that just ask for a password are mostly a 2014 problem.

The taxonomy

  • Bulk phishing: a wide cast, low effort, low success rate per email but enormous volume.
  • Spear phishing: aimed at a specific person or role, with a pretext built from OSINT. Much higher success rate.
  • Whaling: spear phishing aimed at executives. Same techniques, higher reward, often more scrutiny on the way in.
  • Clone phishing: copy a legitimate email the target has already received and replace the link or attachment.
  • Business Email Compromise (BEC): impersonate an executive to authorize a wire transfer or data exfil. The most expensive variant in dollar terms; the FBI’s IC3 puts annual BEC losses in the multi-billion range.

Anatomy of the email itself

Five elements:

  1. Sender — a spoofed domain (if DMARC allows it), a typosquat (rnicrosoft.com for microsoft.com), or a freshly registered lookalike domain. Domain age and reputation matter for deliverability.
  2. Subject — urgency or relevance. “Action required: Payroll” or “Re: your earlier message about Q4” if you can fake a reply.
  3. Body — a narrative that justifies the call to action. This is where OSINT does most of its work.
  4. Call to action — click, open, reply. One per email.
  5. Footer — corporate branding, legal disclaimers, the right unsubscribe link. Most phishing emails get caught by missing footers.
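The sender element above (a typosquat like rnicrosoft.com, or a freshly registered lookalike) is also the element a mail gateway can catch mechanically. The following is an added example of that detection, not the author's code and not any product's logic: it folds common confusable substitutions, then compares the sender's registrable domain against a protected list by edit distance. The protected list, the confusable table and the sample senders are constructed, and the registrable-domain helper is deliberately crude (last two labels); production code should use the Public Suffix List.

```python
"""Flag sender domains that look like a protected brand domain (typosquats, homoglyphs).

Added example for this post, not the author's tooling or any product's logic. The
protected-domain list, confusable table and sample senders are constructed. The
registrable-domain helper is deliberately crude (last two labels); production code
should use the Public Suffix List.
"""
import unicodedata

PROTECTED = ["microsoft.com", "example-corp.com"]

# Character sequences commonly substituted in lookalike registrations.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Fold a domain into a canonical ASCII form so visually similar variants collide.
    Non-ASCII characters (e.g. a Cyrillic 'о') are dropped, which still leaves a
    near-miss that the edit-distance check catches."""
    d = domain.lower().strip().rstrip(".")
    d = unicodedata.normalize("NFKD", d).encode("ascii", "ignore").decode()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Crude eTLD+1: the last two labels (assumption: no multi-label public suffixes)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify_sender(sender_domain: str, protected=PROTECTED, max_dist: int = 1):
    """Return (verdict, matched) where verdict is 'legit', 'lookalike' or 'unrelated'."""
    base = registrable(sender_domain)
    if base in protected:
        return "legit", base                    # exact registrable-domain match
    norm = normalize(base)
    for p in protected:
        pn = normalize(p)
        if norm == pn or levenshtein(norm, pn) <= max_dist:
            return "lookalike", p               # rnicrosoft.com, micros0ft.com, microsft.com
        if pn.split(".")[0] in norm.split(".")[0]:
            return "lookalike", p               # microsoft-login.com, secure-microsoft.com
    return "unrelated", None


def triage(senders):
    """Map each sender domain to its verdict (constructed input list in the test)."""
    return {s: classify_sender(s)[0] for s in senders}
```

A verdict of `lookalike` is a routing decision, not a block: send the message to quarantine or tag it with a banner, and let domain age and reputation (which the post notes attackers also care about) decide the rest.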

Infrastructure with GoPhish

GoPhish is the standard open-source framework for managing phishing campaigns. Campaign templates, tracked landing pages, real-time open/click/submit telemetry, and the kind of reporting that actually lets you write up findings.

wget https://github.com/gophish/gophish/releases/latest/download/gophish-linux-64bit.zip
unzip gophish-linux-64bit.zip
./gophish

GoPhish on its own is fine for credential harvesting against unprotected accounts. Against MFA you need AitM.

Adversary-in-the-Middle (AitM)

MFA killed traditional credential phishing. AitM is the current answer. Instead of capturing a username and password and trying to log in later, you stand up a reverse proxy that sits between the user and the real authentication endpoint, forwards every request, and steals the resulting authenticated session cookie.

The flow:

  1. User clicks your phishing link, which points at your AitM proxy.
  2. Your proxy fetches the real Microsoft 365 / Okta / Google login page and serves it to the user.
  3. User types their credentials. Your proxy captures them and forwards them upstream.
  4. The real service issues an MFA challenge. The user satisfies it (push, TOTP, SMS, whatever).
  5. The real service issues a session cookie. Your proxy captures the cookie, drops it into your storage, and lets the user proceed to the real app.
  6. You replay the session cookie from your own browser. The real service treats you as the user. MFA is not re-prompted because the session already proved it.

The tools that do this:

  • Evilginx2 — the reference implementation. Kuba Gretzky has been maintaining it since 2018.
  • Muraena — modular alternative.
  • Modlishka — older but still used.
  • EvilnoVNC — runs a headless browser inside the proxy so the captured “cookie” is a full browser session.

An Evilginx2 starter session:

sudo ./evilginx2
config domain yourdomain.com
config ipv4 <your_server_ip>
phishlets hostname o365 login.yourdomain.com
phishlets enable o365
lures create o365
lures get-url 0

Warning: AitM attacks against real users without authorization are illegal in most jurisdictions and unambiguously unethical. The only place this belongs is inside a properly scoped, signed engagement.

The defensive answer to AitM is phishing-resistant MFA — FIDO2/WebAuthn hardware keys, where the cryptographic challenge is bound to the legitimate origin. A FIDO2 key will simply refuse to authenticate to your AitM proxy because the origin is wrong. This is why “go buy YubiKeys” is in every modern hardening recommendation; nothing else actually solves the problem.
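To show exactly where the proxy loses, here is an added example (not the author's code, and not a WebAuthn library's API) of the checks a relying party runs on a FIDO2 assertion. The browser, not the page, writes the `origin` field into clientDataJSON, and the authenticator signs a hash of that JSON together with authenticatorData (which carries SHA-256 of the RP ID). A proxy serving the login page from its own host therefore hands the relying party an assertion whose origin is wrong, and it cannot edit it without breaking the signature. The RP ID, allowed origin, and proxy hostname are constructed; the final public-key signature check is left out because it needs a key pair and changes nothing about the origin logic.

```python
"""Why a FIDO2/WebAuthn assertion fails at an AitM proxy: the relying party's checks.

Added example for this post, not the author's code and not a library's API. It
implements the origin, challenge, RP-ID-hash, flag and counter checks a relying
party (RP) performs on an assertion, with a constructed clientDataJSON and
authenticatorData. The final step, verifying the signature over
authenticatorData || SHA-256(clientDataJSON) with the stored public key, is
omitted because it needs a key pair; it changes nothing about the origin logic.
"""
import base64
import hashlib
import json
import os
import struct

RP_ID = "example.com"                            # constructed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # constructed legitimate origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """clientDataJSON as the *browser* builds it. The browser, not the page,
    fills in `origin` from where the script actually runs, which is why a proxy
    serving the login page from its own host ends up with the wrong origin here."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, counter: int,
                            user_present: bool = True, user_verified: bool = True) -> bytes:
    """authenticatorData layout: SHA-256(rpId) (32 bytes) | flags (1) | counter (4, big-endian)."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, last_counter: int):
    """RP-side checks. Returns (ok, reason)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected clientData type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch: stale or replayed assertion"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the legitimate site"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential was exercised for a different RP ID"
    flags = authenticator_data[32]
    if not flags & 0x01:
        return False, "user-presence flag not set"
    counter = struct.unpack(">I", authenticator_data[33:37])[0]
    if counter != 0 and counter <= last_counter:
        return False, "signature counter did not increase: possible cloned authenticator"
    signed_payload = authenticator_data + hashlib.sha256(client_data_json).digest()
    # Signature check over signed_payload with the registered public key goes here.
    return True, f"ok ({len(signed_payload)} signed bytes bind origin and rpId)"


def demo():
    """Legitimate login vs. the same authenticator exercised through a proxy host."""
    challenge = os.urandom(32)
    auth_data = make_authenticator_data(RP_ID, counter=6)
    legit = verify_assertion(make_client_data(challenge, "https://login.example.com"),
                             auth_data, challenge, last_counter=5)
    # Constructed proxy origin; the browser records it because that is where the page came from.
    proxied = verify_assertion(make_client_data(challenge, "https://login.proxy-host.example"),
                               auth_data, challenge, last_counter=5)
    return legit, proxied
```

In a real browser the failure happens even earlier: a page on the proxy's host is not allowed to request an RP ID it does not own, so the authenticator is never asked for the `example.com` credential at all. The RP-side check is the backstop for everything else.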

MFA fatigue

When you already have valid credentials (from a breach dump, a previous phishing campaign, or password spraying) and the target is on push-notification MFA, you can sometimes get in by being annoying. Trigger the push, get denied, trigger another, get denied, keep going. Eventually the target taps approve to make their phone stop buzzing.

This worked in the 2022 Uber breach (the attacker pushed for over an hour and then DM’d the contractor on WhatsApp pretending to be IT). It worked in the 2022 Cisco breach too. It’s also why most MFA providers have rolled out number matching — the user has to type a number from the login screen into the app, which makes accidental approval much harder.

The combined-with-vishing version is more effective than the raw push spam: “Hi, this is IT Security, we’re seeing repeated auth attempts on your account, someone’s trying to break in. To verify it’s you and lock them out, please approve the next prompt.” This is a clean exploit of the authority and urgency principles, with the social-engineering layer doing the work the technical push-spam couldn’t.
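The push-bombing pattern is loud in the MFA provider's logs, which makes it one of the easier social-engineering steps to detect. The following is an added example (not the author's tooling, and not any vendor's log format) that runs simple detection logic over constructed push-MFA events: a burst of denied or timed-out prompts for one user is a medium alert, and an approval arriving while the burst is in progress is the high-severity case the post describes. The CSV layout, the three-prompt threshold and the ten-minute window are assumptions of the example.

```python
"""Detect MFA-fatigue (push bombing) patterns in push-authentication logs.

Added example for this post, not the author's tooling and not any MFA vendor's
log format. The events below are constructed; the CSV shape
(timestamp,user,result,source_ip), the 3-prompt threshold and the 10-minute
window are assumptions of this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA events, one per line.
SAMPLE_LOG = """\
2024-05-06T08:00:05Z,alice,denied,198.51.100.7
2024-05-06T08:00:41Z,alice,denied,198.51.100.7
2024-05-06T08:01:20Z,alice,timeout,198.51.100.7
2024-05-06T08:02:02Z,alice,denied,198.51.100.7
2024-05-06T08:02:55Z,alice,denied,198.51.100.7
2024-05-06T08:04:10Z,alice,approved,198.51.100.7
2024-05-06T08:10:00Z,bob,approved,203.0.113.20
2024-05-06T08:15:00Z,carol,denied,203.0.113.21
2024-05-06T08:16:30Z,carol,approved,203.0.113.21
"""


def parse_events(log_text: str):
    """Parse CSV lines into (timestamp, user, result, source_ip) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip))
    return sorted(events)


def detect_push_fatigue(events, threshold: int = 3, window: timedelta = timedelta(minutes=10)):
    """Return alerts as (user, severity, detail).

    medium: `threshold` or more unapproved prompts for one user inside `window`
            (someone holds the password and is hammering the push).
    high:   an approval arrives while such a burst is in progress, the pattern
            the post describes; the right response is to revoke the session
            and reach the user through a known-good channel.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of unapproved prompts in window
    already_flagged = set()
    for ts, user, result, ip in events:
        pending = recent[user]
        while pending and ts - pending[0] > window:
            pending.popleft()
        if result in ("denied", "timeout"):
            pending.append(ts)
            if len(pending) >= threshold and user not in already_flagged:
                already_flagged.add(user)
                alerts.append((user, "medium",
                               f"{len(pending)} unapproved push prompts within {window} from {ip}"))
        elif result == "approved":
            if len(pending) >= threshold:
                alerts.append((user, "high",
                               f"approval after {len(pending)} rejected prompts from {ip}: "
                               "probable MFA fatigue, revoke session and verify out of band"))
            pending.clear()
            already_flagged.discard(user)
    return alerts
```

On the constructed log only alice trips both alerts; carol's single denial followed by an approval is the normal fat-finger case and stays quiet. Number matching, as the post notes, removes most of the high-severity branch at the source, but the medium alert is still worth keeping because it tells you a password is already in someone else's hands.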


Vishing

Phone-based pretexting. Higher skill ceiling than email phishing because you’re improvising in real time, but the success rate when you’re good is significantly higher because phones are more trusted than email and the target has less time to think.

Caller ID

Spoofing caller ID is straightforward through VoIP providers — Twilio, Telnyx, Vonage all let you set the outbound caller ID, and dedicated services like SpoofCard wrap that in a simpler interface. Spoof to the corporate helpdesk number, the target’s bank’s main line, or the company’s published main number. Most people verify legitimacy by looking at the caller ID and stopping there.

Worth noting: the FCC’s STIR/SHAKEN framework is gradually making spoofing harder on US carriers. As of 2024, calls flagged as unverified are increasingly being labeled “Spam Likely” on the receiving phone. This is improving but it’s still trivial to evade in practice, especially through smaller VoIP providers.

The pretext call

A useful four-part structure:

Open with authority and a specific reason. “Hi, this is Mark from IT Security, extension 4521. We’ve flagged some unusual sign-in activity on your account in the last hour and I need to verify a few things with you to make sure we don’t lock you out.” The extension number is fabricated but it sounds real.

Build rapport. “I know this is a pain, sorry to bother you on a Friday.” Establish a common enemy: “These phishing attempts have been brutal this quarter, we’ve been chasing tail all week.”

Escalate the asks. Confirm employee ID. Confirm department. Confirm the last URL they logged into. Then the real ask: “I’m going to send you a verification code, can you read it back to me when it arrives?” or “I need you to log into this URL so I can check your session.”

Handle objections in stride. “I’m not comfortable with this.” → “Completely fair, I’d hesitate too. Here’s the helpdesk callback number, please call back to verify.” Then give them a spoofed number that rings to you. “Can I call you back?” → “Of course, my direct line is X, but please call back within ten minutes before the account auto-locks.”

Background audio

Real call centers are loud. A silent line during a vishing call reads as wrong before the target consciously notices why. Loop call-center audio at low volume through a virtual audio device. Keyboard typing helps too — humans use that as a strong signal of “actually doing work at a desk.” VoiceMeeter on Windows and BlackHole on macOS are the usual tools for routing this through your call client.


Smishing

SMS phishing. Higher open rates than email (north of 90%), much shorter formats that don’t give the user time to think, and the URL inspection on mobile browsers is poor enough that most users can’t see where a link actually points before they tap it.

Common templates:

  • “USPS: Your package is held at our facility. Reschedule delivery: [link]”
  • “Your Wells Fargo account has been temporarily locked. Verify: [link]”
  • “Your verification code is 482917. If you did not request this, secure your account: [link]”

The third one is especially insidious because it leverages a code the user actually did request from a real service (because you tried to log in as them), and the “secure your account” link goes to your AitM proxy.

Link shorteners (bit.ly, t.co) and your own redirector domains hide the real phishing host. Most smishing campaigns burn domains fast, so spend accordingly.


Physical social engineering

Getting into a building is, against most organizations, easier than getting through their firewall. Physical pen testing is a real specialty, and the techniques that work tend to be unglamorous.

Tailgating

Following an authorized person through a badge-controlled door, usually because they hold it for you. People hold doors. It is socially excruciating not to. Carry two coffee cups, or a box, or a stack of papers, and the probability that someone holds the door for you climbs above 90%.

Time the entry. Shift change, lunch return, smoker-break return, Monday morning — the door cycles fast enough that nobody notices an extra body. Avoid the empty-building moments when one person walking in with another is highly visible.

Vendor pretexts

A high-visibility vest, a clipboard, and confident body language render you administratively invisible. Common pretexts:

  • IT support — “I’m here to fix the printer on three.” Carry a toner cartridge.
  • Fire inspector — clipboard, vest, flashlight, slightly bored expression.
  • HVAC — work order printed on letterhead, toolbox.
  • Delivery — large box with a real-looking shipping label, ideally for an executive.

The pretext that works best in your specific target environment is the one that matches a vendor they actually use. OSINT again.

Badge cloning

RFID access badges using legacy 125 kHz formats (HID Prox, Indala, EM4100) have no cryptography. A Proxmark3 or Flipper Zero held within a few inches of a badge reads it; the same device writes the data to a blank card; you walk through the door. The reading range is short but not impossibly so — six to twelve inches is enough for an elevator brush-past.

Modern formats (HID iCLASS SE, SEOS, MIFARE DESFire EV2) use challenge-response cryptography and aren’t cloneable the same way. They’re not unbreakable — there have been research attacks against iCLASS — but they’re significantly harder. The interesting fact about most organizations is that they have a mix: the legacy readers are still installed on some doors because nobody finished the migration.

Baiting

Drop a USB drive in the parking lot, the cafeteria, or the lobby with a label that creates curiosity (“Q4 Bonus Allocation - Confidential,” “Severance Packages”) and wait for someone to plug it in. The payload is delivered through a USB HID gadget like the Rubber Ducky or Bash Bunny that emulates a keyboard and types out a PowerShell stager.

Baiting hit rates have declined since organizations started training people not to plug in unknown USBs, but they’re still nonzero, and the 2016 University of Illinois study found that ~45% of dropped drives were plugged in.


The Social Engineer Toolkit (SET)

Dave Kennedy’s SET is a Python framework that automates the mechanical parts of common social engineering attacks — credential-harvesting page cloning, infectious-media generation, PowerShell payload delivery, SMS spoofing through Twilio.

git clone https://github.com/trustedsec/social-engineer-toolkit.git
cd social-engineer-toolkit
pip install -r requirements.txt
python setoolkit

SET is most useful for the “I need a credential harvester page for an internal phishing test by Friday” version of the problem. For serious AitM work, Evilginx2 is the better tool. SET’s value is the breadth of integrations and the speed of getting something running.


Case studies worth knowing

The Twitter hack (July 2020)

Graham Ivan Clark, 17, from Tampa, and two associates (22 and 19) used vishing against Twitter support employees working remotely under COVID conditions. They impersonated IT staff, leveraged real employee names harvested from LinkedIn, and walked targets through a process that surrendered credentials to Twitter’s internal admin tooling. The end result was account takeover of Obama, Musk, Apple, Uber, and others, used for a Bitcoin scam that netted about $117,000 across 415 transfers.

The lesson most people took from this was about MFA and access controls, but the operational lesson is that vishing against a stressed, remote workforce with an unfamiliar IT process scales terrifyingly well.

The Uber breach (September 2022)

An attacker affiliated with Lapsus$ (handle “teapotuberhacker,” reportedly 18) obtained valid credentials for an Uber EXT contractor, likely from a malware infostealer log sold on the dark web, then used MFA fatigue. Push notifications fired for over an hour. When that didn’t work, the attacker pivoted to WhatsApp, contacted the contractor directly posing as Uber IT, and asked them to approve the next push. They did. After the session, lateral movement turned up a PowerShell script on an internal share with hardcoded admin credentials for Uber’s Thycotic PAM vault. Compromising the vault — the load-bearing link in the chain — yielded secrets for AWS, Google Workspace, vSphere, Duo, OneLogin, Slack, and SentinelOne.

This is the canonical MFA-fatigue-plus-vishing case study. Number matching on MFA prompts is the direct mitigation against the fatigue half; centralized secrets in a PAM vault without sufficient access controls around the vault itself is the other lesson. Phishing-resistant MFA on the contractor account, plus least-privilege on the PAM admin, would have stopped the chain.

The RSA breach (March 2011)

Two small groups inside RSA received spear-phishing emails with the subject “2011 Recruitment Plan” and an Excel attachment. The Excel file embedded a Flash zero-day (CVE-2011-0609). At least one recipient pulled the email out of their spam folder and opened it. The attackers exfiltrated SecurID seed data, which they then used in subsequent attacks against US defense contractors, most prominently Lockheed Martin.

The lesson at the time was about zero-day risk. The lesson in retrospect is about the cascading impact of a breach at a security vendor — RSA’s compromise enabled compromises elsewhere because their product depended on a shared secret.


Reporting

Social engineering findings are politically sensitive in ways that technical findings aren’t. A report that says “Janet in accounting clicked the phishing link” creates a Janet problem rather than a security-program problem, and Janet will not be the person who fixes anything.

A few rules I try to keep:

  • Do not name individual employees. Roles and departments are fine. “Three of seven Finance staff clicked the link; one entered credentials” is the right granularity.
  • Report rates as percentages with the denominator. “23% of 87 recipients clicked” is informative; “23% clicked” without context lets the reader fill in their own assumptions.
  • Recommend systemic improvements. Training is part of the answer but rarely the whole answer; process and tooling changes (DMARC enforcement, phishing-resistant MFA, helpdesk callback verification policy) are usually more important.
  • Acknowledge what the organization is doing well. If 80% of recipients didn’t click, that 80% is also data.
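The first two rules (no names, rates with denominators) are easy to state and easy to lose when a spreadsheet of per-recipient results goes straight into a report. Here is an added example, not the author's tooling, that turns constructed per-recipient results into department-level figures that always carry the denominator, drop names at the first step, and fold departments too small to hide an individual into an "Other" bucket. The minimum group size of three is an assumption of the example.

```python
"""Aggregate per-recipient phishing-simulation results into a report that names no one.

Added example for the Reporting section of this post, not the author's tooling.
The per-recipient results are constructed; the minimum group size is an assumption.
"""
from collections import defaultdict

# Constructed per-recipient results: (name, department, clicked, submitted_creds, reported)
RAW_RESULTS = [
    ("J. Doe", "Finance", True, True, False),
    ("A. Roe", "Finance", True, False, False),
    ("B. Poe", "Finance", True, False, True),
    ("C. Coe", "Finance", False, False, True),
    ("D. Loe", "Finance", False, False, False),
    ("E. Moe", "Finance", False, False, False),
    ("F. Noe", "Finance", False, False, True),
    ("G. Hoe", "Engineering", False, False, True),
    ("H. Joe", "Engineering", True, False, False),
    ("I. Koe", "Engineering", False, False, True),
    ("K. Boe", "HR", False, False, False),
    ("L. Voe", "HR", False, False, True),
]


def aggregate(results, min_group: int = 3):
    """Return {department: counts}. Names are discarded on the first pass; departments
    with fewer than `min_group` recipients are folded into 'Other' so that a rate
    cannot be traced back to one person."""
    groups = defaultdict(list)
    for _name, dept, clicked, submitted, reported in results:
        groups[dept].append((clicked, submitted, reported))    # the name stops here
    folded = defaultdict(list)
    for dept, rows in groups.items():
        folded[dept if len(rows) >= min_group else "Other"].extend(rows)
    stats = {}
    for dept, rows in folded.items():
        stats[dept] = {
            "recipients": len(rows),
            "clicked": sum(r[0] for r in rows),
            "submitted": sum(r[1] for r in rows),
            "reported": sum(r[2] for r in rows),
        }
    return stats


def rate(count: int, n: int) -> str:
    """Always carry the denominator: '3 of 7 (43%)' rather than '43%'."""
    return f"{count} of {n} ({round(100 * count / n)}%)" if n else "n/a"


def render(stats) -> str:
    """One line per department, including the did-not-click figure as positive data."""
    lines = []
    for dept in sorted(stats):
        s = stats[dept]
        n = s["recipients"]
        lines.append(f"{dept}: clicked {rate(s['clicked'], n)}; "
                     f"entered credentials {rate(s['submitted'], n)}; "
                     f"reported {rate(s['reported'], n)}; "
                     f"did not click {rate(n - s['clicked'], n)}")
    return "\n".join(lines)
```

With the constructed data, the Finance line reads exactly like the post's example ("3 of 7 (43%)" clicked, "1 of 7" entered credentials), HR disappears into "Other", and no recipient name survives into the rendered output. Report rates are carried through as well, since the people who reported the email are the finding the organization most wants to hear about.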

Ethics

The org consents to the engagement. Individual employees do not consent to being targeted, which is the ethically uncomfortable part of this work. A few standards worth keeping:

  • The pretext should be realistic but not personally distressing. Avoid pretexts that involve a family member’s death, a serious illness, or anything legally compelled.
  • Avoid pretexts that put the target in a position of having committed misconduct (“HR has flagged your timesheet for fraud, please call back immediately”). The psychological cost on the target if it works is meaningful and unnecessary.
  • Debrief campaigns when feasible. If employees will be debriefed at all-hands, do it with empathy and emphasize systemic findings rather than individual failure.
  • Know the law in your jurisdiction. Caller-ID spoofing is regulated in the US under the Truth in Caller ID Act; email spoofing for fraud is illegal under CAN-SPAM; unauthorized access is a federal felony under CFAA. The scope letter is what protects you.

Defenses

The defensive answers in roughly descending order of cost-effectiveness:

  • Phishing-resistant MFA. FIDO2/WebAuthn hardware keys for any account that matters. This is the single highest-value control against AitM phishing and credential theft. Push notifications and SMS codes are not phishing-resistant.
  • DMARC with p=reject. Stops domain spoofing. Most organizations are still on p=none because they’re afraid of breaking something, and the something they’re afraid of breaking is almost always third-party mail services they haven’t authorized properly in SPF and DKIM.
  • Number matching on push MFA. Mitigates MFA fatigue. Microsoft Authenticator, Duo, Okta all support this now.
  • Helpdesk callback verification. Any sensitive request (password reset, MFA reset, access change) requires the helpdesk to call back through a known number, not the number the requestor provided.
  • Phishing reporting button in the email client. Low friction reporting matters. If reporting takes three clicks, people won’t do it.
  • Regular phishing simulations. Useful as awareness reinforcement; not useful as a metric to grade individuals on.
  • Physical access controls. Anti-tailgating turnstiles or mantrap doors at the perimeter; modern badge formats (DESFire, iCLASS SE/SEOS) on doors that matter.

Security awareness training is on this list but lower than it usually appears. It helps; it does not save you from a competent spear-phishing attempt against a stressed user, and “the user should have known better” is rarely a productive postmortem finding.


Closing

Most of the social engineering attacks that have mattered in the last decade have been more about doing the homework than about clever theatrics. The Twitter compromise worked because the attackers knew the names of the right Twitter staff. The Uber compromise worked because the attacker followed up the push spam with a believable WhatsApp message. RSA worked because the attacker knew which mailing list inside RSA was the easiest target. Cialdini’s principles are useful, but they’re the layer on top of “did you actually understand who you’re calling and why your call should make sense to them.”

The other thing worth saying is that the employees on the receiving end of all of this are not the enemy. They’re operating inside a system that asks them to make security judgment calls dozens of times a day with no training and no time. When the system fails them, the right answer is to fix the system. The point of the engagement, in the report, is to demonstrate exactly where that system fails — not to embarrass the person who was on the wrong end of it that morning.


Author: UncleSp1d3r

As a computer security professional, I’m passionate about building secure systems and exploring new technologies to enhance threat detection and response capabilities. My experience with Rails development has enabled me to create efficient and scalable web applications. At the same time, my passion for learning Rust has allowed me to develop more secure and high-performance software. I’m also interested in Nim and love creating custom security tools.