The Social Engineering Framework

The Social Engineering Framework is a searchable information resource for people wishing to learn more about the psychological, physical and historical aspects of social engineering. Please use the index below to find a topic that interests you.

Framework Sections

Section Articles

Identity Thieves

Identity theft is the use of information such as a person’s name, bank account number, birth date or social security number without the individual’s knowledge. This can range from putting on a uniform to impersonate someone, or even an elaborate scam involving DNS poisoning, as well as phishing scams.


Gartner research firm, estimates that 57 million U.S. adults received a “phishing” attack e-mail within the past year. More than half of those that responded were victims of identity theft. This scam is carried out by sending legitimate e-mails to unsuspecting individuals. The e-mails are designed to make the recipient believe that they are from an institute they trust, such as their banking institutions or any other company that may require you to provide personal information for authentication. As the unsuspecting person hands over this information they have opened up themselves or their businesses to attack. Even seemingly benign information can lead to something severe. Divulging even personal information can lead to an attacker launching an attack, as shown in the story about AOL mentioned in our framework .

Dumpster Diving

Another commonly used method to gather information about someones identity is by dumpster diving. Individuals and businesses throw away lots of sensitive information containing addresses, phone numbers, credit card receipts, and even social security numbers. This information can be used to build the identity that the thief wants. The identity thief can also find birthday cards, addresses of family members and of businesses that are used by the individual to gain a foothold into their identity. If the identity thief finds that someone one is using a cleaning service frequently and paying them for services, this could be used as a way into the organization. Using this information the identity thief could pose as a janitor and use that as a way into an organization to either carry out the attack or gain even more valuable information from bins used for shredding or even find an unlocked terminal of someone that has gone home for the evening.

Here is an example of dumpster diving.  Workers become complacent and do not think about what they are throwing away. Receipts with signatures, copies of invoices, order forms, and other items are swept into the trash as workers hurry out of the office on a Friday night or just before a holiday. Another rarely thought of items is anything placed underneath signatures. When consumers sign receipts there is often a note pad or a desktop calendar that is thrown out at the end of the month. With a persons address, phone number, account number, and their signature, the theft is mostly completed. Most homes are easy targets as well. Many people get pre-approved credit cards and these simply get thrown away and can be used, along with other information, to open fraudulent accounts.


Another method used by identity thieves is called skimming. Skimming is an example of a low tech technique used to scan or swipe your credit or bank card and get the information off the magnetic strip. This scam is fairly easy to carry out in restaurants or any place that you give someone your card and they walk out of sight to run the charges. The thief runs the card through a hand held scanner and is then able to capture the card information off it and use it at another time to run up charges on the account. The Center for Identity Management and Information Protection says that mail theft, dumpster diving, stolen wallets, and other low-tech or no-tech methods are used far more often, with only 10 percent of scammers using the Internet exclusively.


Another method used with Identity theft is Pharming. These scams use basically two methods, in the first the attacker modifies the computers hosts file and uses links in e-mails that look like they send you to a legitimate site for a financial institution. The web site is actually correct but you have made their system go to a fraudulent IP for that URL. The second attack exploits vulnerabilities in DNS servers that redirect victim’s to the fake websites. The erroneous site enables the attacker to collect user-names, password, account information, and anything else that is entered in the web site. The Drive-by Pharming attack is a fairly sophisticated attack that involves modifying the configuration of the external router as apposed to the computer’s local host file or the DNS server. Again it is the same principle but the thief is modifying the settings for an entire network rather than just a single host.

Tombstone Theft

A less thought of attack that can really be vicious is Tombstone Theft. Tombstone Theft involves stealing someone’s identity that has passed away. The thief can assume this individuals identity and likely get away with the deceit for some time. Because of someones death people often forget about notifying banks and other credit card companies right away after their loved ones death. As far as the financial companies know, the individual is alive and using their cards or accounts as normal. The thief typical gets this information through funeral home notices or obituaries. Funeral homes can be careless in their handling of personal information about their customers and information can be gained form newspaper obituaries. An example of this crime can be found in Atlanta Georgia. Personal identity information of some 80 people were sold for $600 US a piece. That information was used to secure over $1.5 million in loans.

How Identities Are Stolen

There are six key ways identity theft occurs and these are all discussed in depth in our framework:

  1. Dumpster Diving: Rummaging through your trash or your company’s trash an identity thief can find enough information about you to launch an attack. [Dumpster Diving section in wiki]
  2. Skimming: This is where an attacker uses a special device to store your personal information when you buy something from a store. This is the type of attack that was used against TJ MAx.
  3. Phishing: Pretending to be a financial institution or company a malicious email is sent trying to encourage you to visit a very realistic looking site and entering your personal info.
  4. Changing Your Address: It has been done where an identity thief can divert your bills after they order high ticket items, to another location simply by filling out a “change of address” form.
  5. Stealing: Still viable, but an identity thief who steals a purse or wallet can take the theft further by now taking your identity.
  6. Pretexting: Use false pretenses, they obtain personal information from you that can lead to your identity being used falsely.


An example of ID Theft

Famous Identity Thieves

Frank Abagnale

One recent popular example of identity theft is shown in the movie “Catch Me if you Can” this was based on a real life impersonations of Frank Abagnale. Frank impersonated being a doctor, lawyer, prison inspector, maybe most famously an air line pilot. His airline scams alone cost Pan AM Airlines untold sums as Frank flew over 1 million miles to over 26 countries and stayed at various hotels along his way. Another more popular example of Franks scams was in the form of fraudulent checks. Frank used impersonation, pretexting, and other techniques to carry out some extraordinary scams.

In the example above Frank used a pilot’s uniform and some prior knowledge of airports to carry out this scam. Another trick that he used is pretexting. In other words you use a position of authority to get things that you need or pretending that you are in real need of something of importance or urgent. Impersonation is used in the same way. Through observation,  and using the jargon, the attire, or uniform, and some general knowledge to impersonate someone a thief can steal a person’s identity in the literal sense of the word. An identity thief can take a picture of an ID card and print it out and paste their own picture on “Tom Smiths” access badge and now the thief has become “Tom” The thief can dye his hair or put in false teeth to disguise himself as the individual he is trying to impersonate.

Protecting Yourself

Unfortunately there is no 100% sure fire way to protect yourself from this type of attack. Mainly it is being observant. Looking at bills as they come in, be aware of your personal information coming in and out and be quick to uncover anything that seems not right. If you feel you have been a victim do not wait, do the needed research to confirm and then file a police report. Then close your accounts and change numbers for the items that might be compromised.

Looking at bills as they come in, be aware of your personal information coming in and out and be quick to uncover anything that seems not right. You can also protect yourself by looking into identity theft protection from Life Lock or another highly regarded identity theft service to ensure the highest security of your personal information.