Social Engineer Your Life: Vishing, Phishing, and Impersonation Advice for Daily Use
Social engineering is an act that influences a person to take an action that may or may not be in their best interest. The question can then be asked, how do we determine what is, or is not, in someone else’s best interest? In my day-to-day job, I am a social engineer. I originally tip-toed into social engineering by competing in Social-Engineer’s Capture-the-Flag competition before I was hired. We, as a company, and I, as a person, commit to leaving people better for having met us. We social engineer our clients because they ask us to, to help strengthen their security posture. The end-goal of our corporate social engineering is benevolent, but this often requires regular deceit. From a work standpoint, this is absolutely for the greater good; we are teaching employees through experiences and education how to behave to protect themselves, their company, its information, and its network from potentially malicious actors. However, how do we gauge the ethics of using social engineering outside of a work environment?
Without consciously knowing it, I have recently caught myself employing work-level social engineering skills in my everyday life. I’ve noticed I use vishing, phishing, and impersonation strategies as a habit. Is this terrifying? Or am I evolving? While I have no idea how my husband feels about these new and regular uses of my job, I think it’s the latter. Here are some tangible examples in each of three social engineering tactics.
Vishing, or the act of eliciting actions or information over the phone
Over the holidays, I had ordered a gift for my husband. Said gift comes in very identifiable packaging, so I paid a premium to schedule its delivery at a time my husband would not be home. The delivery window came and went, and no package arrived. Two days later, well in time for the holiday, the package was delivered. No real harm, my husband didn’t see it, and life continued on. However, I did pay $25 for this premium shipping, so I called customer service for a refund of the shipping only – I don’t want to make a big stink, but I didn’t receive the service I paid for.
If I’m honest with myself, before working for Social-Engineer, I may not have even called regarding the $25. My phone manners are great, but calls seemed like a hassle. I didn’t want to fight with someone over something small, but after working to illicit information from hundreds of targets over my employment, with attitudes ranging from hostile to happy, attempting to get my $25 didn’t seem so bad.
Once the customer service representative was on the line, I painted who I was (which was truthful – I didn’t want my alter-ego to receive my refund, obviously). Before the call, I had outlined the persona I was going for (which I’d like to think is close to my actual personality). First, I wanted to appear understanding the holiday season is busy, and working as a customer service rep is likely extremely stressful right now. Here, I am employing empathy, as I would in an actual engagement. Next, I was firm in that I will not settle for less than my $25 refund. This is what I’m viewing as my flag, and anything less is my being shut down by the target. Finally, I worked to convey that I’m just a wife trying to make our first Christmas special, so I am giving the representative an emotional reason to be engaged with my mission. I had written this persona down, and practiced the narrative in my head, just as I would do with a vishing engagement.
Ultimately, the customer service representative was so thrilled I was a nice person trying to do nice things, and not ripping into them with a ferocity fueled by holiday angst, that he gave me a gift card to use in addition to my $25. At the end of this engagement, the representative felt good, I felt great, and everyone was better off.
Impersonation, or the act of pretending to be someone you are not
Humans impersonate, it’s what we do. Children mimic their parents, they mimic each other, impersonation is a huge component of human growth. However, as young society chastises copy-cats, and we grow into more complex individuals, impersonation is not often consciously practiced. I want to be very clear, the following advice is not my advocating for readers to go out and completely falsify who they are – I am a deep believer that the best narratives and personas are built off of parts of who you actually are, but I also believe in psychology and statistics, and it is a fact that physical queues cause people to respond in certain ways. Impersonation strategies can be extremely helpful when you have a job interview.
When dressing to get your dream job, you’ll want smooth, tailored lines, and an outfit that doesn’t require adjustments. Picking at your clothes will make you appear self-conscious and lack confidence. Additionally, practicing the weight of your handshake is important. Too strong, and you seem aggressive, too weak, and you seem timid and lacking social skills. There are other indicators of how you will be perceived, such as hair color, which can be easily changed. According to a psychological experiment, red heads are seen to be competent, though can sometimes be viewed as uncongenial, and blonde women receive more tips as waitresses, more donations when fundraising door-to-door, and more offers of rides from men while hitchhiking than their brunette, black, and red-headed counterparts.
I am tall, I am outspoken, I am opinionated, and I am a woman. In a job, these traits can be exceptional assets, but in a brief interview where you have a finite amount of time to prove yourself, it is important, to me, that these traits not be misconstrued. When I interviewed for my current job, it was conducted remotely. I couldn’t use my handshake to convey anything, or the lower 50% of my body. My stature wasn’t working for, or against, me. However, I knew I would be speaking quickly, and often academically. I picked a tailored outfit, a sleek black turtleneck and a sparkly necklace. I had my hair loose, to appear fun and frame my face. I also wore glasses.
Glasses are an important psychological tool. They are statistically recognized to make the wearer appear more honest, trustworthy, and intelligent. In some cases, they can also make you appear more threatening, particularly for white men on trial for white collar crimes. Honest, trustworthy, and intelligent are three traits I view as necessary for a social engineer doing benevolent work in a corporate setting. So, I wore glasses. It should be noted that I have since actually gotten a medically prescribed set of glasses, and when I wear them to team meetings it is 100% to help my actual eyes, but at the time of my interview I did not have glasses. I made a calculated decision to wear a set to convey a certain vibe over a video conference.
What is the line between practicing socially helpful queues and not being fully genuine? This is a question for another day that I’m happy to debate until we are blue-in-the-face, and I don’t know that we will get to a binary answer. What I do know is that how you present yourself to the world has tangible outcomes, can build or break future relationships, and land yourself a dream job.
Phishing, or the act of sending an email meant to illicit a specific action, usually sent fraudulently
The key to writing a good phish is to embed an emotional trigger, do so within an urgent time constraint, and keep the messaging brief and to-the-point. In the case of phish, these messages are usually backed by malicious intent, and sent from a false email address. If you are utilizing phish-like skills to positively impact your life, I would caution against spoofing an email address to achieve your goals, but to each their own. The premise of how to write good phish is also how to achieve your own goals via email. Be sure you give the recipient an emotional trigger that causes or inspires them to act in the manner you desire; want to be selected for that promotion? Tell them succinctly WHY it is a benefit to them that YOU are the selection. Assume the person you are writing to is extremely busy, and do them the favor of choosing precise words that quickly convey your points. Combine these strategies with setting a time restraint, even something such as ending with, “looking forward to hearing back this week,” can help motivate the recipient to acknowledge you. Phishing emails work for a reason; if you are emailing a request for a desired outcome, write like you’re phishing for your answer, and, if you’re good at your job, you’ll leave yourself and everyone else better for having met you!
Social engineering is a powerful tool, and can be mutually beneficial to yourself and the target when wielded wisely. It should be noted that the opinion of what is good or bad for someone else will always be a subjective one. The primary key to properly handling our social engineering skills is to be empathetic, and really consider where the other individual is coming from. Truly putting in the effort to look out for that person’s best interest is imperative to leaving them better off after your engagement. Where my customer service representative was concerned, I gave feedback on how supportive he was to his employer, and our interaction was positive and left him feeling good during a chaotic time. Where using impersonation in interviews and phishing to achieve your goals are concerned, don’t set yourself up for failure. Know yourself. Know what you can bring. Know what you can reasonably accomplish. Making a great interview or email impression only helps get your foot through the door; you still have to follow through and prove that both you, and the organization, will be better for having met you.
Written By: Cat Murdock