
Code of Ethics for Vishing & Phishing

August 11, 2021

When you Google search “social engineering definition,” one of the first results is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” Many of you know that, here at Social-Engineer, LLC and at many other companies that utilize social engineering, this is not how we define it. A more fitting definition for us is “Any act that influences a person to take an action that may or may not be in their best interest.” However, this definition didn’t come about overnight. It took trial and error, and a deliberate application of ethics, to bring about both this definition and a code of ethics for vishing and phishing.

Why is a Code of Ethics Important?

Some people wonder if a code of ethics is necessary for social engineering engagements such as phishing, vishing, or impersonation. After all, our clients are hiring us to mimic the bad guys. The bad guys won’t hesitate to use social engineering tactics in the most malicious of ways, so why should we? The answer is straightforward: we aren’t the bad guys. So, what makes us different from the real bad guys? It mainly comes down to ethics and our application of them.

If we don’t set clear lines for ourselves, we run the risk of becoming too focused on the win. We may resort to using manipulation, or intense fear or greed, in order to obtain our goal. We could rationalize that the ends justify the means. In other words, we may reason that getting the employee’s password will help demonstrate to the client why they should hire us, in effect helping their entire company eventually become more secure.

Imagine

Imagine that we use fear to achieve our goal. For instance, maybe we told the employee they would be fired if they didn’t provide their password. We have no way of knowing what is going on in that employee’s personal life. Is it possible that they have a child at home who is sick, who they must provide for? Maybe this job is their only way of doing so. If we threaten to fire that individual, who knows how much harm we could be doing? Is it worth it? We say “NO.” There must be a way to reach our goal without harming the very people we are trying to protect along the way.

Training

If we rely on tactics such as fear, greed, or sexual themes, what are we training our clients to do? To not be vulnerable to these things? Impossible. When it comes down to it, the employee in our example would do anything necessary to provide for their sick child. Using fear would only reinforce their protectiveness, not train them how to safeguard against potential malicious scams. Employing ethics ensures that we include a real teachable moment for the tested employees. If our mindset is to just be “in it for the win,” it’s likely that education will take a back seat. No employee is going to walk away with a positive and clear understanding of what they can be on the lookout for, and do better next time, if we rely on negative tactics.

Leave Them Feeling Better for Having Met You

Chris Hadnagy, CEO of Social-Engineer, LLC, designed the social engineering Code of Ethics. You can read more about how he realized a code of ethics was needed here. This code accomplishes three important goals:

  • Promotes professionalism in the industry;
  • Establishes ethics and policies that dictate how to be a social engineer; and
  • Provides guidance on how to conduct a social engineering business.

Even further than that, it works along with the Social-Engineer, LLC motto: “Leave them feeling better for having met you.” While it’s true that we could more easily achieve our phishing, vishing, and impersonation goals using manipulative tactics, the dangers far outweigh the benefits. Further, sticking to this code will help you grow as a social engineer, as it forces you to think outside the box. Think like the bad guys, but most importantly, act like the good guys.

Sources
http://www.www.social-engineer.com/services/vishing-service/
http://www.www.social-engineer.com/services/se-phishing-service/
http://www.www.social-engineer.com/services/social-engineering-teaming-service/
https://whatiscodependency.com/spot-manipulation/
http://www.www.social-engineer.com/it-is-important-to-have-ethics-in-social-engineering/
https://www.social-engineer.org/framework/general-discussion/social-engineering-code-of-ethics/

