
It Is Important To Have Ethics In Social Engineering

August 7, 2018

Over the years of being a professional social engineer (SE), I have been asked questions like, “Are you really testing your clients if you don’t use EVERY method possible?” Or, “You are acting like the bad guys, why do you need to have rules?” And even, “I don’t need to leave them feeling better if I am trying to breach, do I?” It is time to discuss these questions, why ethics in social engineering is so important, and crafting a social engineering code of ethics. How can you maintain a code of ethics and promote professionalism? How can you avoid letting the excitement and adrenaline that comes with hacking alter your ego and make you step out of those bounds?


Ethics – what are you talking about?

Anyone who has been to Social-Engineer, LLC’s training knows that we have a motto, “Leave them feeling better for having met you.” This motto was not always part of our lifestyle in SE. There was a time in my life and career when winning was more important than the client’s feelings. That statement alone makes me cringe, but it is true. I needed to win, to feel good, and it was easy to do so. I would manipulate, trick, deceive anyone, and the resulting feeling wasn’t my concern.

Then, one day, something very negative happened, and I lost a client. It made me sit back and think about my methods. I realized that I was using anger, fear, and extreme versions of emotions to social engineer my clients. I started to challenge myself to perform the same attacks but to try and leave targets feeling better for having met me, and guess what I found?

IT WAS HARD!! Not only was it hard, but I had to think harder and work more to get the same results. The result for the client was that they enjoyed their experience and their staff had more teachable moments. That experience started my quest to come up with a social engineering code of ethics for our company that we could apply to all social engineering practices.

Developing this ethical framework for a field that gets paid to hack humans via physical presence, phone and email was not easy. But that is where “Leave them feeling better for having met you” came about. If you have been to one of our classes, you also know we send you out on homework each night. The lessons learned in improving and developing communication skills as well as getting information from strangers are invaluable. I wanted to see how we can apply these to our student engagements to help them grow as social engineers and people. This meant coming up with a list of tasks and rules to keep them from creating fear, committing fraud, or breaking our social engineering code of ethics or the ethical code of a conference where we are training.

Would ethics ruin your social engineering?

OK, so it is true that any hacker loves the feeling of the hack, but should that reduce the use of a code of ethics? And, what’s maybe even more important, would a social engineering code of ethics reduce the feelings that come from successful hacking? The very chemicals we are trying to release in the brains of our targets to elicit an action (dopamine and oxytocin) are also released in our brains when we feel validated and trusted. Those feelings can be addictive and make us want to take the risks of any action to win.

Telling people to take the longer and harder route to achieve the same results is not easy. The “hardcore” methods appear to be more fun and exciting, but when you take the professional road you will achieve the same results. Additionally, you will create an environment where the positive brain chemicals are released, while not harming other folks.

Why is this so important?

When I started off in this field there were very few professionals focusing on social engineering specifically. Now, 10 years later, it seems like everyone is hanging the “SE” shingle out. This is good. We need more people in this field as there is so much need. However, with more people entering the industry, there is a need to create ethics and policies that dictate how to be a professional SE, and how to conduct a social engineering business.

Social-Engineer, LLC will be working on a formal social engineering Code of Ethics, and we will add it to the framework in the coming weeks.

Stay safe, stay ethical, and leave people feeling better for having met you.

Chris Hadnagy
Chief Executive Officer (CEO)
Social-Engineer, LLC
