
The Social Engineering Code of Ethics

December 14, 2022

Imagine you receive an email from your boss saying that there’s a new promotion at work. All you must do is log into the secure portal provided, do a 5-question survey, and you’ll get a $200 bonus that month. “Wow”, you think. “This is just what I needed to cover my unexpected medical expenses! What a relief!” You sign in and immediately get notified that you’ve fallen for a phishing test. How do you feel? You’re likely defeated, upset, and maybe even angry. “That wasn’t fair!” you think.

What do you, the reader, think? Was it a fair test?

Some might say yes. Attackers don’t care about your medical expenses, so why shouldn’t that angle be tested? Others say no: we aren’t real attackers, so we shouldn’t test employees in that way. What’s the right answer?

A Christmas Bonus

During the pandemic, one company performed a phishing test much like the one in our introduction. They tested employees by saying that the company had had a great year and was giving $650 Christmas bonuses to all employees who filled out a form. Nearly 500 employees fell for it. Those employees went public with complaints that it was an insensitive and tone-deaf test. This led to the company publicly apologizing. That test clearly did not leave employees with positive training points.

Clearly, the test could have been conducted in a more ethical manner. How so? The company could have instead said they were going to do a Christmas raffle. Something along the lines of “If you fill out the attached form, you will be entered to win a $15 iTunes gift card.” With just a few changes, this test would have left employees without the sense of loss they surely felt from the initial test.

Leave Them Feeling Better for Having Met You

Here at Social-Engineer, LLC, our core motto is “Leave them feeling better for having met you”. Is that possible if we’re preying on someone’s base need to provide for themselves and their family? No. The same goes for leveraging other intense emotions, such as fear. There’s no good training point if we threaten to fire someone. Our goal is not just to get a “win” for ourselves, but to leave a moment that your employees can learn from. Because of this, Christopher Hadnagy created a Code of Ethics for social engineering that we follow at our company. The Social Engineering Code of Ethics accomplishes these three important goals:

  • Promotes professionalism in the industry.
  • Establishes ethics and policies that dictate how to be a professional SE.
  • Provides guidance on how to conduct a social engineering business.

Why Is It Important?

Why is a code of ethics for social engineering, and more specifically for phishing and vishing, important? Because even though we are paid to mimic the bad guys, we aren’t the bad guys. Our goals are not the same. We aren’t trying to get a win at any cost, or we shouldn’t be. Additionally, we need to keep in mind what our goals should be: to train employees and to better secure companies against malicious attackers. We can’t do that if we mimic the malicious attackers in every way. Why not?

Picture launching an attack like the one we opened with. What do you think the employee will remember about that “training” experience? Likely, it will be the negative emotions felt, not how to remain safe in the future. This is exactly what we, as professional social engineers, want to avoid. Rather, we want to leave them with solid, teachable moments. We want them to be able to focus on identifying the signs of a threat, rather than being sidetracked by the negative emotions we’ve created.

Remain the Good Guys

It’s true that training in this way, with a focus on influencing positive emotions, is not always easy. Negative pretexts are often much easier to create. But we think it’s well worth the effort. Introducing ethics into social engineering ensures that we impersonate the bad guys but remain the good guys. At Social-Engineer, we pride ourselves on what we do and how we do it. It’s what makes us different. We provide education and awareness to your employees, all while leaving them feeling better for having met us.

For a detailed list of our services and how we can help you achieve your cybersecurity goals, please visit:

https://www.www.social-engineer.com/Managed-Services/.


Security Assessment Case Study
Learn more about the importance of a Social Engineering Risk Assessment.
What Makes Us Different
At Social-Engineer, we pride ourselves on what we do and how we do it. We are a security services provider, focusing on four primary attack vectors. This case study will go through how we can protect your company and what makes us different.
Woman vs Machine
Technology is providing new, more innovative ways to enhance our world. Scientists are constantly developing smarter, faster and more intelligent machines, systems and robots. There is no doubt that each of these has evolved beyond their clockwork origins.
Vishing and Phishing Must Be Ongoing to Be Effective
Most companies have a security awareness program in one form or another. If they don’t, it should be on the short list of programs to start as soon as possible. In our experience, many of these programs take the form of computer-based training.
A Case Study in Vishing
Vishing (voice-based phishing) has been a problem for quite a long time. There are many vendors in the marketplace that offer vishing services. However, they tend to use robo-callers or call centers for large-volume engagements. If they are using trained humans to make calls, it is likely in very low numbers.
Benefits of a Social-Engineering Risk Assessment Engagement
Your company is important. Indeed, the data you hold for your clients or employees is very valuable and attackers seek to capitalize on that data any way they can. This is where a Social Engineering Risk Assessment (SERA) engagement can help uncover possible vulnerability to attackers.
The Business Value of the Social-Engineer Phishing Service
Cybercriminals are targeting the human element of organizations. Additionally, they are developing techniques to use an organization’s employees as the first point of entry. According to the 2021 Verizon DBIR report, of the 3,841 security breaches reported using social engineering, phishing was the key vector for over 80% of them.