When you Google search “social engineering definition,” one of the first results is “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.” Many of you know that, here at Social-Engineer LLC and at many other companies that utilize social engineering, this is not how we define it. A more fitting definition for us is “Any act that influences a person to take an action that may or may not be in their best interest.” However, this definition didn’t come about overnight. It took trial and error, and a deliberate application of ethics, to bring about both this definition and a code of ethics for vishing and phishing.
Why is a Code of Ethics Important?
Some people wonder if a code of ethics is necessary for social engineering engagements such as phishing, vishing, or impersonation. After all, our clients are hiring us to mimic the bad guys. The bad guys won’t hesitate to use social engineering tactics in the most malicious of ways, so why should we? The answer is straightforward: we aren’t the bad guys. So, what makes us different from the real bad guys? It mainly comes down to ethics and our application of them.
If we don’t set clear lines for ourselves, we run the risk of becoming too focused on the win. We may resort to using manipulation or intense fear or greed in order to obtain our goal. We could rationalize that the ends justify the means. In other words, we may reason that getting the employee’s password will help demonstrate to the client why they should hire us, in effect helping their entire company eventually become more secure!
Imagine that we use fear to achieve our goal. For instance, maybe we told the employee they would be fired if they didn’t provide their password. We have no way of knowing what is going on in that employee’s personal life. Is it possible that they have a child at home who is sick, whom they must provide for? Maybe this job is their only way of doing so. If we threaten to fire that individual, who knows how much harm we could be doing? Is it worth it? We say “NO.” There must be a way to reach our goal without harming the very people we are trying to protect along the way.
If we rely on tactics such as fear, greed, or sexual themes, what are we training our clients to do? To not be vulnerable to these things? Impossible. When it comes down to it, the employee in our example would do anything necessary to provide for their sick child. Using fear would only reinforce their protectiveness, not train them how to safeguard against potential malicious scams. Employing ethics ensures that we include a real teachable moment for the tested employees. If our mindset is to just be “in it for the win,” it’s likely that education will take a back seat. No employee is going to walk away with a positive and clear understanding of what they can be on the lookout for, and do better next time, if we rely on negative tactics.
Leave Them Feeling Better for Having Met You
Chris Hadnagy, CEO of Social-Engineer, LLC, designed the social engineering Code of Ethics. You can read more about how he realized a code of ethics was needed here. This code accomplishes three important goals:
- Promotes professionalism in the industry;
- Establishes ethics and policies that dictate how to be a social engineer; and
- Provides guidance on how to conduct a social engineering business.
Even further than that, it works along with the Social-Engineer, LLC motto: “Leave them feeling better for having met you.” While it’s true that we could more easily achieve our phishing, vishing, and impersonation goals using manipulative tactics, the dangers far outweigh the benefits. Further, sticking to this code will help you grow as a social engineer, as it forces you to think outside the box. Think like the bad guys, but most importantly, act like the good guys.