Talk:Social engineering (security)/Archive 1

Cryptographic attacks
Is the category:Cryptographic attacks really suitable for this? --Easyas12c 09:43, 25 Jun 2005 (UTC)


 * I don't think so. I made the translation to the Spanish version and labeled it Categoría:Seguridad informática. I think it should be changed to "Computer security" instead, although it's applicable to every security facility, just as said above. --Endo/Spanish Wikipedia
 * Endo 22:58, 18 August 2005 (UTC)

Scope?
Social engineering is also used for non-computing, it's limitless in its boundaries. Many a stalker or sociopath has used social engineering to get into the life of their victims to create a similar lifestyle from which to "be" the victim. —Preceding unsigned comment added by 142.166.146.178 (talk • contribs) 22:28, 15 May 2006 (UTC)
 * Yes, social engineering is definitely more than a computer security issue. (I've done it offline on several occasions — we all have at one time or another.) Perhaps this should be moved to Social engineering (psychology) or some-such. æle ✆ 2006-05-24t23:51z

Close Ties to Con Artistry
Social Engineering does have close ties with conning people out of, say, money. Rather, it's for information. Getting something for nothing or very little is a big part of social engineering similar with cons.

Also, here is another thing to consider... A person who has interests in something, can obtain parts of that information from one individual, and another, and another, then put the pieces into perspective, while confirming with others, the big picture can be formed, when the single individuals might find it trivial amounts of data.

Just my two cents. (Unsigned) — Preceding unsigned comment added by 66.214.88.237 (talk) 17:44, 7 July 2006 (UTC)


 * You're certainly right, however the term "Social Engineering" at least in the last 10 years or so, has more been linked with computer fraud, hacking and various techniques used for information gathering. What you DO with the information (theft, fraud, whatever) does not matter or really even apply to the term - it's just the collection of techniques used to get the information. 24.126.126.105 04:20, 27 September 2006 (UTC)


 * Guys, guys! Social engineering is a term much older than 10 years and much much different and broader than hacking or anything related to computers. It is a concept in the field of politology and sociology and refers to "initiating/making a deliberate transformation in society". In this sense what Hitler did with the German people before WWII is a perfect example. But Social Engineering doesn't have only negative meaning. I kind of represent an organization, whose name is Alliance for Social Engineering and the mission of it is to initiate positive and desired transformations in the society.


 * Andrey, Bulgaria —The preceding unsigned comment was added by 213.91.242.67 (talk • contribs).


 * Yes, that's called Social engineering (political science), and is not this article. McKay 19:52, 19 December 2006 (UTC)

Pretexting
Speaking of websites, there is also one out there about pretexting which lists a lot of people who did it, but I can't find it via Google.

Does anyone know the site I'm talking about, and the URL? Sue Rangell 19:59, 12 March 2007 (UTC)

Pretexting is pretty common in many industries and being that fame impacts an individual's effectiveness, it's unlikely that anyone good at it would tout their ability. Fourteen year old boys with a lot of testosterone, poor social skills, pallid skin and lots of black clothing are typically quick to claim themselves as "the best." Getting poor suckers through a Motel 6 auto attendant to believe you're the front desk & give you a credit card number is truly beginner's stuff. Don't you believe it - the best you will rarely hear of, if at all. 76.80.8.65 07:05, 13 March 2007 (UTC)

Personalities
Social engineering is used primarily, but not exclusively, in a hacker context. It would be a good idea maybe to include a section of famous social engineers, i.e. Mitnick, Archangel, Desperado, and Frank Abagnale... Chahax 21:06, 7 March 2007 (UTC)

Quick question regarding Archangel. His nickname was "The Greatest Social Engineer of all Time", and I'm having some trouble expressing that. I can remember him being called that on the radio and a lot in the newsgroups. I know the guy used to have a website, but I can't find it to cite it. Anyway, I keep changing the text attempting to satisfy, but I'm not having much success. Would it help if I simply spelled out that it was a NICKNAME, that I'm not trying to say he was ACTUALLY the greatest social engineer of all time?
 * Would it help? Yes, because saying that he is the greatest social engineer would be very hard to WP:VERIFY (see WP:PEACOCK). But in order for the nickname to remain, we're going to need a verifiable source. McKay 13:29, 12 March 2007 (UTC)

Whoa, somebody deleted the whole thing!...it's one thing to debate about the nickname, it's another thing to wipe out the entire entry. Chahax expressed that it was a nickname and provided a reference, that should be good enough for anyone, and is certainly more documentation than is given in other questionable parts of the article. Paste a "citation needed" tag if you feel that way, but you can't delete the entire entry, that's vandalism. I'm replacing the entry. If it is removed again I'll take this up the ladder. Vandalism and edit wars won't be tolerated! Sue Rangell 18:55, 12 March 2007 (UTC)

Thanx for reverting it. I never could stand Archangel either but deleting the entire section was a little overboard, after all I did find very good verification of the facts, plus stated that it was a NICKNAME. For those who weren't around then, the nickname wasn't meant to be complimentary, people called AA that because they thought he was full of BS! I won't get into an edit war over it though. If it happens again I'll just go to an admin. Chahax 04:42, 13 March 2007 (UTC)

I linked Archangel to the phirm wiki (Basically because it needed to be done), but I can't find the website either. I remember it had something about the feds in it, but I don't feel like wading through 7000 usenet posts about Archangel to find it. Does anybody know the website offhand? Sue Rangell 19:53, 12 March 2007 (UTC)

Vandalism is putting a bunch of irrelevant information in the front of a definitive article on a subject. If you want to build a pillar to "Famous" Social Engineers, create a page but don't keep adding lines of text that have nothing to do with the subject, especially before the term is defined. It's like talking about famous painters under "paint" before paint is described - it doesn't make sense. Sorry if I deleted your paragraph prematurely, perhaps quick on the draw before I saw that (gasp) someone is using talk in the SE page - but I wrote most of this article and am used to cleaning up (see past edits). 76.80.8.65 07:15, 13 March 2007 (UTC)

You say you're sorry for deleting his paragraph, but then you went and did it again anyway. A list of prominent social engineers IN THIS ARTICLE is extremely important. You didn't move the name elsewhere on the page, you moved them straight OFF. Finally you claim you've written most of this article, yet this is the first time your IP has appeared here, and even if I were to give you the benefit of a doubt, I would point out that this article is not your own private sandbox to do as you please. Deleting very important and relevant information is VANDALISM, especially since you have apologized for doing it once already! Sue Rangell 17:52, 13 March 2007 (UTC)

I wrote the entry after making the change, thus the disparity. No offense was intended, please don't read into it more than that. In any case, the biggest issue with the recent changes is that the writer is confusing Social Engineering with Confidence Tricks and hijacking the opening paragraph with homages to people he likes. It's irrelevant to the article. What might you suggest in this case dear Sue? As for authorship, I prefer to remain anonymous and change my IPs regularly - note that most content comes from anons. 63.138.87.171 20:49, 13 March 2007 (UTC)

Edit War Prevention
I have moved the notable social engineers to their own section, below the explanation area per request. I hope that this solution will satisfy all parties involved. I really do. The whole thing seems more organized and readable too. Sue Rangell 20:10, 13 March 2007 (UTC)

Great move, but was Pappy a Social Engineer or a Con Artist? Per the description of both I'd say he was the latter. SE typically has an end result of information systems access, otherwise it's just a con - no? What would you use as the defining factor between the two? 63.138.87.171 20:54, 13 March 2007 (UTC)

Good question. Certainly it seems that the qualifier should be an access to some type of information. It might be a good idea to add a citation request there. If a decent citation cannot be provided, my vote would be to remove the Pappy Boyington reference. Since he was pre-computer age, I don't see why he should get his own blurb in any event. Sue Rangell 21:22, 13 March 2007 (UTC)

Sue I disagree with your view about Pappy Boyington, but I'll go along with it, and here is why- I think you did a hell of a job preventing an edit war between 65:138.87.171 (or whatever) and myself. I tend to get a bit passionate about things I love, and I suspect my counterpart is much the same. I never meant to rock the boat so I will let cooler heads prevail and take a back seat on this issue. Your solution is very acceptable, thank you. -Chahax

social engineering of social engineers
Should it be mentioned that even people who social engineer other people for a living aren't immune to social engineering? (I.e. nobody is 100% immune to social engineering) Some people spam the spammers and make them do silly things like balancing a loaf of bread on their head (by social engineering them) as seen on 419eater.com. --Soylentyellow 21:23, 20 May 2007 (UTC)
 * if it can be added in an attributable manner. McKay 14:48, 22 May 2007 (UTC)

"Pretext" redirect and lack of disambiguation
"Pretext" redirects to social engineering even though it is a much larger concept than "pretexting." For example, a link to "pretext" in the Sept. 18, 2007 "On this day..." article on The Mukden Incident links here even though that use of "pretext" has no connection to social engineering. Turtle Falcon 02:25, 18 September 2007 (UTC)

Using social engineering on IT staff
Q. Does this count as social engineering? A hacker calls up the IT helpdesk of a major company and says, "Hi, this is Nathan Sanford in accounting. I forgot my password. My account is nlarson7." Then the IT guy says, "OK, Nathan, I've reset it to abc123." Captain Zyrain 13:24, 22 October 2007 (UTC)

A. Yes, that's a simple example. So too is someone pretending to be from IT and calling users to get their login details, or to download/install a Trojan or ..... NoticeBored 02:50, 6 November 2007 (UTC)

GLBA
There's a paragraph in the GLBA sections that reads:

"U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal cell phone records on the Internet during Wednesday's E&C Committee hearing on “Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?”"

On which Wednesday did this occur? It looks like a copy and paste out of a (copyrighted?) news article. I'll look into references and see if I can find it. --Jds2001 (talk) 15:05, 14 June 2008 (UTC)

Road Apple
An anonymous writer has twice changed the term Road Apple to "baiting." I reverted one assuming it was vandalism, but anon is insistent. I have no problem with baiting being used, but it's a verb - to bait. Great, but what are you baiting with? A road apple. For this thing (a physical device with Malware used as bait) I have heard the term "dropper," "road apple," and "Trojan" to describe it. Perhaps we should include all three. I can't find any consensus elsewhere. Thoughts? Lexlex (talk) 14:38, 14 August 2008 (UTC)

No one -anywhere- used the term 'road apple' in an SE context until it appeared in WP. Every single possible citation refers to or includes text from the WP SE article. Therefore, it is not appropriate to include this completely unknown usage here. If it catches on (which it has not) then we can revisit the matter.

I provided a citation, the 'road apple' author, who was anon, did not. It does not matter what terms you have heard, WP:NOR forbids use of unpublished matter. Otherwise, I could have cited 2000 hackers at Defcon taunting Winn for using this term in a Hacker Jeopardy question. Two thousand hackers who had never ever heard the term.

What's wrong with a verb? The article title is a verb. The previous types e.g. phishing, are verbs. Change it to bait, you bait with bait - just don't change it to road apple or anything else you can not find an independent citation for. --71.139.157.149 (talk) 17:03, 14 August 2008 (UTC)


 * Wait - So because the term WAS used at a Defcon event and some people had never heard of it, you're saying it's NOT real? Huh? You kind of just cited a source (though not useable here). I have seen it published in a number of places, have heard it used in colloquial conversation with penetration testers and have used it myself over the past three or four years. Getting shouted down by a bunch of people at Defcon hardly disqualifies a term. I agree though, it needs a reference - I'll dig around and find it. There is some article from a year or so ago in some tech mag talking about road apples in an airport.


 * And again, from a grammatical point of view, "baiting" USES "road apples" or "droppers". They're not mutually exclusive terms - what are you proposing the noun get replaced with? How do you refer to the infected device itself? Pick:


 * "Hey dude. I just threw 20 road apples at AT&T and 8 have already called in!"


 * "Hey dude. I just threw 20 baiting at AT&T and 8 have already called in"


 * What are you proposing here? Lexlex (talk) 17:49, 18 August 2008 (UTC)
 * Also, please stop changing it back until this is resolved or unless you can find a cite-able source for your term. I can't. You are changing something substantial that has been up for well over a year. Lexlex (talk) 23:01, 18 August 2008 (UTC)


 * You have not found a source that does not refer to this article, so we shall consider this matter closed. Again, I cited a reliable source.--70.235.87.248 (talk) 17:21, 21 August 2008 (UTC)


 * Sorry for taking so long to respond. I wouldn't say so. I read the article you cited and one use of the word "baiting" as a verb is hardly a declarative definition of the attack device we're discussing. Just to be sure, I called Steve Stasiukonis, the author of the article you cited, and also a friend of mine. Without mentioning this dispute, I asked him what he calls the type of attack described. He said "salting!" - but he had no word for the device itself other than "salt." Great.


 * What I'm looking for is the declarative NOUN to describe THE DEVICE with the attached, built in Trojan - not the method. Neither "baiting" nor "salting" would apply here. I will defer your change until I have time to look for the article I'm citing, but I'm sure it's Road Apple (and I like it too - it literally means "Horse Shit" -- which is funny and apropos - thus my interest in this). Lexlex (talk) 19:34, 22 August 2008 (UTC)

The noun you are looking for is 'bait', as in "I dropped some bait to see if I got a nibble.", and "Many took the bait.". You can call Kevin Mitnick and ask him what it is called, but WP:NOR so make sure he's written it somewhere citable. --75.0.193.192 (talk) 20:13, 23 August 2008 (UTC)


 * You're right, but read on: I did talk with Kevin about this and we included it in some (not publicly available) course work, but it never caught on. The problem with "bait" is it's too generic - making it necessary to describe the specific process each time. I can "bait" someone into responding to an attack in a myriad of ways that have nothing to do with Trojans implanted into scattered media - a phishing web site, email or even regular mail could be considered bait, a rigged device of any sort would qualify as would a hot chick with a plan (that always works BTW), or just a simple lie - all could be considered "bait" in the context of SE. I'm looking for the term to describe Trojan rigged media. Maybe "TRMs?" Do you see what I mean? Lexlex (talk) 23:00, 23 August 2008 (UTC)

I understand your point, but sometimes terms must be generic. Bait http://www.answers.com/bait&r=67 covers all the possibilities you refer to. We are not supposed to invent terms here, we can only point to citeable and widely accepted usages. -- Same guy who made the edit —Preceding unsigned comment added by 75.0.193.192 (talk) 22:55, 26 August 2008 (UTC)

"Pretext" no longer redirects here
I created the article for the term pretext to emphasize the difference between the term's use in social engineering (i.e. pretexting) and its use in other fields, most notably politics. It no longer redirects here, but includes a section in its article with a link to social engineering at the top. Lioux (talk) 07:28, 31 October 2008 (UTC)

Grammar
I absolutely hate it how stupid Americans say "them", when they are referring to a single person! --84.250.188.136 (talk) 02:56, 9 May 2008 (UTC)
 * Gee, you sound aggressive. So you're of the camp that would prefer "he/she"? This is a common written English problem of plurality, hardly American. A common "solution" has been to use "they" - and while not grammatically correct, it's certainly getting more common as usage. As a result, many people now use "them" as singular. It is what it is. It's not like everyone here is college edjumacated. By the way, what the hell does this have to do with Social Engineering? Lexlex (talk) 15:18, 9 May 2008 (UTC)
 * This is not an "American" issue really. It's an English language problem. English has no gender neutral pronouns (unless you think referring to people as "it" is acceptable) so using "they" or "them" is substituted to avoid the awkward "he/she" phrasing. It's not "proper" grammar yet, but it's slowly becoming accepted in everyday usage. --173.49.81.215 (talk) 19:57, 22 February 2009 (UTC)

Improving this article for review?
I would like to see this article upgraded with more information so we can improve the importance scale. Does anyone agree? What is your opinion? Adamdaley (talk) 10:33, 10 July 2009 (UTC)

Trojan horse/gimmes
This section is misleading. A trojan is simply malware that hides in or poses as something else. If I write a bad program and name it MSWord2009.zip.exe and offer it to a less attentive distributor of stolen content that too would be a trojan. However the section talks only of email attachments which while Trojans are more commonly dealt with as "email viruses" as the aim of the attachment is to send itself out via email. --Lord Matt (talk) 08:08, 22 November 2007 (UTC)

Yeah, you're right. Although most use of the term 'Trojan' deals with email. You'll note that 'Road Apple' used to be a subsection of Trojan Horse until someone got confused and changed it. Why not re-write it? 76.90.12.243 (talk) 20:51, 6 January 2008 (UTC)

The "trojan horse/gimmes" part of this article sounds like it was written by a bitter IT support worker. I think it needs to be rewritten to remove the subjective terms that infer the stupidity of people that generally receive emails. Also maybe more examples than just email receipts of trojans as they are distributed in many more ways than just through email attachments and links. Danno81 (talk) 09:41, 29 March 2008 (UTC)


 * I have given the article a mild edit to try and cover what has been discussed here. I'll not be offended if you feel my work requires further work.  --Lord Matt (talk) 15:35, 30 March 2008 (UTC)

No one in the computer security field uses the term "gimme" - it should be removed. --71.139.157.149 (talk) 19:12, 14 August 2008 (UTC)
 * I'm in the computer security field and I use gimme - and I hire people. If I'm interviewing you and you don't know what a gimme is, well I will assume your knowledge is pretty limited. Look up the term before rejecting it out of hand. Lexlex (talk) 14:06, 26 October 2009 (UTC)

Farming
I've never done this before so I hope I'm doing it right. I was wondering if you could add a part onto the Social engineering (security) page. I don't know the proper term or if it was listed, but I'm sure it was not. The term is "Farming." Like the word Farming, you simply use sources or friends of a person to gain better access. In a sense, "conning." You then have their friends, or your friends who have friended them plant little lies about you or your goal. You then become acquainted with this person and convince them these lies are true. You then use this newly found confidence in you to coerce information, or whatever your goal was. TimeShin (talk) 23:12, 25 October 2009 (UTC)


 * I'm not familiar with the term and haven't heard it, but that doesn't mean anything. In order to place it here, however, you have to find another place it's published that can be found by a third person, and reference it. Where have you heard it used? Lexlex (talk) 14:13, 26 October 2009 (UTC)

limits
All this talk on changing the category, and nobody's done it yet? I'll gladly volunteer. 65.9.221.117 19:48, 24 September 2005 (UTC)

Isn't social engineering more than just getting them to reveal sensitive information? Isn't getting them to do something other than that also social engineering? Example: I call up blockbuster, pretend to be another store, ask them to remove my balance, and they do that. That's social engineering ne?

Yes! Absolutely! Obtaining sensitive information is but one goal, albeit typically the end game of social engineers who are being paid to do their thing. Social engineers, in general, will use deception, guile and bravado (a.k.a. "cojones") to get their marks to reveal sensitive information directly OR unwittingly provide access to such information, for example by loading a Trojan. If the 'sensitive information' includes, say, the ROOT password, well, you can see where I'm heading. "All your base is ours". [NoticeBored] — Preceding unsigned comment added by 124.157.71.95 (talk) 06:21, 28 November 2006 (UTC)

My concept of social engineering goes beyond just computer security, but security in general. The computer is merely the means to access some information, or the means to perform some action. Replace the computer with an entry porter, or the secretary to a company, or someone's PA and social engineering would apply just the same. As the first comment in this section, I therefore believe this article is too limited. What do others think? -Wikibob | Talk 04:16, 2005 Jun 18 (UTC)


 * Yes again! Sales reps, as a breed, are consummate social engineers.  So too are three-year-olds (trust me, I'm a parent).  Aside from dealing with family friends, a good proportion of human communications could be classified as social engineering in the widest sense.  Politics and sales especially. [NoticeBored] — Preceding unsigned comment added by 124.157.71.95 (talk) 06:21, 28 November 2006 (UTC)

As mentioned above Social Engineering does not just apply to computer Security. And let’s not mix social engineering with manipulation. Three year olds are not social engineers they manipulate. There is a dim line between manipulation and Social engineering but, it is there. Social engineering on the other hand is a means to something else, it is a "planned" process with a "specific" goal to circumvent protocols, i.e. to gather intel for later use in stealing data (Computer Security), or pretending you are another Blockbuster store to clear out a balance is using social engineering to commit fraud. Social engineering should stay within the category Security. Protocols are your processes for protecting what is yours. I.e That the engineer not discuss cost of a project with a sales rep. or employees never give out their passwords. — Preceding unsigned comment added by Fskrc1 (talk • contribs) 07:42, 30 November 2006 (UTC)


 * I think we're basically in agreement here, but with slightly different perspectives. To you, [psychological] manipulation is not social engineering, but to me it is one of many techniques commonly used by social engineers to get their own way with other people. Others include pretexting, bravado, assertiveness/aggression, appeals for help, straightforward lies and more. Three year olds use many of these techniques very effectively to get what they want from adults, so in that sense they are consummate social engineers. I agree they are not hackers, and I'm deliberately not restricting this to social engineering in that more limited sense because I believe there is value in considering the wider breadth of social manipulative techniques. If Wikipedia only puts across the myopic view of social engineering as a hacking activity, readers may remain oblivious and hence highly vulnerable to these other aspects. NoticeBored (talk) 03:36, 19 August 2010 (UTC) PS Please sign your talk page comments so we know who we're talking to.

my recent edit
I don't know what "fancier" or "more technical" means here. also, I understand the 'lying' or deception element of a confidence scam but this feels like a horrible opening to an article. open to suggestions. S*K*A*K*K 01:21, 19 November 2010 (UTC)

cattechie and blindness
There was a section underneath notable social engineers about someone called cattechie and several other names of "Brothers" about something they did in Israel. The citation given was cattechie's personal blog, on which I can find no reference to her being blind or any of the supposed facts in the sentence. Ann F (talk) 03:08, 24 January 2011 (UTC)


 * Someone vandalized the article and the citation. I looked up the Badir Brothers and the first reference was a Wired article so I cleaned it up and put it back. Lexlex (talk) 03:29, 25 January 2011 (UTC)

Not sure blagging as an informal synonym for social engineering in the UK is very solid. Blagging referred to robbery back in the day (usually armed - watch reruns of The Sweeney) and nowadays would be more of an informal synonym for (less specific) bluffing in general. — Preceding unsigned comment added by 109.232.176.4 (talk) 11:26, 13 June 2011 (UTC)
 * Stripped. No reference, unsigned add. Lexlex (talk) 19:22, 8 October 2011 (UTC)

I have repaired the section on notable social engineers and provided better references. --Sue Rangell [citation needed] 06:36, 10 October 2011 (UTC)
 * Sue I've seen your edits before and they're usually good stuff - fine, but this - it seems like you're pushing original research. First of all why are you removing Steve Stasiukonis' first name? He regularly writes for Dark Reading and others and owns a penetration testing company. His name is Steve Stasiukonis and that's what the references say - not just his last name. Second, your cites for "Archangel" aren't references, you're citing blogs and surveys - and the "person" you're citing has only a handle.


 * You know better than this and you know that in no way, shape or form do these cites pass muster. Sorry if you think I'm being a dick, but your edits don't make sense. What would you suggest here? Can you fix it? If Archangel is truly someone you can cite, find out who he is or at least give an explanation - but anyone, including me, can use that name and there is no proof that I'm not him (or her). Lexlex (talk) 16:39, 10 October 2011 (UTC)


 * I fixed the error with Mr. Steve Stasiukonis. If I accidentally clipped his first name, I sincerely apologize. As for Archangel, I believe that is his legal name (like "Prince" or "Cher", but I'll check), and the citations are not just blogs and things, Money Magazine is a major mainstream magazine, Phrack is a major magazine of the industry. (How do they not pass muster?) He has been written up in a lot of other major magazines as well, been on TV and Radio, writes for hacker/computer security magazines, etc. To not include him in an article about social engineering would be like not including Einstein or Hawking in an article about physics. He is already the most cited listed so far, and from mainstream recognizable sources. I will also add that some of the names mentioned have no citations at all. Shall we remove them? Other than Kevin Mitnick he is probably the most recognizable name on the list. --Sue Rangell [citation needed] 23:05, 11 October 2011 (UTC)

Add Pretexting by Police
I am the person who has twice tried to add a paragraph on pretexting by the police. It read:

"Some pretexting comes from where you would least expect it - the officials who are supposed to protect you! In California, many police departments send out computer-generated red light camera "tickets" that have not been filed with the Superior Court and thus have no legal weight.   The intent is to bluff the registered owner into contacting a website, or writing back, and revealing the name, address and driver's license number of the person who was driving the car.  Fake ticket"

The first person who removed it explained his action with this note: "remove opinion and rant without references."

His short note seems to make three assertions. That the article is not factual ("opinion"), that it is a rant, and that it is without references. To him:

1. It is factual, albeit something that you didn't know about before. (But learning new things is the purpose of reading an encyclopedia, isn't it?)

2. A "Rant" is "loud, wild, extravagant speech." My paragraph doesn't begin to qualify.

3. The link given at the end of my paragraph refers to a large website with a full discussion of the fake tickets, including images of examples from four cities. —The preceding unsigned comment was added by 71.116.129.206 (talk • contribs).


 * So, now that you've talked on the talk page, and defended yourself. I'm going to add my rebuttals:
 * 1. Highwayrobbery.net isn't notable. Google("link:highwayrobbery.net") returns 25 results, 10 of which are either wikipedia (or derived from it), or are from the site itself. This leaves 15 links. I'd prolly put that at a non-notable level.
 * 2. Now that I've read the content of the page, it's interesting and helpful information, but it is Original Research, which is frowned upon in wikipedia.
 * As a summary, I don't think that there is a problem with the content, but I think that we should find a better source than the one provided. McKay 13:11, 28 September 2006 (UTC)

While I'm certain your claim is legitimate, that's not the problem with your entry here. Your entry is specific to abuse of power by the police and more appropriate to something dealing with that (e.g. Police abuse of authority or something) It's kind of like discussing how you painted your house under the paint topic: yeah they're related, but someone interested in paint and what it is is not likely interested in your specific experience. Check out: Police to see what I mean. There is a whole area devoted to that topic and your reference to phishing and pretexting would make a lot of sense there and probably open up the minds and eyes of a lot of people who would never look up this stuff normally.24.126.126.105 20:15, 7 October 2006 (UTC)

Five years have passed, it is now late 2011, and I have re-posted the entry. Response to Rebuttal # 1 from 2006, above: highwayrobbery.net, while still the premiere website (whether for profit or not-for-profit) about red light camera tickets in California, is not a major city daily newspaper, so probably never will be immune to "not notable enough" criticism from people who have not read the site. Response to Rebuttal # 2, above: The information first published in highwayrobbery.net in 2006 is now confirmed by major media investigations, three of which are given as references in the new entry. To the suggestion that my entry should not be here but in the article about police misconduct, I paraphrase the person who made that suggestion: This entry will probably open up the minds and eyes of a lot of people who research social engineering but who never would go to an article about the police because not in a million years would it occur to them that the police could be engaged in social engineering. (The people who criticized my entry most likely did not know about Snitch Tickets until they read the entry.) Much of the value of the 'Net is in its ability to provide viewpoints and facts not available in the general media. The unexpected. My article presents information that might well be expected by the skeptics reviewing an article about police misconduct, thus of little value, but that same information would be a significant reality check in an article like this one about social engineering, where conventional thinking expects only the "bad guys" to be featured. Einsteininmyownmind (talk) 05:30, 19 November 2011 (UTC)

In Government Health Solutions...
In Government Health Solutions we encounter Social Engineering tactics as a means for unsubs to gather information on Medicaid or Medicare clients for purposes such as identity theft or locating abducted children. While it is true that some use Social Engineering in attempts to access our systems, the majority of violations occur over the VOIP.

This topic should include discussion of Systems Security, but I would hesitate to merge them. — Preceding unsigned comment added by Vcell68 (talk • contribs) 22:06, 10 January 2007 (UTC)


 * What is unsubs? Einsteininmyownmind (talk) 16:31, 20 November 2011 (UTC)

Diversion Theft
Diversion Theft is not well-written. The article is biased and has a lot of informal language, whereas an encyclopedic tone is required here. If somebody could change that, it would help. Also, the article does not cite even a single source. That makes its contents dubious, and along with the informal language used, it does not seem very realistic or verifiable. I wonder if it's important enough to have so much description too. — Preceding unsigned comment added by 203.187.227.75 (talk) 12:45, 27 February 2012 (UTC)

"Social engineering"
Isn't Kevin Mitnick the person that coined the phrase 'social engineering'? --Abdull 19:29, 16 Jun 2005 (UTC)


 * NO -- he popularized the term but it's been around longer than he has. It's also known as pretexting. 24.126.126.105 04:43, 18 September 2006 (UTC)


 * I think the term was originally used as a pejorative term for legislation intended to change people's attitudes rather than supporting existing attitudes. For example, an anti-communist might have referred to the USSR's efforts to develop the new soviet man as social engineering. Vice laws might qualify, since they are intended to apply the values of one part of society on an entire society. — Preceding unsigned comment added by 98.150.237.36 (talk) 23:34, 15 September 2012 (UTC)

Perhaps I'm talking to myself, but I had fun writing it...

It's unfortunate that someone has been able to co-opt a perfectly good/legitimate concept and apply it to the act of deception in order to give it some aura of legitimacy and status. I'm not sure which is worse - the lack of imagination demonstrated by authoritative professionals and thought leaders in a position to offer jargon in the world of technology, or the intellectual laziness on the part of those who misuse this and other terms so willingly. Mangling the language is another form of social engineering - right speak spoken here?

Intellectuals, heal thyself!

From Wikipedia... Politics and the English Language (1946) is an essay written by George Orwell in which he criticizes "ugly and inaccurate" contemporary written English and asserts that it was both a cause and effect of foolish thinking and dishonest politics. He calls "vagueness and sheer incompetence" the "most marked characteristic" of contemporary English prose and especially of the political writing of his day. The essay also criticizes contemporary writers for preferring the abstract to the concrete, claiming this reduces precision of thought. He notes that insincerity is the enemy of clear prose and that much contemporary political writing was in defence of the indefensible. Orwell argues that, in addition to being aesthetically unpleasant and disingenuous in its discussion of politics, bad writing is morally wrong.[1] Orwell "believed he was [morally] bound to give as much of himself to his writing as he could" and so "drove himself relentlessly" to avoid the kind of bad writing he describes in the essay.[2]

Orwell asserts that the English language is in decline, but that the decline is reversible. He gives five examples of bad contemporary writing and criticizes them for "staleness of imagery" and "lack of precision." The essay describes the "tricks" his contemporaries used to avoid the work (and thought) of constructing clear prose: overused (or "dying") metaphors, "operators or false verbal limbs" that were used in preference to simple verbs, pretentious diction and "meaningless words." From: http://en.wikipedia.org/wiki/Politics_and_the_English_Language

the dimestoresage — Preceding unsigned comment added by 71.204.6.17 (talk) 14:09, 10 July 2007 (UTC)

Kevin Mitnick, please stop using this article to promote yourself
I have noted several times over the years where either Kevin or his associates have attempted to claim credit or invent terms related to SE. Invariably, he is the sole source of the information. — Preceding unsigned comment added by 69.183.116.255 (talk) 06:07, 1 March 2012 (UTC)
 * An example? Perhaps? Lexlex (talk) 02:51, 4 March 2012 (UTC)

You. You work with Mitnick, earn money from his seminars, and thus should NOT EVER edit any article about or related to him. 70.235.84.138 (talk) 05:20, 8 May 2012 (UTC)

Having been a professional engineer for almost 30 years, I am offended when I see "social engineering" defined as a criminal activity. I wish Wikipedia contributors would not perpetuate this usage of the word "engineering" because it damages the reputation of all engineers. 38.100.146.125 (talk) 21:24, 10 October 2013 (UTC) Barry Russell Green, PE Texas PE license 56685

More SE in Fictional Media
I can list at least Supernatural and Doctor Who; both use pretext to gain entry to locations they are not authorized to enter. 77.92.4.40 (talk) 10:58, 7 September 2014 (UTC) Cem Kalyoncu

Add to Further Reading
Hi, I think it would be good to link my website to the "Further Reading" section, as it contains a few articles on how to build rapport, read body language etc., it's a good resource.

http://socialengineers.co — Preceding unsigned comment added by 178.23.219.8 (talk) 18:11, 24 February 2015 (UTC)
 * Thanks for following my advice and discussing the link here. Wikipedia has detailed policies and guidelines covering external links, which I mentioned on your talk page. WP:ELNO states that blogs and forums are not typically used as external links. There is also an issue of WP:NOTHOWTO, in that Wikipedia generally neither includes nor links to how-to content. Some other editors may weigh in here with different perspectives, but it is likely that the majority will be against including the link. Dialectric (talk) 18:23, 24 February 2015 (UTC)

"Help stop misinterpretation of phrase “Social engineering” in Wikipedia"
The phrase “Social engineering” is misused in wiki. But it should be used in positive sense. There is a Wikipedia page on it. The wiki page is given below : http://en.wikipedia.org/wiki/Social_engineering_%28security%29

This phrase is described in wiki as: “Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. The term "social engineering" as an act of psychological manipulation is also associated with the social sciences, but its usage has caught on among computer and information security professionals.”

Why the phrase “Social engineering” should not be misinterpreted?

The phrase “Social engineering” consists of two positive words such as “Social” and “Engineering”.

Social means:
a) Relating to human society and its members
b) Relating to or belonging to or characteristic of high society
c) Composed of sociable people or formed for the purpose of sociability
d) A party of people assembled to promote sociability and communal activity

And engineering means:
a) The discipline dealing with the art or science of applying scientific knowledge to practical problems
b) The practical application of science to commerce or industry

Good + Good : Good

So two good words combined together to make a phrase denotes good qualities. Therefore, “Social Engineering” phrase should not be used for psychological manipulation of people into performing actions or divulging confidential information.

What should be meaning of the phrase “Social engineering”?

The phrase “Social engineering” should be well utilized to focus the following:
a) Society building techniques
b) Motivating people to become great
c) Inspire people to learn, work, well behaved, social etc
d) Break the negative thoughts and barriers of people
e) Improve performance of people
f) Great human society building
g) Solve social problems
h) Scientific methods for human social evolution
i) Find out how negative minds can be transformed to positive minds

— Preceding unsigned comment added by 58.137.200.27 (talk) 07:47, 8 June 2015 (UTC)

External links modified
Hello fellow Wikipedians,

I have just modified 3 external links on Social engineering (security). Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
 * Added archive https://web.archive.org/web/20071011191205/http://md.hudora.de/presentations/firewire/PacSec2004.pdf to http://md.hudora.de/presentations/firewire/PacSec2004.pdf
 * Added archive https://web.archive.org/web/20131226121347/http://blogs.computerworld.com/security/20712/interview-worlds-most-famous-hacker-kevin-mitnick-mobile-security-zimperium to http://blogs.computerworld.com/security/20712/interview-worlds-most-famous-hacker-kevin-mitnick-mobile-security-zimperium
 * Corrected formatting/usage for http://home.c2i.net/nirgendwo/cdne/ch14web.htm

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Cheers.— InternetArchiveBot  (Report bug) 06:34, 15 December 2017 (UTC)

Bogus listings
Ridpath should be there. 185.153.179.4 (talk) 18:04, 22 August 2017 (UTC)

Someone keeps putting in a reference to 'Archangel' - A hacker I guess, but the references are bad and no real name is used. I deleted it after I could find nothing on this guy at all in regard to Social Engineering, much less any cite-able reference to "Greatest social engineer of all time." Anyone have comments? Lexlex 04:26, 27 July 2007 (UTC)

Archangel is part of the Backtrack team. The reference I imagine is bogus. He is quite a bit less notable than Kevin Mitnick, Badir Brothers, Christopher Hadnagy, Mike Ridpath, and Steve Stasiukonis. I hope someday Mitnick, Badir brothers, Hadnagy, Ridpath and Stasiukonis can do a panel live for our security conference in Australia called Ruxcon. 05:09, 13 September 2011 (UTC) — Preceding unsigned comment added by 76.22.70.248 (talk)

Agreed, each of those listed above, minus the Badir brothers, are speaking at most security conferences, just never together. Re-added Ridpath and Badir brothers; some people seem to have deleted them. — Preceding unsigned comment added by 24.16.72.182 (talk) 00:52, 13 October 2011 (UTC)

As a true Social Engineer I have edited and removed a few people who have listed themselves by trying too hard - hacker names; these are not real names of people and are not relevant. — Preceding unsigned comment added by 101.168.255.242 (talk) 12:58, 19 February 2014 (UTC)

Archangel has shown up once again. With a whopping 5 references. The first is a dead link, the next three cannot be verified, the last one links to a dubious website with conspiracy theorist connotations and no bearing on the subject except for the name Archangel. I will remove it. –08:18, 22 September 2014 (UTC) — Preceding unsigned comment added by 2001:67C:2564:A156:221:6AFF:FE65:7F6E (talk)

Sock puppet

Agreed Ridpath should definitely be on there. — Preceding unsigned comment added by 67.132.130.174 (talk) 21:54, 17 December 2015 (UTC)

Sock puppet

I did my master's thesis on social engineering; I interviewed Mitnick, Hadnagy and Ridpath. Hadnagy and Ridpath should be added; they are the only two people currently adding to this field of research that are listed. Both have been doing this their entire life, as you can tell from their talks at the security conventions. --73.109.59.141 (talk) 05:45, 23 January 2019 (UTC)


 * Good for you. WP:OR isn't acceptable here. If your thesis was published, let's see it, but you have a conflict of interest for citing your own work even if it is a reliable source. Funny how all of a sudden this is a pressing issue among IPs who have otherwise never edited Wikipedia. Grayfell (talk) 09:51, 23 January 2019 (UTC)

Agreed with the above; however, I don't think the other listings are valid. Susan shouldn't be there. Badir brothers haven't done anything in many many years. I have no qualms not having listings of notable social engineers up; I just believe that the ones listed are not correct if we are wanting to say notable. Chris wrote a bunch of books and ran the social engineering contest. Ridpath and Chris both have been on here for a number of years during the great Mitnick edit wars. I think both of them should stay as, like the poster above, many have used them in their research. I am removing Susan and re-adding. Please join freenode channel so everyone that's in the discussion can communicate. --159.49.229.147 (talk) 17:19, 23 January 2019 (UTC)

Christopher Hadnagy listing does need to be written; it kinda sounds like a promo. I also don't agree with removing Susan as she is a historical reference. Please move all conversation that's happening on IRC to this talk page. 159.49.229.138 (talk) 17:33, 23 January 2019 (UTC)

Please post thesis so it can be properly cited. Doing a quick Google search for Hadnagy, Mitnick and Ridpath and too much comes back via Google search so please post. 159.49.229.147 (talk) 17:42, 23 January 2019 (UTC)


 * The burden is on you to establish consensus that these people belong based on reliable sources. Do not re-add anyone until that consensus has formed. Further, do not add WP:EGG links to imply that these people are more notable than they are according to sources. Mike Ridpath had an article, which was deleted per Articles for deletion/Mike Ridpath. That discussion included a lot of very ham-fisted sock puppetry, as well as a flood of IP addresses behaving similar to those now trying to re-add the name to this article. Assuming that you are indeed separate people, if one of you Seattle-area IPs believes this person is fundamentally significant to this topic, you should be able to find much better sources. If those sources exist, and are reliable, independent, and substantial, consider creating a new draft article for Ridpath and propose it through WP:AFC. If you bypass this process and create the article directly, it will likely be deleted per the previous discussions. Grayfell (talk) 21:35, 23 January 2019 (UTC)

Why does Chris Hadnagy keep getting deleted? That is where my primary concern is. If someone wants to spend their time creating an article for Ridpath go ahead. He's been on this for a number of years; shouldn't be too difficult. 159.49.229.147 (talk) 21:51, 23 January 2019 (UTC)


 * The sources used for this version are:
 * Archives of his podcast
 * Archives of his newsletter
 * Books he wrote (or co-wrote, but for which coauthors are not listed)
 * The section that says he is "a well known public speaker" without any source at all. Wikipedia has a strong preference for WP:SECONDARY sources. We are not a platform for promotion, so if independent sources cannot be used to say why he's well known for something, it's inappropriate for Wikipedia to tell readers that. Without any independent sources at all, this simply doesn't belong. Grayfell (talk) 22:22, 23 January 2019 (UTC)

Chris does have a wiki page right here Christopher Hadnagy. 159.49.229.147 (talk) 18:52, 24 January 2019 (UTC)


 * Yes I know. I cleaned up that article and removed some unreliable sources and promotional filler, and more work is needed. If you know of reliable, independent sources which establish that he is encyclopedically significant to social engineering as a larger topic, propose them here. Grayfell (talk) 21:32, 24 January 2019 (UTC)

Annotated Bibliography for sources for "Pretexting" section (In progress)
Hi All! I have a working annotated bibliography for the pretexting section of this article.

1. Greitzer, Frank L., Sholom Cohen, Andrew Preston Moore, Jeremy R. Strozer. 2014. "Analysis of Unintentional Insider Threats Deriving from Social Engineering Exploits," 2014 IEEE Security and Privacy Workshops, 236-250, doi: 10.1109/SPW.2014.39.

This research paper defines the concept of social engineering and analyzes the way different social engineering attacks are carried out. First, it starts off by informing the reader about the lack of research and peer-reviewed literature that is available on socially engineered unintentional insider threats (UITs) and how they develop. The literature then dives into how social engineering attacks can be categorized into non-interpersonal and interpersonal, which is where pretexting falls into place. Pretexting, in summary, is when the attacker exploits a real scenario or devises a fake one in order to trick the victim into trusting the attacker to fix the problem, usually leading to disclosing valuable information. This is also known as reverse social-engineering. Researchers also analyzed the demographics that were more susceptible to these social engineering attacks, and found that there were not many distinctions between young and old, male or female, and that all were equally vulnerable. Personality traits such as trustworthiness and obedience are what seemed to determine who was more vulnerable. Safeguarding and other technical procedures used to minimize such attacks are often not enough, and the article calls for more understanding of how social engineering attackers use psychological techniques to get what they want. The importance of deception and stealth that is present in many of these attacks is what makes it so difficult for researchers to develop effective prevention strategies. The paper’s goal was to essentially point out the holes in research that are crucial to solving this problem. This source is very helpful, especially with the lack of information available on the topic that the research focuses on. Just as it is important to inform the reader on the topic at hand, it is equally important to inform the reader about what needs to be done further to make the research more impactful and useful. 
The information is reliable because while it does talk about the positive conclusions from the research, it also discusses what could have been done to improve the research, and gives possible reasons for why the research might have been skewed or why the results came out the way they did. This demonstrates an effort to remain unbiased. In general, the language used in the paper and the research studies used are unbiased and don’t seem to point towards a specific opinion or stance regarding the issue. It simply compiles and smoothly integrates all the information currently available about UITs and social engineering. The targeted audience is both for researchers interested in the field looking for what else needs to be done, as well as business strategists looking to improve security within their companies. This source walks a fine line of being for and not for beginners on the subject. While it does well in having understandable definitions for key terms, it also uses complex tables and graphs that are difficult to interpret if you are unfamiliar with the topic. This paper has contributed to my knowledge of how social engineering attacks work, as well as how difficult it is to research and find solutions for. I realize that everyday occurrences, such as getting suspicious emails or texts with unfamiliar links, can lead to disastrous consequences, and to always be cautious when anything seems unordinary. I would use this as a resource to prove how common things like pretexting are and how it is important to always protect one’s information. It has changed how I think about the topic in allowing me to understand how common social engineering attacks are.

2. Workman, M. 2008. “Wisecrackers: A Theory-Grounded Investigation of Phishing and Pretext Social Engineering Threats to Information Security.” Journal of the American Society of Information Science and Technology 59(4):662-674.

This article discusses two of the rising social engineering attack methods, pretexting and phishing. Pretexting is when the attacker creates a situation for a vulnerable victim where they feel pressured to or unknowingly disclose information about themselves or an organization they work for. The situation at Hewlett Packard where the CEO used pretexting to gain the private information of a journalist to see who had been leaking private information to the press. Some of the most well-known pretexting attacks include those when the attacker poses as a charity organization to gain information. The article also discusses different types of commitments, such as normative commitment, continuance commitment, and affirmative commitment, and how their levels in a person’s traits will make them more or less susceptible to social engineering attacks. The example of telemarketers was used to demonstrate how people use pressure and fear tactics to gain information or force people to use a product. This can also be considered a pretext given how information is obtained. The research study highlighted in the article created different pretext scenarios and analyzed which types of people were at greater risk. The article is organized as summary/background, research, then conclusion/discussion. The results were converted into tactics that the article recommends managers use to prevent social engineering attacks, such as educating employees with high levels of obedience with which information should be shared and not be shared outside of the company. This article is a particularly useful source that seems to be both for researchers and business managers alike. For researchers, it points out considerations within the research it cited and where testing needs to be improved or what potential other tests need to be done. 
For business managers, it categorizes the personality traits that are most present in people the most vulnerable to social engineering attacks and what methods should be tailored to different types of employees. For example, employees with higher levels of obedience would need different methods than employees with higher levels of affirmative commitment. I would recommend it for others, because I feel that the way the article presents its hypotheses, the personality traits they discuss are relatable and easy to understand. While there are tables and graphs, they are easier to interpret. The article had data, rather than being theoretical. There seems to be no major bias within the language of the article. The information I learned in this article is similar to what I learned from the first article. However, I discovered that there are personality traits that are present within victims that can be split up and analyzed. Readers may realize how common the characteristics the article uses to categorize potential victims of social engineering attacks are. This will educate people to be more cognizant of the online personas they trust and the links they click on. This could be used as a resource to demonstrate which people are susceptible to pretext attacks, and how organizations can attempt to mitigate such attacks.

3. Ghafir, Ibrahim, Jibram Saleem, Mohammad Hammoudeh, Hanan Faour, Vaclav Prenosil, Sardar Jaf, Sohail Jabbar, and Thar Baker. 2018. “Security threats to critical infrastructure: The human factor”. Journal of Supercomputing, 74(10): 4986-5002.

The purpose of this article is to inform about common social engineering attacks and to propose a possible framework to educate operators about prevention measures. The context of this paper is the consequences and prevention of attacks of critical infrastructure, such as malware and ransomware. For businesses that hold sensitive and private information about their employees and customers, the paper articulates how much more important safety measures are taken. Since 70% of information during awareness training is lost as time passes, it is crucial to incorporate training consistently throughout employment. The proposed defense strategy in the article aims to combine technological and instructor-based defenses and education to create an optimal training against social engineering threats. This comes from studying the pros and cons of 100% computer-based training, such as lowered costs and lesser understanding of the severity of the topic at hand. The paper goes through which departments in a business/organization would need, like IT vs. marketing, as well as what improvements could be made to the current system to provide more accuracy and stability when dealing with cyber attacks. This source is useful and most likely tailored to employees in business management, as it provides a training system that aims to prevent businesses from being susceptible to cyber attacks. The source is objective, and it incorporates a study with empirical evidence to back it up. There is often a debate on how to split up human personality traits, and this article breaks it down into obedience, naivety, and trustworthiness, all of which allow someone to become a victim to social engineering. I would recommend this source to others, as I think that it is clean and easy to read, and splits up its information in a very reasonable way. In terms of the study conducted within the paper, the graphs might be difficult to analyze, but the conclusions of the data are easy to understand. 
There is no immediate bias within the language of the paper, although it has a sentiment that as humanity innovates, there is more danger than not, which could be a somewhat negative view about technology and its exponential growth. Other than that, it seems pretty unbiased. I personally did not learn anything new from this article that I would find useful in my daily life right now, as it was tailored for a very specific audience. However, I found it interesting how this article split up its taxonomy early in the beginning versus the other articles. I would use this as a source to discuss potential solutions to cyber hazards such as pretexting.

4. Oliveira, Daniela S., Tian Lin, Harold Rocha, Donovan Ellis, Sandeep Dommaraju, Huizi Yang, Devon Weir, Sebastian Marin and Natalie C. Ebner. 2019. “Empirical analysis of weapons of influence, life domains, and demographic-targeting in modern spam: An age-comparative perspective.” Crime Science, 8(1):1-14.

The purpose of this article is to study the amount of and content of spam emails sent to both young and old people. By studying these contents, researchers hope this will inform privacy training programs and warning tools for organizations and companies that hold sensitive information. They also hope to reveal the method of scammers when creating scam campaigns. The paper begins with talking about related works such as phishing and present spam detections and analyses, then dives into background information about psychological characteristics and ways people can be influenced. Specifically, the Reciprocation principle, Liking principle, and Authority principle were mentioned, all of which are principles with which people tend to act when they are in a certain social situation. Life domains are also used to categorize attacks, specifically in between Incentivized and contextual life domains. Incentivized is when the information in spam seems to be more leisurely, like ads. Contextual is more essential, such as emails having to do with health. The study was then split up into methods, data, and analysis of data. The results determined that spam campaigns targeted age demographics based on characteristics of their life domains. For example, common trends showed young people get offers at stores, whereas old people tended to get spam related to health insurance or retirement. The paper hopes that its findings will be useful for future solutions against cyber hazards. The paper uses some biased language, stating in the beginning that even though the proper name is “psychological principles of influence” for the collection of terms they used, they were going to call them weapons instead for the purposes of driving home how evil these manipulation tactics are. Though this isn’t necessarily a damaging bias to have, and the rest of the paper is very factual and is based on the research conducted and supported by graphs and empirical evidence. 
The information is reliable as the author cites the other academic journals that support their claims throughout the paper. The targeted audience is definitely business managers and other researchers, as the purpose is to inform about possible training on privacy that organizations can incorporate, as well as what other research can be done in this field. This paper opened my eyes to how even though I think the spam I get is random, it really isn’t. Things like my age and the websites I’ve clicked on influence the spam campaigns that I am a target for. It made me more aware of these things. I feel that this resource will be great in analyzing and giving examples of everyday uses of pretexting attackers use to target vulnerable populations.

5. Airehrour, David, Nisha Vasudevan Nair and Samaneh Madanian. 2018. “Social Engineering Attacks and Countermeasures in the New Zealand Banking System: Advancing a User-Reflective Mitigation Model”. Security in the Internet of Things 9(5):1-18.

The purpose of this journal article is to discuss the research done on attacks in the financial sector in New Zealand, outline a summary of each step in a social engineering attack, and use research to propose mitigation tactics for each stage in the attack. It starts by discussing how vulnerable the financial sector, especially banking, is when it comes to cybersecurity attacks. Of them, social engineering has proved difficult to deal with, as there are rarely any set precautions that can be prevented as such, since each individual person has the ability to make different decisions when approached by a potential attacker. Since psychology and manipulation are key elements in social engineering, it is harder to prevent people from falling from such traps. The article describes an attack cycle as research about the target, developing trust, taking advantage of trust, and ultimately utilizing the information to get what they want. Pretexting, an example of a social engineering attack, is when a person is tricked into giving away information by being manipulated through a false scenario made or exploited by the attacker. The article goes in depth about research done through a user reflective model and how successful it was in the New Zealand banking industry, and ultimately how the data retrieved from the study can call for more effective procedures against cyberattacks. The article is very well-informed and explains why the location of New Zealand was chosen, gives good background information, and presents the data in a way that is understandable for people familiar with the financial sector. I would not recommend this article in general because of the language more suited towards people in the field of finance or research, and the graphs that are presented can be a bit hard to follow. The article is unbiased and the conclusions are purely drawn from the empirical data in the study. 
While the entire article may not be for everyone, I would recommend reading the background and the last few pages detailing the User-Reflective Mitigation Model. Though the methods of the study and analysis might go over the layman's head, these two specific sections are written for everyone, to inform them that they may have been susceptible to a social engineering attack, and how to take the steps to avoid one in the future. The article is also for managers in the financial sector, as well as researchers learning more about the topic. I believe my perspective has definitely changed. Although I thought that there were very few times where I was the victim of a cyber attack, this article demonstrated that I have probably encountered one plenty more times than I originally expected. I think this would be a good source for my own Wikipedia article when detailing a potential case study talking about the effects of pretexting-like attacks on big sectors.

Thanks! HanMiKC (talk) 17:50, 21 October 2020 (UTC)

Intended edits to the Pretexting sub-section of this article
Hey all! I'm thinking of adding additional information to the subsection "Pretexting" in this article. I'm planning on adding a bit about the history of pretexting and how it relates to the development of social engineering to what it is now, as well as some specific examples that have been used throughout history. I will make these edits bit by bit and do not intend on removing any of the current information. I will inform you all if I do plan on editing existing information out.

Thank you! HanMiKC (talk) 22:06, 7 November 2020 (UTC)