Chapter 9 Exercises: Social Engineering Reconnaissance

Exercise 1: Pretext Design from OSINT

Difficulty: Intermediate | Estimated Time: 1 hour

You have gathered the following OSINT about a target organization: they use Microsoft 365 for email, Salesforce for CRM, annual HIPAA compliance training occurs in January, the CEO is traveling to a conference next week, and a new IT director started two weeks ago. Design three social engineering pretexts (one email phishing, one vishing, one physical) that leverage this specific OSINT. For each pretext, identify which of Cialdini's influence principles it exploits, explain why you chose the specific target, and describe the expected outcome.

Exercise 2: Organizational Mapping

Difficulty: Intermediate | Estimated Time: 1.5 hours

Using only publicly available information, map the organizational structure of an authorized target organization (or a publicly traded company for educational purposes). Drawing on LinkedIn, the company website, press releases, and other public sources, identify: (1) at least 5 executives and their titles, (2) at least 3 departments with their heads, (3) the approximate number of IT/security staff, (4) the email address format, and (5) at least 10 employee email addresses. Create an organizational chart and a target prioritization matrix rating each employee as a social engineering target.

Exercise 3: Influence Principle Identification

Difficulty: Beginner | Estimated Time: 30 minutes

For each of the following social engineering scenarios, identify which of Cialdini's seven influence principles are being exploited. Some scenarios may use multiple principles.

  1. "Everyone in your department has already completed the security verification."
  2. "I helped you fix that printer last month — can you let me into the server room?"
  3. "This is the CISO. I need immediate access to the incident response logs."
  4. "This special rate on the security training platform expires at midnight tonight."
  5. "As fellow alumni of State University, I thought I'd reach out about this opportunity."
  6. "You mentioned you'd be happy to help with the audit. I just need the network diagram."
  7. "Hi! I'm the new contractor. Great office you have here — is that a guitar in the corner?"
  8. "The security patch must be installed before 5 PM or your account will be permanently disabled."

Exercise 4: Target Prioritization Framework

Difficulty: Intermediate | Estimated Time: 45 minutes

Design a scoring framework for prioritizing social engineering targets. Your framework should consider: role-based access level, position in hierarchy, tenure (new vs. experienced), social media exposure, communication style, and department. Assign numeric weights to each factor and explain your reasoning. Apply your framework to a hypothetical set of 10 employees (you may use the MedSecure example from the chapter) and rank them by social engineering target priority.

Exercise 5: Elicitation Techniques Practice

Difficulty: Intermediate | Estimated Time: 45 minutes

Write scripts for five different elicitation techniques (assumed knowledge, deliberate false statement, flattery/expertise appeal, quid pro quo, and naivete play) that could be used during a vishing call against an IT help desk analyst. For each technique: (1) write the specific dialogue, (2) explain the psychological mechanism, (3) identify what information you are trying to extract, and (4) describe how a well-trained employee should respond.

Exercise 6: Physical Security Assessment Plan

Difficulty: Intermediate | Estimated Time: 1 hour

Using Google Maps, Google Street View, and any available satellite imagery, conduct a physical reconnaissance assessment of a building in your area (your own workplace, school, or a public building). Document: entry/exit points, visible access control mechanisms, CCTV camera positions and coverage, lighting conditions, loading dock access, smoking areas, and any observable employee behaviors. Create a physical security assessment report with annotated screenshots and identify the three most promising physical social engineering approaches.

Exercise 7: Phishing Campaign Design

Difficulty: Advanced | Estimated Time: 2 hours

Design a complete phishing campaign for an authorized engagement. Your campaign plan should include: (1) target selection and justification (at least 3 waves targeting different employee groups), (2) pretext design for each wave with email templates, (3) infrastructure requirements (domains, email servers, landing pages), (4) success metrics and tracking plan, (5) timeline with specific dates and times for each wave, (6) rules of engagement and stop conditions, and (7) a plan for constructive employee feedback after the campaign. Use GoPhish as the assumed campaign platform.

Exercise 8: Deepfake Awareness Assessment

Difficulty: Intermediate | Estimated Time: 45 minutes

Research three documented cases where deepfake audio or video was used in social engineering attacks or fraud. For each case, document: (1) the technology used, (2) how the deepfake was created, (3) the social engineering pretext, (4) the financial or security impact, (5) how the attack was detected, and (6) what defensive measures could have prevented it. Based on your research, write a one-page executive brief recommending deepfake countermeasures for a mid-size organization.

Exercise 9: Social Media Policy Review

Difficulty: Intermediate | Estimated Time: 1 hour

Draft a social media security policy for a hypothetical organization (or review your own organization's policy). The policy should address: (1) what professional information employees should not share on LinkedIn (specific technologies, security tools, internal project names), (2) guidelines for accepting connection requests from unknown individuals, (3) rules about sharing photos from the workplace, (4) guidance on responding to unsolicited messages requesting work-related information, and (5) reporting procedures for suspicious social media interactions. Compare your policy against the OSINT techniques described in this chapter to ensure it addresses the major threat vectors.

Exercise 10: Physical Recon Checklist Development

Difficulty: Beginner | Estimated Time: 45 minutes

Create a comprehensive physical reconnaissance checklist that a penetration tester could use during an authorized physical security assessment. Organize your checklist into categories: perimeter security, entry points, access controls, surveillance systems, employee behavior, waste disposal, and wireless exposure. Include at least 40 individual check items. For each item, note whether it can be assessed from public areas or requires being on-premises.

Exercise 11: Vishing Script Development

Difficulty: Advanced | Estimated Time: 1.5 hours

Write three complete vishing (voice phishing) scripts for different pretexts: (1) IT support calling about a security incident, (2) a vendor representative calling about an account update, and (3) a researcher conducting a "security awareness survey." Each script should include: the opening introduction, verification steps (to build false legitimacy), the core request, objection handling (what to say if the target is suspicious), and a graceful exit strategy. Include notes about tone, pacing, and rapport-building techniques.

Exercise 12: SE Campaign Analysis

Difficulty: Intermediate | Estimated Time: 1 hour

Analyze the following hypothetical social engineering campaign results and provide recommendations:

  • Wave 1 (Generic phishing to all 500 employees): 65% open rate, 22% click rate, 8% credential submission
  • Wave 2 (Targeted IT department, 30 employees): 80% open rate, 45% click rate, 18% credential submission
  • Wave 3 (Executive spear phishing, 10 employees): 90% open rate, 30% click rate, 20% credential submission
  • Report rate across all waves: 3% (15 employees reported the phishing to security)

Questions: (1) Which wave was most effective and why? (2) What does the 3% report rate indicate about security culture? (3) What specific training recommendations would you make? (4) How would you design the next campaign to measure improvement?

Exercise 13: Ethics Scenario Analysis

Difficulty: Intermediate | Estimated Time: 45 minutes

Analyze the ethical implications of each scenario:

  1. During employee profiling, you discover that a target employee has recently posted about a family medical emergency. Your pretext for phishing could reference a "health insurance update." Should you use this pretext?

  2. Your client asks you to specifically target the CEO's executive assistant because "she falls for everything." Is this appropriate? What should you communicate to the client?

  3. During physical reconnaissance, you observe an employee entering their building access PIN. Should you document and use this information?

  4. A vishing call target becomes very emotional and says they are afraid they will be fired if their computer was hacked. What should you do?

  5. Your phishing campaign achieves a 40% credential submission rate from the finance department. The CFO wants the names of every employee who failed. What are your obligations?

Exercise 14: Reconnaissance Integration

Difficulty: Advanced | Estimated Time: 2 hours

Using findings from Chapters 7, 8, and 9, create an integrated reconnaissance report for the MedSecure Health Systems running example. Your report should synthesize passive OSINT, active technical reconnaissance, and social engineering reconnaissance into a unified intelligence picture. Include: an attack surface map, a technology inventory, an organizational chart, a target prioritization matrix, recommended attack vectors, and a proposed testing plan for the engagement's active phases. The report should demonstrate how findings from each reconnaissance type inform the others.

Exercise 15: Defensive Countermeasures Design

Difficulty: Advanced | Estimated Time: 1.5 hours

Based on the social engineering techniques covered in this chapter, design a comprehensive defensive program that includes: (1) a security awareness training curriculum with specific modules addressing phishing, vishing, physical social engineering, and deepfakes, (2) technical controls to detect and prevent social engineering attacks (email filtering, caller ID verification, visitor management), (3) organizational policies (verification procedures for financial transactions, information sharing guidelines, incident reporting), and (4) metrics to measure the program's effectiveness. Your program should address all major attack vectors discussed in this chapter.