Chapter 26 Further Reading: Social Engineering Attacks
Essential Books
"Social Engineering: The Science of Human Hacking" by Christopher Hadnagy (2nd Edition)
The definitive textbook on social engineering from the founder of Social-Engineer.org. Covers psychological principles, attack methodology, information gathering, and physical social engineering with practical examples. The second edition includes updated material on modern attack techniques.
"Influence: The Psychology of Persuasion" by Robert B. Cialdini
The foundational work on influence and persuasion that underpins social engineering theory. Cialdini's six (later seven) principles of influence -- reciprocity, commitment/consistency, social proof, authority, liking, scarcity, and unity -- are directly applicable to understanding why social engineering works.
"The Art of Deception" by Kevin Mitnick
Written by the most famous social engineer in history, this book illustrates social engineering techniques through compelling real-world scenarios. While some technical details are dated, the psychological principles and attack patterns remain highly relevant.
"Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails" by Christopher Hadnagy and Michele Fincher
A focused treatment of phishing from both offensive and defensive perspectives. Covers phishing psychology, campaign design, technical implementation, and building effective anti-phishing programs.
"Ghost in the Wires: My Adventures as the World's Most Wanted Hacker" by Kevin Mitnick
Mitnick's autobiography provides fascinating first-person accounts of social engineering operations against major corporations and government agencies. The book illustrates how social engineering was used to bypass technical controls long before phishing existed.
"Thinking, Fast and Slow" by Daniel Kahneman
Nobel laureate Daniel Kahneman's work on cognitive biases and decision-making provides the scientific foundation for understanding why social engineering exploits work. The distinction between System 1 (fast, intuitive) and System 2 (slow, analytical) thinking explains why urgent social engineering attacks bypass critical evaluation.
Research Papers and Industry Reports
"Verizon Data Breach Investigations Report (DBIR)" — Annual Publication
The annual DBIR provides comprehensive statistics on social engineering as an attack vector, including phishing, pretexting, and BEC trends. Available free at verizon.com/dbir.
"FBI Internet Crime Complaint Center (IC3) Annual Report"
The IC3 annual report documents financial losses from social engineering attacks, with BEC consistently ranking as the highest-loss category. Available at ic3.gov.
"NIST Special Publication 800-61: Computer Security Incident Handling Guide"
Includes guidance on responding to social engineering incidents, from phishing to physical intrusion. Available at csrc.nist.gov.
"The Human Factor" — Proofpoint Annual Report
Proofpoint's annual report focuses specifically on the human element of cybersecurity, with detailed analysis of phishing trends, social engineering techniques, and click rates across industries.
"Mandiant M-Trends Report" — Annual Publication
Mandiant's annual threat report covers nation-state social engineering campaigns, including detailed analysis of techniques used by APT groups. Provides real-world case studies of social engineering in advanced persistent threat operations.
Online Resources and Tools
GoPhish Documentation and Community
The official GoPhish documentation (docs.getgophish.com) provides comprehensive guides for setting up and running phishing simulation campaigns for security awareness testing. The community GitHub repository includes templates and integrations.
Social Engineering Toolkit (SET) Documentation
SET documentation and tutorials are maintained alongside the tool at github.com/trustedsec/social-engineer-toolkit. TrustedSec also publishes blog posts and conference presentations on social engineering methodology.
Evilginx2 Documentation
The Evilginx2 project (github.com/kgretzky/evilginx2) provides documentation on advanced phishing with MFA bypass. Understanding this tool is essential for assessing the strength of an organization's MFA implementation.
OSINT Framework
osintframework.com provides a comprehensive, categorized collection of OSINT tools and resources organized by information type. Essential for the reconnaissance phase of social engineering assessments.
Have I Been Pwned
Troy Hunt's haveibeenpwned.com allows checking whether email addresses and passwords have appeared in known data breaches. Useful for both OSINT (during authorized assessments) and personal security hygiene.
PhishTank
phishtank.org provides a collaborative clearinghouse for phishing data, including verified phishing URLs and email templates. Useful for research and for training AI-based phishing detection systems.
Defensive Resources
"SANS Security Awareness Maturity Model"
SANS provides a maturity model for building and measuring security awareness programs. The model progresses from compliance-focused training to building a security culture. Available at sans.org.
"Anti-Phishing Working Group (APWG) Reports"
The APWG publishes quarterly phishing activity trend reports and hosts annual symposiums on electronic crime. Available at apwg.org.
KnowBe4 Security Awareness Training Resources
KnowBe4 publishes research, infographics, and educational materials on social engineering defense. Their blog covers emerging social engineering techniques and training strategies.
FIDO Alliance Resources on Phishing-Resistant Authentication
The FIDO Alliance (fidoalliance.org) provides specifications, implementation guides, and case studies for FIDO2/WebAuthn phishing-resistant authentication, which is the primary technical defense against credential phishing.
Training and Certifications
Certified Social Engineering Prevention Specialist (CSEPS)
Social-Engineer.org's certification focuses specifically on social engineering defense, including building awareness programs, conducting assessments, and implementing technical countermeasures.
SANS SEC567: Social Engineering for Penetration Testers
SANS course covering social engineering methodology, phishing campaigns, vishing, physical social engineering, and reporting. Includes hands-on labs and exercises.
Offensive Security Experienced Penetration Tester (OSEP)
While not exclusively focused on social engineering, OSEP covers client-side attacks, phishing campaigns, and social engineering as components of advanced penetration testing.
CompTIA PenTest+
Includes social engineering testing in its examination objectives, covering phishing, vishing, impersonation, and physical social engineering assessment methodology.
Podcasts and Video Resources
"The Social-Engineer Podcast"
Hosted by Christopher Hadnagy, this podcast covers social engineering topics including interviews with practitioners, case study analysis, and technique discussions.
"Darknet Diaries" by Jack Rhysider
A narrative podcast covering true stories of cybercrime, social engineering, and hacking. Multiple episodes focus on social engineering incidents with detailed storytelling.
DEF CON Social Engineering Village Presentations
The Social Engineering Village at DEF CON hosts live social engineering demonstrations, competitions (Social Engineering CTF), and educational presentations. Past recordings are available online.
Recommended Study Sequence
- Read Cialdini's "Influence" for psychological foundations
- Study Hadnagy's "Social Engineering" for methodology
- Practice OSINT gathering against your own digital footprint
- Set up GoPhish in a lab and run campaigns against your own addresses
- Study the DBIR and IC3 reports for current threat data
- Explore SET in a lab environment for attack vector familiarization
- Research Evilginx2 to understand MFA bypass phishing
- Study FIDO2/WebAuthn as the primary technical defense
- Design a security awareness program using the SANS maturity model
- Consider CSEPS or SEC567 for formal certification