Reading Room

Social Engineering

Featuring 20 Papers as of January 4, 2019

  • Defend Your Business Against Phishing (Analyst Paper; requires membership in community)
    by Matt Bromiley - January 4, 2019 

    Phishing is an ever-evolving and pervasive method of attack against small- and medium-sized businesses (SMBs). Don't let your business be an easy target! After walking you through the phishing techniques that attackers commonly use, Matt Bromiley shares proven strategies and specific, actionable steps you can take today to reduce your risk. No matter your budget or level of expertise, you can defend against phishing attacks.

  • Countering Impersonation, Spearphishing and Other Email-Borne Threats: A Review of Mimecast Targeted Threat Protection (Analyst Paper; requires membership in community)
    by Jerry Shenk - January 24, 2017 

    The FBI estimates that between October 2013 and August 2015, more than 7,000 U.S.-based organizations lost a total of $748 million to business email scams. Such scams rely on the same tricks as confidence artists in the real world: the appearance of legitimacy and the tendency of victims to go along with requests that appear to be on the up-and-up, without checking to be sure. In this whitepaper, SANS senior analyst Jerry Shenk evaluates Targeted Threat Protection, an email-security service from Mimecast that is focused on stopping sophisticated phishing attacks. Among its most difficult targets: “whaling” attacks that spoof high-level executives asking for sensitive data, access or the transfer of money to accounts owned by scammers.

  • Methods for Understanding and Reducing Social Engineering Attacks (Graduate Student Research)
    by Michael Alexander - May 3, 2016 

    Social engineering is arguably the easiest way for an attacker to penetrate the defenses of an organization.

  • The SANS 2013 Help Desk Security and Privacy Survey (Analyst Paper; requires membership in community)
    by Barbara Filkins - July 16, 2013 
    • Sponsored By: RSA

    This survey report serves as a starting point to promote awareness and help bridge the educational gap between what a help desk is and what a secure help desk should be.

  • PDF Obfuscation - A Primer by Chad Robertson - October 15, 2012 

    PDF, or Portable Document Format, is a widely used business file format that is often the target of exploitation.

  • Covert Channels Over Social Networks by Jose Selvi - June 4, 2012 

    Today we live in a malware age, with the malware industry growing exponentially (AV-Test, 2012).

  • Which Disney© Princess are YOU? by Joshua Brower - March 18, 2010 

    Social engineering takes many forms; some obvious, some not so obvious. One not so obvious form is that of questionnaires—be it a knock on the door to answer a survey for a “census” worker, or a “harmless” quiz found on a social networking site. Depending upon their content, they can serve as a very powerful means of capturing and correlating information for nefarious purposes.

  • Social Engineering: Manipulating the Source by Jared Kee - October 14, 2008 

    A company has a duty to every employee to inform and prepare them for social engineering attacks. If it fails to do so, it WILL become a victim of such attacks. This paper details methods you can use to help your company avert social engineers.

  • Social Engineering Your Employees to Information Security by Martin Manjak - December 19, 2006 

    Information security should be part and parcel of a set of internal controls that govern the processes, operations, and transactions that constitute the life of the organization.

  • Corporate Identity Fraud: Life-Cycle Management of Corporate Identity Assets by Bryan Fite - April 3, 2006 

    The advent of the World Wide Web has provided many new and innovative ways for organizations to conduct business. It has also exposed organizations to new and innovative forms of trademark & brand abuse. Corporate Identity Fraud can be defined as the abuse of traditional and nontraditional identity assets with the intent to divert, deceive or defraud consumers.

  • The Inside Story: A Disgruntled Employee Gets His Revenge by Heather Kratt - February 10, 2005 

    In this paper, I will present the fictional story of a disgruntled employee who exacts revenge on his employer by stealing sensitive customer information and posting it on a public website. While the character is fictional, the security risk he represents is quite real. I will describe his motive for attacking his employer's network, analyze the tools and techniques that he used to circumvent existing security measures, and detail the steps involved in the attack process.

  • Psychology: A Precious Security Tool by Yves Lafrance - June 9, 2004 

    Security specialists have to master many technologies to help organizations become more secure. People tend to forget an important factor influencing computer security: the human factor. Understanding attackers' motivations can help improve security measures.

  • Social Engineering by Aaron Dolan - April 8, 2004 

    It's not always what you know, it's who you know. Whether it is a good deal on a product, a free place to stay on a vacation or the extra edge to beat out competition for a job, knowing the right people helps people get the things they want.

  • Understanding and Auditing by Chris Jones - March 3, 2004 

    Social engineering is an oft-underestimated threat that can be guarded against through education, policies and procedures. While most companies are using training and introducing new policies and procedures to combat social engineering, the only way they can be sure these methods are effective is through auditing specifically for these types of attacks.

  • The Threat of Social Engineering and Your Defense Against It by Radha Gulati - October 31, 2003 

    This paper describes various forms of Social Engineering, its cost to the organization and ways to prevent social engineering attacks, highlighting the importance of policy and education.

  • A Multi-Level Defense Against Social Engineering by David Gragg - March 13, 2003 

    This paper will add value to the security community in three ways: by incorporating the current social psychological research into the discussion of understanding and resisting social engineering; by using the psychological literature to provide a multi-level defensive strategy for hardening employees to social engineering threats; and by developing the concept of "social engineering land mines" as a part of the multi-level defense against social engineering.

  • Corporate Espionage 201 by Shane Robinson - February 15, 2002 

    This paper presents some background information on corporate espionage, who is doing the spying, how it is being done, a few real life examples, and some guidelines to follow in order to protect a business from becoming a victim.

  • The Enemy Within: A System Administrator's Look at Network Security by Lawrence Dubin - January 7, 2002 

    This paper addresses intrusion detection and protective measures.

  • Social Engineering: A Means To Violate A Computer System by Malcolm Allen - October 12, 2001 

    The purpose of this paper is to act as a guide on the subject of Social Engineering and to explain how it might be used as a means to violate computer systems and/or compromise data, and the counter-measures that can be implemented to protect against such attacks.

  • A Proactive Defence to Social Engineering by Wendy Arthurs - August 2, 2001 

    This paper addresses the need for good policies to defend against social engineering attacks, as well as an effective, on-going security awareness program.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.