The 1% Social Engineering Toolkit
The stuff that actually works. Not the GitHub list you bookmarked and forgot.
One-Line Flow: How teenagers stole hundreds of millions using phone calls, fake emails, and cloned badges โ every technique, tool, and script they used, broken down.

Why This Exists
74% of breaches involve a human getting played. Not hacked. Played.
The Awesome Social Engineering repo? Thatโs the tutorial level. This is the game.
Scattered Spider Changed Everything
A bunch of teenagers stole hundreds of millions from Fortune 500s using phone calls and fake IT tickets.
No zero-days. No nation-state backing. Just social engineering so good itโs embarrassing.
The body count:
- MGM + Caesars (2023) โ $100M+ impact
- 165+ Snowflake customers including AT&T, Ticketmaster (2024)
- Marks & Spencer, Co-op, Harrods (2025) โ ยฃ300M+ losses
๐ฏ Their Exact Playbook (CISA AA23-320A)
Full advisory: cisa.gov/news-events/cybersecurity-advisories/aa23-320a
How they get in:
| Move | What It Actually Looks Like |
|---|---|
| Help Desk Social Engineering | Call IT, claim youโre locked out, get MFA reset |
| MFA Fatigue | Spam push notifications until victim rage-accepts |
| SIM Swap | Pay carrier insider $500-$5K to port victimโs number |
| Voice Clone | AI-generate CEOโs voice from earnings call audio |
| Evilginx Phishing | Real-time session hijack, MFA means nothing |
The script that works:
โHi, this is [Name] from [Department]. Iโm locked out and have a critical deadline. My manager [Managerโs Name] is in a meeting. I just need my MFA reset โ my phoneโs acting up so Iโm calling from a different number.โ
They call end-of-day. Staff are tired. Nobody verifies.
After compromise:
- Join the companyโs incident response calls to watch them hunt
- Use legitimate tools (TeamViewer, Ngrok) so EDR sleeps
- Create fake LinkedIn profiles for cover
MITRE ATT&CK profile: attack.mitre.org/groups/G1015
BEC: The $16.6 Billion Quiet Heist
Business Email Compromise makes more money than ransomware. Nobody talks about it because thereโs no flashy ransom note.
2024 stats:
- Average loss per incident: $129,000
- AI-generated BEC emails: ~40%
- Year-over-year increase since ChatGPT: +1,760%
FBI IC3 page: fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise
๐ช The BEC Kill Chain
RECONNAISSANCE
โโ LinkedIn, SEC filings, press releases
โโ Map who approves payments, who travels when
CREDENTIAL THEFT
โโ Phish the executive or their assistant
โโ Buy creds from stealer log markets
MAILBOX TAKEOVER
โโ Set up forwarding rules (silent copy of everything)
โโ Learn their writing style, signature, emoji habits
โโ Wait for a big pending payment
STRIKE
โโ CFO is traveling? Perfect.
โโ "Urgent wire needed for confidential acquisition"
โโ "Don't discuss until announced"
CASH OUT
โโ Mule accounts โ crypto โ gone in hours
Real example: Orion (Luxembourg chemical company) lost $60 million in August 2024. One employee. Fraudulent wire instructions. Thatโs it.
SIM Swap: Your Phone Number Is a Liability
FBI IC3: $68 million stolen in 2021 alone. 5x the previous three years combined.
Jack Dorsey got SIM swapped. The SECโs Twitter account got SIM swapped. Youโre not special.
FBI PSA: ic3.gov/PSA/2022/PSA220208
๐ How It Works
1. OSINT the target (social media = security question answers)
2. Call carrier: "Lost my phone, need new SIM"
3. Pass verification with gathered PII
4. OR: Pay carrier insider ($500-$5,000 per swap)
5. Victim's phone dies. Attacker gets all SMS.
6. Trigger password resets. Intercept 2FA codes.
7. Drain everything.
The insider problem is real. Threat actors openly discuss having contacts at every major US/Canada carrier. This isnโt speculation โ itโs in their negotiations.
Deep dive: Group-IB SIM Swap Research
Voice Cloning: 5 Seconds Is All They Need
The Arup deepfake video call cost $25-39 million. CFO + colleagues. All fake. All AI.
๐ The Open-Source Pipeline
| Tool | Audio Needed | Quality | Link |
|---|---|---|---|
| Chatterbox | 5-10 sec | Beats ElevenLabs in blind tests | GitHub |
| GPT-SoVITS | 5 sec | Excellent with fine-tuning | GitHub |
| Tortoise TTS | 3 min | Highest fidelity, slow | GitHub |
| RVC | Variable | Enhancement layer | GitHub |
| XTTS v2 | 6 sec | 16 languages | Coqui AI |
Where they get voice samples:
- Earnings calls
- YouTube interviews
- Conference talks
- Podcasts
- That one LinkedIn video you posted
Googleโs own red team cloned a clientโs voice, called their employee, said โHey boss, whatโs up?โ โ employee downloaded the payload. Exercise complete.
Badge Cloning: Physical Access in 3 Seconds
Most corporate RFID systems are misconfigured. Legacy support enabled. Default keys unchanged.
๐ง The Hardware
| Device | Price | Use Case | Link |
|---|---|---|---|
| Proxmark3 RDV4 | ~$400 | Everything. Gold standard. | proxmark.com |
| Flipper Zero | ~$200 | Portable, user-friendly | flipperzero.one |
| Chameleon Ultra | ~$150 | Excellent emulation | GitHub |
Elevator proximity clone:
- Stand close to target
- Proxmark in bag, antenna facing them
- 2-3 seconds. Done.
- Clone to blank card
The pretext:
โHi, building security. Weโre upgrading card readers this week โ need to scan your badge to check compatibility. Takes one second.โ
iClass downgrade attack docs: github.com/RfidResearchGroup/proxmark3/blob/master/doc/hid_downgrade.md
Long-range gooseneck reader build: github.com/sh0ckSec/RFID-Gooseneck
ESP-RFID-Tool: github.com/rfidtool/ESP-RFID-Tool
Smishing Infrastructure: 194,000 Domains and Counting
The Smishing Triad registered 194,000+ phishing domains since January 2024.
29% active less than 2 days. 71% gone within a week. Registered in Hong Kong. Hosted on US cloud. Targeting 121+ countries.
Full report: unit42.paloaltonetworks.com/global-smishing-campaign
๐ก The Supply Chain
| Role | Job |
|---|---|
| Data Brokers | Sell phone number lists |
| Domain Sellers | Register disposable domains |
| Kit Developers | Build phishing pages + dashboards |
| SMS Spammers | Bulk delivery via SIM boxes |
| Blocklist Scanners | Rotate domains before theyโre flagged |
Underground service: Oak Tel / Carrie SMS
- Supports spoofing major US bank Sender IDs (Chase, BofA, Wells Fargo)
- ~$8 per 1,000 messages
- Operated via Telegram
Resecurity analysis: resecurity.com/blog/article/smishing-triad-is-now-targeting-toll-payment-services
Initial Access Brokers: The Ransomware Supply Chain
IABs break into networks and sell access to ransomware crews. Itโs eBay for corporate backdoors.
๐ฐ The Market
Pricing (2023-2024):
| Access Type | Price Range |
|---|---|
| RDP | $500-$5,000 |
| VPN | $1,000-$10,000 |
| Domain Admin | $10,000-$50,000+ |
Where: Exploit, XSS, RAMP forums
The pipeline:
IAB gains access โ Lists on forum โ RaaS affiliate buys โ Ransomware deployed โ Payment split (70-80% affiliate / 20-30% RaaS)
36% of listings target US companies. Finance and retail get hit hardest.
Deep dives:
Psychological Manipulation: Beyond Cialdini
Everyone knows the 6 principles. Hereโs what actually gets exploited in phishing:
๐ฏ The 10 Cognitive Biases That Work
| Bias | How Itโs Weaponized |
|---|---|
| Curiosity | โYour package has arrivedโ |
| Authority | Impersonate IT, executives, legal |
| Urgency | โ24 hours to respondโ |
| Negativity | Threats, warnings, fear |
| Conformity | โYour colleagues already completed thisโ |
| Zero-Risk | โVerify now to protect your accountโ |
The 4-Stage Hijack:
- Attention Capture โ Urgency + curiosity โ System 1 engaged
- Trust Construction โ Logos, titles, familiar domains
- Critical Bypass โ Emotion overrides analysis
- Action โ Click before thinking
Academic source: Cognitive Biases in Phishing Emails (PDF)
The Toolchain
โ๏ธ Phishing Stack
| Tool | Purpose | Link |
|---|---|---|
| Evilginx3 | Reverse proxy, captures session cookies, bypasses MFA | github.com/kgretzky/evilginx2 |
| Gophish | Campaign management + tracking | getgophish.com |
| evilgophish | Evilginx + Gophish combined | github.com/fin3ss3g0d/evilgophish |
| Modlishka | Alternative reverse proxy | github.com/drk1wi/Modlishka |
| Muraena | Transparent reverse proxy | github.com/muraena/muraena |
| SET | Social-Engineer Toolkit | github.com/trustedsec/social-engineer-toolkit |
| Zphisher | Quick phishing site generation | github.com/htr-tech/zphisher |
| SocialFish | Mobile-friendly phishing | github.com/UndeadSec/SocialFish |
Phishlets: github.com/An0nUD4Y/Evilginx2-Phishlets
Pretext templates: github.com/L4bF0x/PhishingPretexts
๐ OSINT Stack
| Tool | Use | Link |
|---|---|---|
| SpiderFoot | 200+ modules, automated recon | github.com/smicallef/spiderfoot |
| Maltego | Graph-based link analysis | maltego.com |
| Sherlock | Username across 300+ sites | github.com/sherlock-project/sherlock |
| theHarvester | Email/subdomain enumeration | github.com/laramies/theHarvester |
| Recon-ng | Modular framework | github.com/lanmaster53/recon-ng |
| GHunt | Google account intel | github.com/mxrch/GHunt |
| Holehe | Email-to-account matching | github.com/megadose/holehe |
Google dorks that work:
site:target.com filetype:pdf
"target company" filetype:xls "password"
site:linkedin.com "target company" "IT manager"
site:target.com ext:sql | ext:bak | ext:log
๐ VoIP/Caller ID Spoofing
DIY setup:
- Install Asterisk on VPS
- Register with VoIP provider (Skyetel, Telnyx)
- Get DID (~$0.50/month)
- Configure custom Caller ID in dialplan
- Spoof away
Tools:
- Viproy (Metasploit VoIP toolkit)
- inviteflood (Kali Linux)
- SIPVicious
Guides:
Spoofing itself isnโt illegal (US). Misrepresenting identity for fraud is.
FBI Elicitation Techniques
The 20 techniques. The ones that actually matter:
| Technique | How It Works |
|---|---|
| Assumed Knowledge | Pretend you already know; they fill gaps |
| Deliberate False Statement | Say something wrong; they correct you |
| Flattery | Compliment expertise; they elaborate |
| Silence | Let the uncomfortable pause do the work |
| Bracketing | Estimate high/low; they correct to real number |
| Quid Pro Quo | Share first; reciprocity triggers |
Chain them: Flattery โ Assumed Knowledge โ Silence โ Feigned Ignorance
Vishing best practices: social-engineer.org
DEF CON SECTF
Since DEF CON 18. Contestants vish real Fortune 500 companies from a soundproof booth. Live audience watches.
Flags: OS versions, browser types, VPN vendors, org charts, cafeteria vendor names.
Winner gets: Black badge (lifetime DEF CON entry).
Communities:
- se.community (SECVC Discord)
- BREAKDEV Discord (Evilginx)
SE Village: sevillage.org
Red Team Resource Repos
| Repository | Content |
|---|---|
| Red-Teaming-Toolkit | Comprehensive tool list |
| Awesome-Red-Teaming | Books, courses, resources |
| red-team-scripts | Scripts and automation |
| awesome-phishing | Phishing-specific collection |
| Awesome-Cybersecurity-Handbooks | Cheatsheets |
Glossary
| Term | Meaning |
|---|---|
| PhaaS | Phishing-as-a-Service |
| IAB | Initial Access Broker |
| MFA Fatigue | Push bomb until they accept |
| Phishlet | Evilginx config file |
| Stealer Logs | Creds from infostealer malware |
| Blitz Price | Buy-now price vs auction |
| VEC | Vendor Email Compromise |
| PACS | Physical Access Control System |
| SID | Sender ID (SMS spoofing) |
Sources
- CISA AA23-320A (Scattered Spider)
- Microsoft Octo Tempest Analysis
- Palo Alto Unit42 Smishing Triad
- FBI IC3 Reports
- KELA IAB Research
- Flare Threat Intelligence
- Resecurity
- Verizon DBIR
- Proxmark3 Docs
For authorized security testing only. Social engineering without explicit authorization is illegal. Know your laws. Get permission. Document everything.
!