Cognitive

SocEng Deflection

Objective

Social engineering is a human attack that uses technology as a delivery mechanism. Every firewall is irrelevant if a human being can be convinced to open the door for an adversary who asks nicely. This SOP provides a structured deflection framework for front-line personnel (receptionists, helpdesk, EAs) who need simple, repeatable scripts to follow when something feels wrong.

The Adversarial Levers

Every social engineering attack uses at least two of these psychological triggers to bypass logic:

Authority & Urgency

Impersonating power to trigger deference, combined with artificial time constraints designed to force a fast, biological decision instead of a logical one.

Reciprocity & Social Proof

Doing a small favor to manufacture a social debt, or referencing other employees who have "already complied" to validate the request's legitimacy.

The V.E.R.I.F.Y. Deflection Matrix

VOICE

Voice the Pause. Say: "I want to help you with this. Let me just confirm a couple of things." This signals cooperation while buying time for the Prefrontal Cortex to re-engage.

EST.

Establish Identity Independently. Never verify using a phone number or email address the requestor provided. Look up the internal directory and initiate a new callback.

REFUSE

Refuse to Rush. Legitimate authority figures understand verification delays. Only attackers need you to act before you think. Reframe delays as ensuring accuracy.

INSPECT

Inspect for Anomalies. Notice slight spelling changes in email addresses, unfamiliar voice tones, or a suspicious absence of background noise on a phone call.

FOLLOW

Follow the Chain. Escalate ambiguous requests to Tier 2 (Supervisors). "Use your judgment" is not a valid protocol. It is an invitation to fail.

YIELD

Yield No Credentials. No employee should ever provide a password, MFA code, or API key in response to an unsolicited request. No exceptions.
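The INSPECT, EST., FOLLOW and YIELD steps can be backed by a small helpdesk triage helper. The sketch below is an added example, not part of the manual; the domain, directory entries, phone numbers and function names are constructed assumptions.

```python
# Added example: triage helper for the V.E.R.I.F.Y. steps (all data constructed).
TRUSTED_DOMAINS = {"example.com"}                # assumed organisation domain
DIRECTORY = {"cfo@example.com": "+1-555-0100"}   # assumed internal directory
CREDENTIAL_TERMS = ("password", "mfa code", "api key")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_anomaly(address):
    """INSPECT: return the trusted domain a sender imitates, else None."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:  # slight spelling change
            return trusted
    return None

def triage(claimed_identity, sender, callback_offered, text):
    """Return the deflection actions that apply to one inbound request."""
    actions = []
    if any(term in text.lower() for term in CREDENTIAL_TERMS):
        actions.append("YIELD: refuse, credentials are never shared")
    imitated = sender_anomaly(sender)
    if imitated:
        actions.append(f"INSPECT: sender domain imitates {imitated}")
    number = DIRECTORY.get(claimed_identity.lower())
    if number:
        # The callback number comes from the directory, never the requestor.
        actions.append(f"EST: call back {number}, ignore {callback_offered}")
    else:
        actions.append("FOLLOW: identity not in directory, escalate to Tier 2")
    return actions

if __name__ == "__main__":
    for step in triage("cfo@example.com", "cfo@examp1e.com",
                       "+1-555-0199", "Urgent: send me the MFA code now"):
        print(step)
```

A two-edit threshold can flag unrelated short domains, so treat an INSPECT hit as a prompt for the callback step, not as proof of impersonation.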

Full Manual Contents:

  • The "Verify & Deny" Scripting
  • Out-of-Band Verification Rules
  • Role-Play Training Methodologies
  • Live Simulation Measurement Metrics
  • Handling Executive Pushback
  • Identity Proofing Standards