Introduction

“There was no such thing as a fair fight. All vulnerabilities must be exploited.”

—Cary Caffrey

Social engineering. Those two words have become a staple in most IT departments and, after the last couple years, in most of corporate America, too. One statistic states that more than 60 percent of all attacks had the “human factor” as either the crux of or a major piece of the attack. Analysis of almost all of the major hacking attacks from the past 12 months reveals that a large majority involved social engineering—a phishing e-mail, a spear phish, or a malicious phone call (vishing).

I have written two books analyzing and dissecting the psychology, physiology, and historical aspects of con men, scammers, and social engineers. And in doing so, I have found that one recent theme comes up, and that is e-mail. Since its beginning, e-mail has been used by scammers and social engineers to dupe people out of credentials, money, information, and much more.

In a recent report, the Radicati Group estimates that in 2014 there was an average of 191.4 billion e-mails sent each day. That equates to more than 69.8 trillion e-mails per year.1 Can you even imagine that number? That is 69,861,000,000,000— staggering, isn't it? Now try to swallow that more than 90 percent of e-mails are spam, according to the information on the Social-Engineer Infographic.2

E-mail has become a part of life. We use it on our computers, our tablets, and our phones. In some groups of people that I've worked ...

Get Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.