Insider Threat Matrix™Insider Threat Matrix™
  • ID: PR022
  • Created: 26th July 2024
  • Updated: 07th July 2026
  • MITRE ATT&CK®: T1566T1566.001T1566.002T1566.003T1566.004
  • Contributor: The ITM Team

Social Engineering (Outbound)

A subject deceptively manipulates and/or persuades others in order to gain access to devices, systems or services that hold sensitive information, or to otherwise cause harm or undermine a target organization.

Subsections (4)

ID Name Description
PR022.001Outbound Social Engineering via Email

A subject uses email to deceive, manipulate, or persuade another person into disclosing information, performing an action, approving a request, or enabling access that may support a later infringement. The subject may send messages from a corporate mailbox, personal account, spoofed address, compromised account, or third-party service in order to create a convincing pretext.

 

This behavior may involve impersonating a colleague, manager, vendor, customer, service provider, or trusted authority. The subject may use urgency, confidentiality, procedural familiarity, or organizational context to influence the recipient’s decision-making. The intended outcome may include obtaining credentials, internal process information, sensitive documents, access approvals, financial changes, or other information or actions that prepare the subject for further misuse.

PR022.004Outbound Social Engineering via In-Person Interaction

A subject uses direct face-to-face interaction to deceive, manipulate, pressure, or persuade another person into disclosing information, granting access, overlooking a control, or performing an action that may support a later infringement. This behavior may occur in offices, reception areas, secure facilities, shared workspaces, events, meetings, or other physical environments where the subject can influence another person through direct conversation.

 

This behavior may involve impersonation, confidence-building, exploitation of familiarity, false authority, urgency, distraction, or procedural manipulation. The subject may target reception staff, security personnel, colleagues, managers, contractors, vendors, or visitors depending on the access or information required. The intended outcome may include physical entry, badge-assisted access, disclosure of internal procedures, access approval, document retrieval, system use, or the weakening of a control through interpersonal influence.

PR022.003Outbound Social Engineering via SMS or Messaging

A subject uses SMS, mobile messaging, or collaboration messaging platforms to deceive, manipulate, or persuade another person into disclosing information, clicking a link, approving access, moving a conversation to another channel, or performing an action that may support a later infringement. This may involve corporate messaging tools, personal messaging applications, mobile numbers, or externally hosted communication services.

 

This behavior may exploit the informal, immediate, and trusted nature of messaging channels. The subject may rely on urgency, familiarity, limited message context, or out-of-band communication to reduce scrutiny and influence the recipient’s response. The intended outcome may include credential capture, information disclosure, access approval, link interaction, process bypass, or coordination of activity outside formal organizational workflows.

PR022.002Outbound Social Engineering via Voice

A subject uses voice communication to deceive, pressure, or persuade another person into disclosing information, changing a control, approving access, or taking an action that may support a later infringement. This may occur through corporate telephony, mobile calls, voice over IP services, conference platforms, helpdesk calls, or external calling infrastructure.

 

This behavior may involve impersonation, false authority, urgency, familiarity, or procedural manipulation. The subject may contact service desk personnel, administrators, reception staff, colleagues, vendors, or other individuals who can influence access, identity verification, physical entry, operational processes, or administrative controls. The intended outcome may include account recovery, password reset assistance, disclosure of internal procedures, access approval, security exception handling, or other enabling action.