Non-Lawyers' Summary

Social engineering — phishing, vishing, pretexting, impersonation — sits in a legal no-man's-land where a signed pen test scope letter often provides less protection than operators assume. Federal wire fraud (18 U.S.C. § 1343), impersonation statutes (18 U.S.C. § 912), ECPA wiretapping (18 U.S.C. § 2511), and state all-party-consent recording laws can all reach conduct that a client explicitly authorized, because a company cannot legally authorize a tester to commit fraud against its own employees or record calls without those employees' consent. This module maps every major social engineering technique to the exact statutes that govern it, the case law that defines liability limits, and a clear safe/grey/red matrix for practitioners.


Without warning, the bank's HR director received an email from the CEO. The subject line was urgent. The message was urgent. The tone was exactly right — terse, executive, unmistakably him. She clicked the link, entered her corporate credentials, and forwarded the thread to payroll as instructed. The wire transfer was processed within twenty minutes. The "CEO" was a pen tester. His scope letter, signed by the bank's CISO, said social engineering was authorized. His attorney would spend the next fourteen months arguing that authorization.

The problem was not the phishing. The problem was what happened after. The tester had pivoted on the captured credentials — accessed the HR director's email, downloaded a personnel file to demonstrate the depth of the compromise, and included a screenshot of it in his report. That screenshot contained real employee Social Security numbers. The scope letter had authorized "credential harvesting." It said nothing about data exfiltration. And the moment he downloaded that file, he was no longer a pen tester demonstrating a vulnerability. He was, under federal law, a person who had obtained property by means of a fraudulent scheme transmitted over interstate wires.

The line between authorized social engineering and federal wire fraud is not drawn by your scope letter. It is drawn by what you do with what you take, who actually suffers harm, and whether any statute exists that the company cannot legally authorize you to violate in the first place. There are several. This module maps all of them.


What This Module Answers Fast

  • My scope letter says "phishing employees is authorized" — can I be prosecuted for wire fraud? → Possibly yes. Authorization by the company does not eliminate the "scheme to defraud" element if the employees themselves never consented and suffered cognizable harm (emotional, privacy, or data harm). The answer depends on what you did with the captured credentials.
  • I recorded a vishing call without telling the target. Legal? → Federal ECPA § 2511 requires at least one-party consent — so if you are a party, federal law is satisfied. But California, Florida, Illinois, and 12 other states require ALL-PARTY consent. A call touching a California employee from any state is exposed under CA Penal Code § 632.
  • I pretexted as a vendor to a bank employee to get account info. My client is the bank. → This is GLBA pretexting (15 U.S.C. § 6821) regardless of client authorization. The FTC has taken enforcement action on exactly this scenario.
  • I spoofed caller ID to show "IT Helpdesk" on the call. Is that the Truth in Caller ID Act? → Yes, 47 U.S.C. § 227(e). The statute makes spoofing illegal only when done "with intent to defraud, cause harm, or wrongfully obtain anything of value." Pen test intent is a defense argument, not a statutory exemption.
  • My phishing email sent malware that accidentally damaged a server. → CFAA § 1030(a)(5)(A) — intentional damage — and potentially wire fraud § 1343 apply simultaneously. Scope authorization for phishing does not authorize damage.

1. Wire Fraud Exposure — 18 U.S.C. § 1343

The Anatomy of a "Scheme"

The email looked exactly like it was from the CEO. It asked for wire transfer instructions. The employee complied. Whether the person who sent it was a criminal or a pen tester came down to one question: was there a scheme to defraud?

18 U.S.C. § 1343 criminalizes using "any wire, radio, or television communication in interstate or foreign commerce" as part of a "scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises." Maximum penalty: 20 years per count (30 years if the fraud affects a financial institution or is related to a federally declared disaster).

Elements the government must prove:

  1. The defendant voluntarily and intentionally devised or participated in a scheme to defraud.
  2. The scheme involved material misrepresentations.
  3. The defendant used interstate wires in furtherance of the scheme.
  4. The defendant intended to defraud.

The Case That Defined the Limit — United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997)

He browsed records he shouldn't have. He looked at political opponents. He looked at acquaintances. He never took anything, never profited, never disclosed what he found. The government charged wire fraud. The First Circuit said no.

United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997) is the case that defines the outer boundary. Czubinski was an IRS employee who browsed taxpayer records without authorization — including records of political opponents and acquaintances — but took no data, profited nothing, and disclosed nothing. The First Circuit reversed his wire fraud conviction because browsing alone, without an actionable "scheme" to obtain money or property, did not satisfy the § 1343 elements. Mere unauthorized snooping was not wire fraud.

Czubinski's significance for social engineering: authorization by the client company does not, by itself, defeat the scheme-to-defraud element; the key exculpatory fact is the absence of intent to obtain "money or property." A vishing caller who extracts credentials but then immediately hands them to the client without exploiting them further occupies the same space Czubinski did — arguably no completed scheme to defraud. But a tester who uses extracted credentials to move laterally, access data, or demonstrate account takeover is walking directly into scheme-to-defraud territory, because "property" under McNally v. United States and Carpenter v. United States includes intangible property rights, including the right to control confidential information.

When Authorization Eliminates Exposure — And When It Doesn't

A scope letter that explicitly authorizes phishing and vishing eliminates the "intent to defraud" element only if:

  • The tester takes no more than the scope authorizes.
  • The tester does not actually convert any obtained asset.
  • The client has legal authority to authorize the specific conduct (see Section 8 on third-party harm).

Authorization does NOT eliminate wire fraud exposure when the phishing email itself makes materially false statements that target employees reasonably rely on to their detriment — for example, a credential harvest that causes an employee to change their password and lose access to business-critical accounts temporarily. Harm flows not from the tester's intent but from the causal chain.


2. Federal Impersonation Statutes

2.1 — The Line You Cannot Cross, No Matter What Your Contract Says

The scope letter said "social engineering is authorized." The tester memorized his cover story. He walked into the building and told the security guard he was with the FBI. That single word — "FBI" — crossed a line that no scope letter in existence can touch.

False Personation of a Federal Officer — 18 U.S.C. § 912

Section 912 makes it a federal felony to impersonate a federal officer, agent, or employee with the intent to deceive. Penalty: up to 3 years. This is not a misdemeanor. Relevant scenarios:

  • Impersonating an FBI agent during a physical pen test to gain access to a server room: § 912 felony regardless of scope letter. The target company cannot authorize the tester to impersonate federal law enforcement against its own employees or third parties.
  • Impersonating an FDIC examiner to social engineer a bank: § 912 applies. FDIC impersonation has resulted in prosecutions in financial sector social engineering fraud cases (see Real Cases, Section 10).
  • Impersonating a TSA inspector at a facility: § 912 + potentially 49 U.S.C. § 46314 (airport security impersonation), both felonies.

No scope letter, no matter how broad, can authorize § 912 impersonation because the statute protects the integrity of federal authority, not just the interests of the client.

2.2 — The Fake Badge in Your Toolkit: Identity Document Fraud — 18 U.S.C. § 1028

Section 1028 targets production, transfer, or use of false identification documents. Creating a fake "FBI credentials" badge or a counterfeit corporate ID card to use during a physical social engineering engagement is § 1028 exposure. Penalty: up to 15 years if the fraud "facilitates a drug trafficking crime or act of terrorism"; up to 5 years for standard violations.

Key practice issue: many physical pen test kits include prop credentials. If those props are "document-like" — laminated cards formatted to resemble genuine ID documents — § 1028(a)(2) (transferring a "document-making implement" or false identification document) applies even to props never intended for actual fraud. The scope letter is a defense argument, not an immunity grant.

2.3 — Impersonating Vendors and IT Support: Wire Fraud in Disguise

Impersonating a vendor ("Hi, I'm from Microsoft — we need your credentials to update your account") or IT helpdesk is not covered by § 912 (not a federal officer) but is squarely within § 1343's "false pretenses" element if there is any property obtained. This is the most common social engineering vector in both legitimate pen tests and criminal BEC schemes, which is why courts apply the same statute to both.


3. ECPA/Wiretapping Exposure — 18 U.S.C. § 2511

He pressed record the moment the mark picked up. Under federal law, that was fine — he was a party to the call. But the mark was sitting in a San Francisco office. That changed everything.

The Electronic Communications Privacy Act, 18 U.S.C. § 2511, prohibits intentional interception of wire, oral, or electronic communications. The federal statute contains a critical exception: a participant in the conversation may record it without the other party's consent (18 U.S.C. § 2511(2)(d) — the "one-party consent" rule). This means a vishing caller who is a party to the call is not intercepting it under federal law.

However, § 2511(2)(d) carves out cases where the interception is done for "the purpose of committing any criminal or tortious act." If the vishing call is part of an unauthorized scheme — i.e., the scope letter is defective — the exception collapses and § 2511 exposure revives.

11 states plus Washington D.C. require all-party (two-party) consent to record a phone call: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington.

California Penal Code § 632 is the most litigated. It prohibits recording a "confidential communication" without the consent of all parties, regardless of where the recorder is located, if any party to the call has a reasonable expectation of privacy. Penalty: up to $2,500 per violation plus potential criminal misdemeanor. In civil litigation, evidence obtained in violation of § 632 is inadmissible under § 632(d).

Practice implication: A red team operator in Texas (a one-party-consent state) who calls a California employee and records the conversation without disclosure violates California Penal Code § 632 even though the operator is not physically in California. California courts have exercised jurisdiction in these scenarios. The safe practice is to always announce recording at the start of a vishing call, even though this undermines the pretext — or to obtain written consent from all employees before the engagement begins (common in red team master service agreements).

Credential Capture via Vishing

Capturing credentials during a vishing call is not "interception" under ECPA — it is the content of a communication the tester is party to. The ECPA issue arises when the tester routes the call through equipment that stores or retransmits the audio to a third party (e.g., an operator monitoring the call from a separate terminal). That configuration creates a § 2511 interception issue for the monitoring party even if the primary caller has one-party consent.


4. Pretexting Under GLBA — 15 U.S.C. §§ 6821–6827

The Bank Hired You. That Doesn't Mean You Can Lie to Its Customers.

She called the bank pretending to be an IT vendor. The bank was her client. The bank told her the engagement was authorized. What nobody told her was that the statute she was about to violate existed to protect the bank's customers — not the bank.

Scope of the Prohibition

The Gramm-Leach-Bliley Act's pretexting provisions (15 U.S.C. § 6821) prohibit obtaining "customer information of a financial institution relating to another person" through "false, fictitious, or fraudulent statements or representations." Penalty: up to 5 years imprisonment under § 6823.

This statute reaches any person who uses false pretenses to obtain financial records — including authorized pen testers. The FTC has taken enforcement action against data brokers who "pretexted" financial institutions, and there is no explicit pen test exemption in the statute or its implementing regulations.

FTC Enforcement and Pen Testing Banks

In FTC v. Hewitt (and related FTC actions against pretexting data brokers, 2006–2010), the Commission confirmed that §§ 6821–6827 apply broadly to any third party — not just the financial institution itself — who engages in pretexting to obtain customer financial records. A pen tester who calls a bank employee pretending to be an IT vendor and extracts customer account numbers or login credentials has likely violated § 6821, even if the bank hired the pen tester.

The gap: GLBA pretexting protects customer information. If the pen tester only extracts employee credentials and does not reach customer account data, § 6821 does not apply. But any scenario where the social engineering path touches customer records — even transiently — triggers GLBA exposure.

Practical Safe Harbor

Document explicitly in the scope of work that the engagement will NOT involve accessing or obtaining customer financial data. Require the client to quarantine customer data from any systems the tester will target. Include a GLBA-specific representation in the authorization agreement indemnifying the tester for any incidental exposure to customer financial records.


5. Email Phishing — CAN-SPAM, CFAA, and Wire Fraud

The Beacon That Became a Crime Scene

The phishing email went out at 9 AM. By 9:43 AM, one employee had clicked the link and the beacon had executed. It was a benign payload. It was also a CFAA event.

CAN-SPAM Act — 15 U.S.C. § 7701

The CAN-SPAM Act applies to commercial electronic mail messages — email sent for commercial advertising or promotion. A pen test phishing email is typically not commercial in nature and therefore not covered by CAN-SPAM. However, if the phishing email mimics a commercial email (e.g., a fake invoice from a vendor, a fake PayPal notification) and is sent to employees at scale, the line blurs.

CAN-SPAM penalties are primarily civil (up to $51,744 per violation under FTC enforcement as of 2024) and are almost never applied to pen test scenarios. The statute is included here because criminal CAN-SPAM violations (18 U.S.C. § 1037) apply when email is used in connection with other offenses including identity theft and wire fraud — creating a sentencing enhancement risk when phishing is part of a larger unauthorized engagement.

CFAA § 1030(a)(5) — Damage via Malware Payload

A phishing email that delivers a malware payload — even a benign payload like a "beacon" or a credential harvester — triggers CFAA § 1030(a)(5) analysis. Section 1030(a)(5)(A) requires intentional damage; § 1030(a)(5)(B) requires intentional transmission and negligent causation of damage. "Damage" under CFAA § 1030(e)(8) means "any impairment to the integrity or availability of data, a program, a system, or information."

A beacon that establishes a C2 connection causes "impairment to the integrity" of the target system even without destroying data — because it modifies the system's operation. Scope authorization for "phishing" does not necessarily include authorization for "code execution on target systems," and many scope letters are silent on this distinction. The prudent practice is to explicitly list in the scope letter: phishing email (credential harvest only), phishing with macro/payload execution, or phishing with persistence establishment — each as a separately authorized capability.

Wire Fraud as the Wrapper Offense

Prosecutors routinely charge phishing as wire fraud (§ 1343) rather than CFAA because wire fraud carries higher sentences, applies extraterritorially more easily, and has no minimum damage threshold. Every phishing email is an interstate wire communication. The scheme-to-defraud element is satisfied by the email's false representation of sender identity. For unauthorized phishing, this is a straightforward charge. For authorized pen test phishing gone wrong, see Section 1.


6. SMS/Vishing Attacks — TCPA and Truth in Caller ID Act

Your Caller ID Lie Has Its Own Federal Statute

The number on the screen said "IT Helpdesk." It wasn't. Somewhere in the FCC's rulebook, that fact was already a violation waiting to be triggered.

TCPA Bulk SMS — 47 U.S.C. § 227

The Telephone Consumer Protection Act prohibits sending unsolicited text messages using an automatic telephone dialing system (ATDS) to a cell phone without prior express consent. Penalty: $500–$1,500 per message. A SMiShing campaign sending bulk SMS to employee cell phones — even within an authorized engagement — may violate TCPA if the sending system qualifies as an ATDS and the employees have not consented to receive those messages.

Courts have split on what constitutes an "ATDS" after Facebook v. Duguid, 592 U.S. 395 (2021), which narrowed the definition to systems that use a random or sequential number generator to dial. A targeted list of specific employee numbers may not trigger TCPA. But a mass-SMS tool configured to send to an employee directory import could.

Client authorization does not eliminate TCPA liability because the statute protects individual cell phone subscribers, not the employer who hired the pen tester. Employees have standing to sue under TCPA's private right of action.

Truth in Caller ID Act — 47 U.S.C. § 227(e)

The Truth in Caller ID Act prohibits "knowingly transmit[ting] misleading or inaccurate caller identification information with the intent to defraud, cause harm, or wrongfully obtain anything of value." Two critical points:

"Intent to defraud, cause harm, or wrongfully obtain anything of value" is a conjunctive requirement. A pen tester spoofing the target company's own IT helpdesk number, with explicit authorization, and with the documented intent of testing employee security awareness — argues no intent to defraud, cause harm, or wrongfully obtain value. This is the strongest safe harbor argument for caller ID spoofing in an authorized engagement.

But: If the spoofed call extracts credentials that the tester then uses in any unauthorized way, or if the employee suffers account lockout or data loss as a result of acting on the spoofed call, the "cause harm" prong is satisfied and the safe harbor collapses.

FCC enforcement: The FCC issued rules implementing the Truth in Caller ID Act (47 C.F.R. § 64.1604) and has fined robocallers up to $225 million. Enforcement against individual pen testers has not occurred, but the statutory exposure exists.


7. State Deceptive Practices Laws

California Business & Professions Code § 17200

California's Unfair Competition Law (UCL) prohibits "any unlawful, unfair, or fraudulent business act or practice." Section 17200 is extraordinarily broad — it borrows violations from other statutes ("unlawful" prong) and independently captures conduct that is "unfair" even if not illegal. A social engineering engagement that causes California employees to suffer data exposure, account compromise, or workplace harm could support a § 17200 claim by a California AG or private plaintiff (via Proposition 64 standing requirements).

The UCL is primarily civil, but injunctive relief and restitution orders can end a security firm's engagement with California clients. The statute has no pen test exemption.

State Computer Crime Laws Reaching Social Engineering

Several states criminalize social engineering even without technical access to computer systems:

  • California Penal Code § 502(c)(1): "Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network." Accessing data through socially engineered credentials is "access without permission" from the employee who was deceived.
  • New York Penal Law § 156.05 (Unauthorized Use of a Computer): accesses a computer "without authorization," which New York courts have interpreted to include access obtained through false pretenses.
  • Texas Penal Code § 33.02: Breach of computer security — includes access obtained through deception.
  • Florida Statutes § 815.06: Offenses against computer users — covers "willfully, knowingly, and without authorization" accessing a computer, with social engineering as a recognized unauthorized access vector.

None of these statutes have express pen test exemptions. Authorization from the employer is the primary defense, but the third-party employee consent problem (Section 8) applies in every state.


8. The Authorization Gap No One Talks About

What a Company Can and Cannot Sign Away on Behalf of Its People

The company signed the contract. The CISO approved the engagement. The scope letter covered phishing. But nobody told the employee — and that employee has rights the company cannot waive.

What a Company Can and Cannot Authorize

A corporation can authorize a pen tester to:

  • Send phishing emails to corporate email addresses the company controls.
  • Attempt to access systems the company owns.
  • Conduct vishing against employees on company-owned phone extensions.

A corporation cannot authorize a pen tester to:

  • Record personal cell phone conversations of employees without those employees' consent (employees' statutory rights under ECPA and state wiretap laws are not waivable by their employer).
  • Extract personal credentials (e.g., an employee's reused Gmail password) — those belong to the employee, not the company.
  • Cause emotional distress or personal harm to employees, even in service of a security test (state tort law applies; the company cannot consent to tortious acts against its own employees on behalf of a contractor).
  • Impersonate federal officers (§ 912 — no third-party authorization possible).
  • Commit GLBA pretexting against customer records (§ 6821 — the customer's privacy rights are not owned by the financial institution).

Third-Party Harm: The Critical Boundary

When phishing targets a company employee, there are two parties: the company (client) and the employee (individual). The company can consent on its own behalf but not on behalf of the employee's personal legal interests. This creates the authorization gap:

  • Authorized by company: access to company systems via employee credentials.
  • NOT authorized by anyone: the employee's right not to be deceived, the employee's personal data captured during the deception, and the employee's cell phone privacy.

Courts have not yet settled this question in the pen test context, but the framework from Van Buren v. United States, 593 U.S. 374 (2021) is instructive: authorization must come from the holder of the relevant interest, not a third party. The company holds the interest in its systems; employees hold the interest in their personal data and communications.

Practical Mitigation: The Pre-Engagement Notice Solution

The most reliable mitigation is HR-level notice to all employees: "The company engages periodic security testing including simulated phishing and phone-based social engineering. Participation in company systems constitutes consent to such testing." This notice, when properly documented, effectively converts employees from non-consenting third parties into informed participants — closing the ECPA recording gap, the TCPA gap, and the state wiretap gap for company-owned communications.


9. Safe / Grey / Red Matrix

Phishing email (credential harvest only)
  • Safe: Written scope authorization; no malware; no customer data reached
  • Grey: Authorization exists but scope is ambiguous on payload type
  • Red: No authorization; malware payload; customer data extracted

Vishing (recording the call)
  • Safe: One-party-consent state; tester is a party; no all-party-consent-state employee on the call
  • Grey: All-party-consent-state employee; HR notice given but not individually confirmed
  • Red: No notice; California/Florida/Illinois employee; third party monitoring the call

Pretexting as vendor/IT support
  • Safe: Explicit scope authorization; no GLBA-covered data reached; no § 912 officer impersonation
  • Grey: Authorization exists; call touches financial data incidentally
  • Red: GLBA customer records obtained; no scope authorization; bank target without explicit GLBA carve-out

Impersonating IT helpdesk
  • Safe: Written scope; caller ID spoofs company's own number; Truth in Caller ID "no intent to harm" documented
  • Grey: Caller ID spoofed; authorization unclear; employee suffers account lockout
  • Red: Federal officer impersonated (§ 912 felony — always red regardless of authorization)

SMiShing (bulk SMS)
  • Safe: Targeted list of corporate numbers; non-ATDS system; scope authorized
  • Grey: ATDS-adjacent system; employee personal cell numbers included; no TCPA analysis performed
  • Red: Mass SMS to personal numbers without consent; ATDS used; no scope authorization

LinkedIn research (OSINT)
  • Safe: Passive viewing of public profiles
  • Grey: Scraping at scale (LinkedIn ToS violation — civil, not criminal)
  • Red: Creating fake personas to interact with employees (§ 1343 wire fraud risk if scheme element present)

Dumpster diving
  • Safe: Off-premises dumpster in public space; no trespass
  • Grey: Mixed commercial/residential facility; ambiguous trespass zone
  • Red: Trespass required; municipal ordinances prohibiting; secure document destruction zone entered

Shoulder surfing
  • Safe: Public area; no recording device
  • Grey: Recording with device in all-party-consent state
  • Red: Entering restricted area to observe; recording without consent

10. Real Cases: Prosecutions for Social Engineering

10.1 Seven Years, One Bribery Scheme — United States v. Fahd, 2019 (CDCA)

For seven years, Muhammad Fahd ran a social engineering operation that didn't look like hacking. It looked like LinkedIn recruitment and then cash payments. He targeted AT&T customer service employees — not their systems. The employees did the rest.

Fahd orchestrated a seven-year scheme bribing AT&T customer service employees to unlock AT&T-branded phones for resale, and later to install malware on AT&T internal systems. Social engineering was the access vector: Fahd recruited insiders via social media ("LinkedIn-style" contact), then escalated to direct bribery. Fahd was convicted of wire fraud conspiracy (§ 1343) and conspiracy to violate CFAA. Sentence: 12 years. The case establishes that social engineering of insiders — even non-technical social engineering — supports wire fraud conspiracy charges when money or property flows as a result.

10.2 The Twitter Heist — United States v. O'Connor, 2023 (SDNY); United States v. Clark, 2020 (NDCA)

In July 2020, the most famous accounts on Twitter — Barack Obama, Elon Musk, Jeff Bezos, Joe Biden — all began tweeting the same message: "Send Bitcoin and I'll send double back." The technical hack was simple. The social engineering that enabled it was not.

Joseph O'Connor (aka "PlugwalkJoe") was convicted in 2023 of wire fraud, computer fraud, and cyberstalking arising from SIM swap attacks that hijacked Twitter executives' phone numbers during the July 2020 Bitcoin scam. The SIM swap was executed by social engineering T-Mobile and AT&T customer service representatives — no technical hacking required. Sentence: 5 years. Wire fraud charged under § 1343 because the phone calls to carrier customer service were interstate wires in furtherance of the scheme.

Graham Ivan Clark ("Kirk"), then 17, was the Twitter insider who executed the actual account takeovers after O'Connor's SIM swaps. Clark pleaded guilty in Florida state court (the case was declined by federal prosecutors due to his age) to fraud and computer crime charges. The prosecution confirms: social engineering of a company's own employee (Clark was bribed/socially engineered) carries the same criminal exposure as technical hacking.

10.3 The Scale of Industrialized Deception — United States v. Ogoshi, 2023 (D.Nev.)

Business Email Compromise (BEC) is industrialized social engineering at scale. Nigerian-based BEC operators were convicted of wire fraud (§ 1343) for sending phishing and spear-phishing emails impersonating vendors and executives to trick companies into wiring funds to attacker-controlled accounts. The social engineering element — impersonating a known vendor via email — was the entire offense. The phishing emails were the "wire" under § 1343. Combined losses across all defendants in DOJ's 2023 BEC enforcement sweep exceeded $55 million.

10.4 The Federal Impersonation Bright Line — FTC and DOJ FDIC Actions, Ongoing

The FTC and DOJ regularly prosecute fraud schemes involving impersonation of FDIC examiners to social engineer bank customers and bank employees. While most prosecuted cases involve fraud against civilians (not authorized pen tests), the prosecutions confirm that § 912 applies to banking-sector impersonation and that no authorization from the bank can legalize the impersonation of a federal regulator.


11. Checklist: Before Any Social Engineering Engagement

  1. Scope specificity: Does the authorization letter explicitly name each technique (phishing email, vishing, SMiShing, pretexting, physical impersonation)?
  2. Malware authorization: If a phishing payload will execute code, is code execution explicitly authorized? On which specific systems?
  3. Recording state check: Identify the state of every employee on the vishing call list. Flag all-party-consent states. Obtain individual consent or restrict calls to one-party-consent states.
  4. GLBA check: Is the target a financial institution or does any social engineering path touch customer financial records? If yes, add a GLBA carve-out to the scope agreement.
  5. No federal officer impersonation: Confirm the engagement plan contains zero impersonation of federal agents, officers, or regulators. This is a hard line — not negotiable regardless of client instruction.
  6. Cell phones: Are employee personal cell phone numbers included in the target list? If yes, TCPA analysis required before bulk SMS.
  7. Caller ID spoofing: Document in writing that caller ID spoofing is authorized, the numbers that will be spoofed, and that the purpose is security testing (Truth in Caller ID Act "no intent to defraud" documentation).
  8. Post-engagement credential destruction: All credentials captured during social engineering must be destroyed immediately after demonstration — retaining them beyond the engagement creates constructive CFAA and wire fraud exposure.
  9. Employee HR notice: Confirm whether the client has issued a blanket security testing notice to employees. If not, recommend doing so before the engagement begins.
  10. GLBA/State law representations: Obtain written representations from the client that they have authority to authorize the engagement and that they will indemnify the tester for any third-party claims arising from employee ECPA, TCPA, or state wiretap claims.
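As an added illustration (not part of this module or of any vendor's tooling), the checklist above and the Safe/Grey/Red matrix in Section 9 can be encoded as a scope-review script that is run against the engagement plan before the first email or call goes out. The plan dictionary, its field names, and the sample engagement are hypothetical and constructed for this example; the all-party-consent state list is the one this module gives in Section 3, and the rule thresholds follow the matrix (federal-role impersonation and a bank target without a GLBA carve-out are red, an HR notice without individual consent is grey).

```python
"""Pre-engagement scope review for social engineering tests (added example).

Applies the Section 11 checklist and the Section 9 matrix to a plan dictionary
and returns findings. The plan schema is hypothetical, chosen for this example.
"""
from __future__ import annotations
import re

# States this module lists as all-party consent for recording (Section 3).
ALL_PARTY_CONSENT = {
    "CA", "CT", "FL", "IL", "MD", "MA", "MI", "MT", "NV", "NH", "OR", "PA", "WA",
}

# Role words the module treats as federal impersonation, always red (§ 912).
FEDERAL_ROLES = {"fbi", "fdic", "tsa", "federal"}


def review_engagement(plan: dict) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs; severity is 'red' or 'grey'."""
    findings: list[tuple[str, str]] = []
    authorized = {t.lower() for t in plan.get("authorized_techniques", [])}
    planned = {t.lower() for t in plan.get("planned_techniques", [])}

    # 1. Scope specificity: every planned technique must be named in writing.
    for tech in sorted(planned - authorized):
        findings.append(("red", f"'{tech}' is planned but not named in the scope letter"))

    # 2. Payload execution is a separately authorized capability (Section 5).
    if plan.get("phishing_payload") and "code execution" not in authorized:
        findings.append(("red", "phishing payload executes code but code execution is not authorized"))

    # 3. Recording: all-party-consent states need individual consent; HR notice alone is grey.
    hr_notice = bool(plan.get("hr_notice_issued"))
    if plan.get("record_calls"):
        if plan.get("third_party_monitoring"):
            findings.append(("red", "a third party monitors recorded calls (§ 2511 interception issue)"))
        for target in plan.get("vishing_targets", []):
            state = target["state"].upper()
            if state in ALL_PARTY_CONSENT and not target.get("individual_consent"):
                sev = "grey" if hr_notice else "red"
                findings.append((sev, f"{target['name']} is in all-party-consent state {state} without individual consent"))

    # 4. GLBA: a financial-institution client needs an explicit customer-data carve-out (Section 4).
    if plan.get("client_is_financial_institution") and not plan.get("glba_carve_out"):
        findings.append(("red", "financial institution target without a GLBA customer-data carve-out"))

    # 5. Federal officer impersonation is red regardless of authorization (§ 912).
    for role in plan.get("impersonation_roles", []):
        if set(re.findall(r"[a-z]+", role.lower())) & FEDERAL_ROLES:
            findings.append(("red", f"plan impersonates a federal role ('{role}'); no scope letter can authorize this"))

    # 6. SMS to personal numbers needs a TCPA analysis; an ATDS without consent is red (Section 6).
    personal = [t for t in plan.get("sms_targets", []) if t.get("personal")]
    if personal:
        if plan.get("atds_used") and not plan.get("sms_consent_obtained"):
            findings.append(("red", "ATDS-class sender used against personal cell numbers without consent"))
        elif not plan.get("tcpa_analysis_done"):
            findings.append(("grey", f"{len(personal)} personal cell number(s) targeted without a TCPA analysis"))

    # 7. Caller ID spoofing: authorization, numbers and testing purpose documented in writing.
    if plan.get("caller_id_spoofing") and not plan.get("spoof_documentation"):
        findings.append(("grey", "caller ID spoofing planned without written 'no intent to defraud' documentation"))

    # 8. Captured credentials must be destroyed right after demonstration.
    if not plan.get("credential_destruction_committed"):
        findings.append(("grey", "no written commitment to destroy captured credentials after demonstration"))

    # 9. A blanket HR notice converts employees into informed participants (Section 8).
    if not hr_notice:
        findings.append(("grey", "client has not issued a blanket security-testing notice to employees"))

    return findings


def classify(findings: list[tuple[str, str]]) -> str:
    """Overall rating: any red finding is red, otherwise any grey is grey, else safe."""
    severities = {sev for sev, _ in findings}
    if "red" in severities:
        return "red"
    return "grey" if "grey" in severities else "safe"


# Constructed sample plan (hypothetical engagement, not a real client).
SAMPLE_PLAN = {
    "client_is_financial_institution": True,
    "glba_carve_out": False,
    "authorized_techniques": ["phishing email", "vishing", "pretexting"],
    "planned_techniques": ["phishing email", "vishing", "smishing"],
    "phishing_payload": False,
    "record_calls": True,
    "third_party_monitoring": False,
    "hr_notice_issued": True,
    "vishing_targets": [
        {"name": "employee A", "state": "TX"},
        {"name": "employee B", "state": "CA"},
    ],
    "impersonation_roles": ["it helpdesk"],
    "sms_targets": [{"number": "+1-555-0100", "personal": True}],
    "tcpa_analysis_done": False,
    "atds_used": False,
    "caller_id_spoofing": True,
    "spoof_documentation": False,
    "credential_destruction_committed": True,
}

if __name__ == "__main__":
    results = review_engagement(SAMPLE_PLAN)
    for sev, msg in results:
        print(f"[{sev.upper()}] {msg}")
    print("overall:", classify(results))
```

Run as a script, the sample plan comes back red: the unauthorized SMiShing and the missing GLBA carve-out are blockers, while the California employee under an HR notice, the personal cell number without a TCPA analysis, and the undocumented caller ID spoof are grey items to resolve with the client before the engagement starts. The point of encoding the rules is that the review happens against the written plan, so a scope letter that is silent on a capability is caught as a gap rather than assumed to cover it.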

Key Statutes Quick Reference

Statute | What It Covers | Max Penalty
18 U.S.C. § 1343 | Wire fraud — false pretenses via interstate wires | 20 years (30 if financial institution)
18 U.S.C. § 912 | Impersonating a federal officer | 3 years
18 U.S.C. § 1028 | Identity document fraud | 5–15 years
18 U.S.C. § 2511 | Wiretapping — intercepting wire/oral/electronic communications | 5 years
15 U.S.C. § 6821 | GLBA pretexting — obtaining financial records by false pretenses | 5 years
47 U.S.C. § 227 | TCPA — unsolicited SMS/robocalls | $500–$1,500/message (civil)
47 U.S.C. § 227(e) | Truth in Caller ID Act — caller ID spoofing with intent to defraud | FCC civil penalties
CA Penal Code § 632 | All-party consent for recorded confidential communications | $2,500/violation + criminal misdemeanor
CA B&P Code § 17200 | Unfair, unlawful, or fraudulent business practices | Injunctive relief + restitution
18 U.S.C. § 1030(a)(5) | CFAA — damage to protected computer via transmission | 10 years (20 if critical infrastructure)

Next modules: 01y — International Penetration Testing: UK CMA, Germany § 202c, and Extradition Exposure | 01z — SCADA, IoT, Automotive, and Drone Hacking Law
