Module: 01x — Social Engineering Legal Limits: Wire Fraud, Impersonation, ECPA, and the Authorization Gap
Difficulty: intermediate
Questions
Q1. A pen tester is explicitly authorized to conduct vishing against a client company's employees. The tester extracts employee credentials during calls but does not use them for any further access, immediately handing them to the client. Based on United States v. Czubinski, what is the best characterization of the tester's wire fraud exposure?
- A) Wire fraud is clearly established because false statements were made during the calls.
- B) Wire fraud exposure is low because there was no completed "scheme to defraud" — the tester did not obtain money or property and did not exploit the credentials.
- C) Wire fraud is unavoidable whenever impersonation is used, regardless of authorization.
- D) Wire fraud applies only if the tester crossed state lines during the calls.
Correct answer: B
Explanation: In United States v. Czubinski, 106 F.3d 1069 (1st Cir. 1997), the court held that unauthorized snooping without an actionable scheme to obtain money or property does not satisfy § 1343. A vishing tester who captures credentials but does not exploit them further occupies the same space — arguably no completed scheme to defraud, because "money or property" was not obtained for the tester's benefit.
Q2. Under 18 U.S.C. § 912, which scenario constitutes a federal felony regardless of any engagement scope letter?
- A) Impersonating a Cisco IT vendor to gain access to a data center.
- B) Impersonating an FBI agent to access a corporate server room.
- C) Impersonating an IT helpdesk employee in a vishing call.
- D) Impersonating a building maintenance contractor in a tailgating attempt.
Correct answer: B
Explanation: 18 U.S.C. § 912 specifically prohibits impersonating a federal officer, agent, or employee with intent to deceive, carrying up to 3 years. No scope letter can authorize it because the statute protects the integrity of federal authority — the target organization cannot waive a federal officer's identity. Impersonating private-sector roles (Cisco vendor, IT helpdesk, maintenance contractor) falls under § 1343 wire fraud territory, not § 912.
Q3. A red team operator in Texas records a vishing call targeting a California-based employee of the client company without disclosing the recording. Which law is violated even though the operator is not physically in California?
- A) 18 U.S.C. § 2511 — federal one-party consent, which the operator satisfies as a call participant.
- B) California Penal Code § 632 — all-party consent for confidential communications, which California courts apply regardless of where the recorder is located.
- C) TCPA — because the call was unsolicited.
- D) CAN-SPAM Act — because the call constitutes a commercial solicitation.
Correct answer: B
Explanation: California Penal Code § 632 prohibits recording a confidential communication without the consent of all parties, and California courts have exercised jurisdiction when any party to the call is in California regardless of the recorder's physical location. While federal ECPA § 2511 is satisfied by one-party consent, California and 12 other all-party-consent states impose stricter requirements that extend beyond state borders.
Q4. Under the Gramm-Leach-Bliley Act (15 U.S.C. § 6821), an authorized pen tester calls a bank employee pretending to be an IT vendor and inadvertently obtains customer account numbers during the call. What is the maximum criminal penalty under § 6823?
- A) 1 year imprisonment
- B) 2 years imprisonment
- C) 5 years imprisonment
- D) 10 years imprisonment
Correct answer: C
Explanation: GLBA's pretexting provisions (15 U.S.C. § 6821) prohibit obtaining customer financial records through false pretenses, and § 6823 sets the criminal penalty at up to 5 years imprisonment. The statute reaches any person — including authorized pen testers — who uses false pretenses to obtain financial records, and there is no explicit pen test exemption.
Q5. After Facebook v. Duguid, 592 U.S. 395 (2021), which SMS-based social engineering scenario is LEAST likely to trigger TCPA liability under 47 U.S.C. § 227?
- A) Using a mass-SMS tool configured to send to an imported employee directory.
- B) Sending bulk SMiShing messages with an ATDS that uses random number generation.
- C) Sending targeted SMiShing to a specific curated list of named employee numbers using a non-ATDS system.
- D) Using an auto-dialing system to simultaneously blast all extensions in the target company's phone range.
Correct answer: C
Explanation: Facebook v. Duguid narrowed the ATDS definition to systems using a random or sequential number generator. A targeted list of specific employee numbers sent via a non-ATDS system may not trigger TCPA. Scenarios involving ATDS-qualifying systems, random dialers, or mass directory imports carry substantially higher TCPA exposure.
Q6. A scope letter explicitly authorizes phishing of company employees. The phishing email delivers a macro payload that executes and establishes a C2 connection on a target workstation. Under CFAA § 1030(e)(8), what is the likely statutory outcome?
- A) No CFAA exposure because the macro was specifically authorized as part of phishing.
- B) Potential CFAA § 1030(a)(5) exposure because establishing a C2 connection causes "impairment to the integrity" of the target system, and scope authorization for "phishing" does not automatically include authorization for "code execution."
- C) Only wire fraud exposure applies because the email was the interstate wire communication.
- D) No exposure because the payload was designed to be benign for pen test purposes.
Correct answer: B
Explanation: CFAA § 1030(e)(8) defines "damage" as any impairment to the integrity or availability of data, a program, a system, or information. A C2 beacon that modifies the system's operation causes such impairment even without destroying data. Scope authorization for "phishing" does not necessarily cover "code execution on target systems," and many scope letters are silent on this distinction.
Q7. Under the Truth in Caller ID Act (47 U.S.C. § 227(e)), which documented condition causes the safe harbor for authorized caller ID spoofing to collapse?
- A) The spoofed number belongs to a third party outside the client organization.
- B) The employee who receives the spoofed call is in a different state than the tester.
- C) The spoofed call extracts credentials that the tester then uses in an unauthorized way, or the employee suffers account lockout or data loss as a result, satisfying the "cause harm" prong.
- D) The call is recorded without the employee's consent.
Correct answer: C
Explanation: The Truth in Caller ID Act prohibits spoofing "with the intent to defraud, cause harm, or wrongfully obtain anything of value." The strongest safe harbor argument is that the tester had no such intent. However, if the spoofed call results in the employee suffering account lockout or data loss, or if extracted credentials are misused, the "cause harm" prong is satisfied and the safe harbor collapses — regardless of the authorization letter's language.
Q8. In United States v. O'Connor (2023), Joseph O'Connor was convicted of wire fraud and computer fraud arising from SIM swap attacks that enabled the July 2020 Twitter Bitcoin scam. What was the core social engineering vector that triggered § 1343 wire fraud charges?
- A) Hacking into T-Mobile's internal systems using a zero-day exploit.
- B) Social engineering T-Mobile and AT&T customer service representatives via phone calls to reroute victim phone numbers — the calls being interstate wires in furtherance of the fraudulent scheme.
- C) Sending phishing emails to Twitter executives.
- D) Deploying malware that intercepted SMS messages in transit.
Correct answer: B
Explanation: O'Connor's SIM swaps were executed by social engineering carrier customer service representatives — no technical hacking required. Wire fraud under § 1343 was charged because the phone calls to carrier customer service were interstate wires in furtherance of the scheme to defraud. O'Connor received a 5-year sentence.
Q9. Regarding the "authorization gap" described in Section 8, which of the following is something a corporation CANNOT authorize a pen tester to do on behalf of its employees?
- A) Send phishing emails to corporate email addresses the company controls.
- B) Attempt to access systems the company owns via socially engineered credentials.
- C) Record personal cell phone conversations of employees without those employees' individual consent.
- D) Conduct vishing against employees on company-owned phone extensions.
Correct answer: C
Explanation: A corporation cannot authorize recording personal cell phone conversations of employees without individual consent. Employees' statutory rights under ECPA and state wiretap laws are not waivable by their employer — those rights belong to the individual employee, not the company. This is the core "human element" authorization gap: the company consents to access of its own systems, but cannot waive individual employee rights to privacy or freedom from deception.
Q10. Under 18 U.S.C. § 1028, creating a fake "FBI credentials" badge formatted to resemble a genuine ID document for use during a physical social engineering engagement carries a maximum penalty of how many years — for a standard violation not involving drug trafficking or terrorism?
- A) 1 year
- B) 3 years
- C) 5 years
- D) 15 years
Correct answer: C
Explanation: 18 U.S.C. § 1028 targets production, transfer, or use of false identification documents. For standard violations, the maximum is 5 years imprisonment (rising to 15 years if the fraud facilitates a drug trafficking crime or act of terrorism). A scope letter is a defense argument, not an immunity grant, and prop credentials formatted to resemble genuine ID documents fall within § 1028(a)(2)'s reach.