
Social Engineering: The Human Element of Cyber Attacks

Understanding social engineering tactics from phishing to pretexting, real-world attack examples, and building a human firewall.

The Most Effective Attack Vector

Social engineering bypasses technical controls by exploiting the most complex system in any environment: human psychology. Some form of it is involved in 98% of cyber attacks, making it the most successful initial access technique.

Why It Works

┌─────────────────────────────────────────────────────────┐
│         Psychological Principles Exploited              │
├─────────────────────────────────────────────────────────┤
│                                                         │
│  Authority        → "This is IT, we need your password" │
│  Urgency          → "Act now or lose access!"           │
│  Social Proof     → "Everyone else has done this"       │
│  Reciprocity      → "I helped you, now help me"         │
│  Liking           → Build rapport before the ask        │
│  Scarcity         → "Limited time offer"                │
│  Fear             → "Your account has been compromised" │
│                                                         │
└─────────────────────────────────────────────────────────┘

Types of Social Engineering Attacks

1. Phishing

Mass email attacks impersonating trusted entities.

Anatomy of a Phishing Email:

From: security@amaz0n-support.com          ← Lookalike domain
To: victim@company.com
Subject: ⚠️ Urgent: Your Account Has Been Locked  ← Fear + Urgency

Dear Valued Customer,

We've detected suspicious activity on your account.
Your account has been temporarily limited.

Please verify your identity within 24 hours or your    ← Urgency
account will be permanently suspended.

[Verify Now]  ← Links to: http://amaz0n-secure.malicious.com

Amazon Security Team

Red Flags:

  • Misspelled or lookalike domains
  • Generic greetings
  • Urgency and threats
  • Mismatched URLs (hover vs. displayed)
  • Requests for sensitive information
  • Poor grammar (though AI has improved this)
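As an added example that is not part of the original page, the following Python checks a message for the red flags listed above: a lookalike sender domain (digit-for-letter substitutions), urgency wording, a generic greeting, and a displayed URL that differs from the real link target. The trusted-brand list, the keyword lists and the sample message are assumptions constructed for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the phishing email above; addresses and hosts are placeholders.
SAMPLE = """From: Amazon Security <security@amaz0n-support.com>
Subject: Urgent: Your Account Has Been Locked

<p>Dear Valued Customer,</p>
<p>Please verify your identity within 24 hours or your account will be permanently suspended.</p>
<a href="http://amaz0n-secure.malicious.com/login">https://www.amazon.com/verify</a>
"""

TRUSTED_BRANDS = {"amazon": "amazon.com"}   # assumed allow-list: brand name -> real domain
HOMOGLYPHS = str.maketrans("0135", "oles")  # digit-for-letter swaps common in lookalike domains
URGENCY = ("urgent", "within 24 hours", "suspended", "locked", "act now")
GENERIC = ("dear valued customer", "dear customer", "dear user")

class LinkParser(HTMLParser):
    """Collects (href, displayed text) pairs so the hover target can be compared to what is shown."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href:
            self.links.append((self._href, data.strip()))
            self._href = None

def red_flags(raw):
    msg = message_from_string(raw)
    body, flags = msg.get_payload(), []
    sender_domain = parseaddr(msg["From"])[1].split("@")[-1].lower()
    for brand, real in TRUSTED_BRANDS.items():
        mimics = brand in sender_domain.translate(HOMOGLYPHS)  # undo digit-for-letter swaps
        if mimics and sender_domain != real and not sender_domain.endswith("." + real):
            flags.append(f"lookalike sender domain {sender_domain}")
    text = (msg["Subject"] + " " + body).lower()
    if any(word in text for word in URGENCY):
        flags.append("urgency/threat language")
    if any(greeting in text for greeting in GENERIC):
        flags.append("generic greeting")
    parser = LinkParser()
    parser.feed(body)
    for href, shown in parser.links:  # displayed URL vs. actual link target
        if shown.startswith("http") and urlparse(href).hostname != urlparse(shown).hostname:
            flags.append(f"link text shows {shown} but goes to {href}")
    return flags
```

Running `red_flags(SAMPLE)` returns all four flags for the constructed message, and an empty list for a plain order confirmation from the real brand domain.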

2. Spear Phishing

Targeted phishing using personal information.

Example - CEO Fraud:

From: john.smith@company.co              ← Not company.com
To: sarah.jones@company.com
Subject: Urgent Wire Transfer Needed

Sarah,

I'm in a meeting and can't talk. I need you to
process an urgent wire transfer for a confidential
acquisition. Time-sensitive.

Amount: $147,000
Account: 1234567890
Bank: First National
Routing: 987654321

Don't mention this to anyone else - it's confidential
until the deal closes.

John
CEO

Sent from my iPhone

3. Vishing (Voice Phishing)

Phone-based social engineering.

Common Scenarios:

  • Tech support scams
  • IRS/tax authority impersonation
  • Bank fraud department calls
  • IT helpdesk impersonation

Example Script:

Attacker: "Hi, this is Mike from the IT helpdesk.
We're seeing some unusual activity from your
workstation. I need to verify your identity
and run some checks. Can you confirm your
employee ID and what you're currently working on?"

[After building trust]

Attacker: "I need to push a security patch to your
machine. Can you read me the code that appears
on your screen?" [Captures MFA token]

4. Smishing (SMS Phishing)

Text message-based attacks.

Examples:

[Bank of America]
Suspicious activity detected on your account.
Verify now: http://boa-verify.xyz/secure

---

USPS: Your package is waiting. Confirm delivery:
http://usps-delivery.info/track?id=12345

---

Your Netflix account has been suspended.
Update payment: http://netflix-billing.net

5. Pretexting

Creating a fabricated scenario to extract information.

Example - Vendor Impersonation:

Attacker poses as software vendor support:

"Hi, I'm calling from [Software Company] about
your license renewal. I see it's expiring soon.
To process the renewal, I need to verify your
account details and current version.

Could you tell me:
- What version you're running?
- Who manages the servers?
- What's the server IP address?
- Do you have remote access configured?"

6. Baiting

Offering something enticing to deliver malware.

Physical Baiting:

  • USB drives left in parking lots
  • “Confidential” CDs mailed to employees
  • Promotional items with malicious payloads

Digital Baiting:

  • Free software downloads
  • Pirated content with malware
  • “Leaked” documents (password-protected malware)

7. Tailgating / Piggybacking

Physical security bypass by following authorized personnel.

Scenarios:

  • “Can you hold the door? My hands are full”
  • Wearing delivery uniforms
  • Posing as contractors
  • Blending with large groups

8. Quid Pro Quo

Offering a service in exchange for information.

Example:

"Hi, I'm from IT conducting a security survey.
If you participate, you'll be entered to win
a $100 gift card. I just need to verify your
login works - what's your password so I can
test the system?"

Real-World Case Studies

Twitter Hack (2020)

Attack Method: Vishing + Internal Tool Compromise

Timeline:

  1. Attackers called Twitter employees posing as IT
  2. Convinced them to access internal admin tools
  3. Reset passwords on high-profile accounts
  4. Posted Bitcoin scam from Obama, Musk, Apple accounts

Result: $120,000 stolen, massive reputational damage

Ubiquiti Breach (2020)

Attack Method: BEC (Business Email Compromise)

Timeline:

  1. Attacker gained access to employee credentials
  2. Impersonated employees to finance department
  3. Requested wire transfers to attacker accounts
  4. $46.7 million transferred before detection

MGM Resorts (2023)

Attack Method: Help Desk Impersonation

Timeline:

  1. Attackers identified employee via LinkedIn
  2. Called IT help desk impersonating the employee
  3. Convinced help desk to reset MFA
  4. Gained access, deployed ransomware

Result: $100+ million in damages, weeks of disruption

Building a Human Firewall

Security Awareness Training

Effective Training Program:
  Frequency:
    - Initial onboarding training
    - Quarterly refresher modules
    - Annual comprehensive assessment

  Methods:
    - Interactive online modules
    - Live simulations
    - Lunch-and-learn sessions
    - Gamification and competitions

  Topics:
    - Phishing identification
    - Password hygiene
    - Physical security
    - Reporting procedures
    - Data handling

  Measurement:
    - Phishing simulation click rates
    - Reporting rates
    - Knowledge assessments
    - Incident correlation

Phishing Simulations

Simulation Best Practices:

  Do:
    • Vary difficulty levels
    • Use current threat intelligence
    • Track metrics over time
    • Provide immediate feedback
    • Make reporting easy
    • Reward good behavior

  Don't:
    • Publicly shame clickers
    • Use punitive measures only
    • Run the same simulation repeatedly
    • Forget to inform leadership

Metrics to Track:

Phishing Simulation Metrics
├── Click rate (target: <5%)
├── Report rate (target: >50%)
├── Time to report
├── Repeat clickers
├── Department comparison
└── Trend over time
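As an added example (not from the original page), here is how the metrics in the tree above can be computed from campaign results: click rate and report rate against the stated targets, median time to report, repeat clickers across campaigns, and a department comparison. The event list, users and departments are constructed for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed results from two hypothetical campaigns: one row per user per campaign,
# recording when the lure was sent and when (if ever) it was clicked or reported.
ts = datetime.fromisoformat
EVENTS = [  # (campaign, user, department, sent, clicked, reported)
    ("Q1", "alice", "finance", ts("2024-01-10 09:00"), None, ts("2024-01-10 09:12")),
    ("Q1", "bob", "finance", ts("2024-01-10 09:00"), ts("2024-01-10 09:30"), None),
    ("Q1", "carol", "eng", ts("2024-01-10 09:00"), None, None),
    ("Q1", "dave", "eng", ts("2024-01-10 09:00"), ts("2024-01-10 10:00"), ts("2024-01-10 10:05")),
    ("Q2", "alice", "finance", ts("2024-04-10 09:00"), None, ts("2024-04-10 09:03")),
    ("Q2", "bob", "finance", ts("2024-04-10 09:00"), ts("2024-04-10 09:45"), None),
    ("Q2", "carol", "eng", ts("2024-04-10 09:00"), None, ts("2024-04-10 11:00")),
    ("Q2", "dave", "eng", ts("2024-04-10 09:00"), None, None),
]
CLICK_TARGET, REPORT_TARGET = 0.05, 0.50  # the targets quoted in the tree above

def campaign_metrics(events, campaign):
    """Click rate, report rate and median time to report for one campaign."""
    rows = [e for e in events if e[0] == campaign]
    clicks = sum(1 for e in rows if e[4] is not None)
    reports = sum(1 for e in rows if e[5] is not None)
    minutes = [(e[5] - e[3]).total_seconds() / 60 for e in rows if e[5] is not None]
    return {
        "click_rate": clicks / len(rows),
        "report_rate": reports / len(rows),
        "median_minutes_to_report": median(minutes) if minutes else None,
        "click_target_met": clicks / len(rows) < CLICK_TARGET,
        "report_target_met": reports / len(rows) > REPORT_TARGET,
    }

def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns (candidates for coaching)."""
    clicked_in = defaultdict(set)
    for campaign, user, _, _, clicked, _ in events:
        if clicked is not None:
            clicked_in[user].add(campaign)
    return sorted(u for u, c in clicked_in.items() if len(c) >= min_campaigns)

def click_rate_by_department(events, campaign):
    """Department comparison for one campaign."""
    sent, clicked = Counter(), Counter()
    for c, _, dept, _, click, _ in events:
        if c == campaign:
            sent[dept] += 1
            clicked[dept] += 1 if click is not None else 0
    return {dept: clicked[dept] / sent[dept] for dept in sent}
```

Trend over time is the list of `campaign_metrics(EVENTS, c)["click_rate"]` values taken campaign by campaign in date order.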

Technical Controls

Even with training, implement defense-in-depth:

Email Security:
  - DMARC, DKIM, SPF
  - Email filtering/gateway
  - Link protection (URL rewriting)
  - Attachment sandboxing
  - External email warning banners
  - AI-based anomaly detection

Identity Security:
  - MFA on all accounts
  - Conditional access policies
  - Impossible travel detection
  - Privileged access workflows

Endpoint Security:
  - EDR/XDR
  - USB device control
  - Application whitelisting

Verification Procedures

Callback Verification (Wire Transfer Verification Policy):

  1. All wire transfer requests must be verified via callback
  2. Use known phone numbers (not from the email)
  3. Verify with two authorized personnel
  4. Document verification in writing
  5. No exceptions for "urgency"

IT Request Verification:

If someone calls claiming to be IT:
  1. Ask for their employee ID
  2. Hang up and call the IT helpdesk directly
  3. Never share passwords or MFA codes
  4. Never install software at their request
  5. Report suspicious calls immediately

Reporting Culture

Making Reporting Easy

  • Phish report button in email client
  • Dedicated security hotline
  • Anonymous reporting option
  • Clear escalation procedures

Encouraging Reports

  • Thank reporters promptly
  • Share anonymized success stories
  • Never punish for reporting (even false positives)
  • Track and celebrate report rates

Red Flags Quick Reference

Email:
  • Sender doesn't match organization
  • Urgent/threatening language
  • Requests credentials
  • Suspicious links/attachments
  • Generic greeting

Phone:
  • Creates urgency/pressure
  • Requests sensitive info
  • Won't provide callback number
  • Unusual requests outside normal process

In Person:
  • Unfamiliar person in secure area
  • No visible badge
  • Asking unusual questions
  • Attempting to tailgate

When in doubt: Stop → Think → Verify → Report

Technology can be patched. Humans require continuous education. Your people are both your greatest vulnerability and your strongest defense.