Chapter 25: Social Engineering
Overview
Social engineering — the art of manipulating people into compromising security — remains the most effective attack vector in the threat landscape. No firewall, endpoint agent, or SIEM rule protects against a well-crafted pretext. Vishing, phishing, smishing, pretexting, and physical intrusion bypass billions in technical controls by targeting the human element. This chapter provides both the offensive perspective (understanding how attacks work) and the defensive perspective (security awareness, phishing simulations, technical controls, and human risk measurement).
Learning Objectives
By the end of this chapter, students SHALL be able to:
- Identify and describe all major social engineering attack types with real-world examples
- Explain the psychological principles exploited in social engineering attacks
- Design and execute phishing simulations within a security awareness program
- Implement technical controls that reduce phishing and vishing success rates
- Measure human risk and track improvements over time
- Build an effective security awareness and training program aligned to organizational risk
Prerequisites
- Basic understanding of email infrastructure (SMTP, DKIM, SPF, DMARC)
- Familiarity with organizational communication tools (Teams, Slack, email)
- Chapter 7 (Threat Intelligence) for threat-actor-specific social engineering tactics
Why This Matters
According to the Verizon DBIR 2024, 68% of breaches involved a human element — through error, privilege misuse, or social engineering. The 2023 MGM Resorts breach — causing $100M in losses — started with a 10-minute phone call to the IT helpdesk. The attacker found the target employee on LinkedIn, spoofed their identity, and convinced the helpdesk to reset MFA. No technical control prevented this. Security awareness and process controls are the only defenses against this attack vector.
25.1 Social Engineering Attack Taxonomy
```mermaid
graph TD
A[Social Engineering] --> B[Digital]
A --> C[Voice/Phone]
A --> D[Physical]
A --> E[Hybrid]
B --> B1[Phishing\nEmail based]
B --> B2[Spearphishing\nTargeted]
B --> B3[Whaling\nExecutive targeting]
B --> B4[Smishing\nSMS based]
B --> B5[Business Email\nCompromise]
C --> C1[Vishing\nVoice phishing]
C --> C2[IT Helpdesk\nImpersonation]
C --> C3[Deepfake Voice\nCEO fraud]
D --> D1[Tailgating /\nPiggybacking]
D --> D2[Pretexting\nFake identities]
D --> D3[Dumpster Diving]
D --> D4[USB Drop]
E --> E1[Hybrid BEC\nEmail + Phone]
E --> E2[SIM Swapping\nPhone + Portal]
style B2 fill:#e63946,color:#fff
style E1 fill:#e63946,color:#fff
```
25.2 Psychological Principles Exploited
Robert Cialdini's principles of influence are the foundation of most social engineering attacks:
| Principle | Definition | Social Engineering Application |
|---|---|---|
| Authority | Compliance with authority figures | "This is the CTO — I need you to wire funds immediately" |
| Urgency/Scarcity | Fear of missing out or negative consequences | "Your account will be locked in 24 hours — click now" |
| Social Proof | Following what others do | "Your colleagues have already approved this change" |
| Liking | Compliance with people we like | Build rapport before making a request |
| Reciprocity | Returning favors | Send small gifts before the ask |
| Commitment/Consistency | Follow through on prior commitments | "You said you'd help the team — this is just one small thing" |
| Familiarity | Trust of known entities | Spoofing Microsoft, IT support, known vendors |
25.3 Phishing Attack Types
25.3.1 Standard Phishing
Mass campaigns sent to thousands of recipients with generic lures:
```text
Common Lure Types:
├── IT Alert: "Your password expires in 24 hours — click to reset"
├── HR/Payroll: "Review your W-2 / Open enrollment closes Friday"
├── Package Delivery: "UPS delivery failed — update delivery address"
├── Security Alert: "Unusual sign-in detected — verify your account"
├── Document Share: "John Smith shared a file with you in OneDrive"
└── Invoice: "Invoice #8472 attached — payment due"
```
25.3.2 Spearphishing
Targeted attacks using victim-specific research:
```python
# Attacker research process for spearphishing
# 1. LinkedIn: target's role, department, recent activity, connections
# 2. Company website: recent news, projects, leadership
# 3. Social media: interests, travel, conferences attended
# 4. Previous emails (if domain is MX-guessable): email format
# 5. Job postings: internal projects, technologies used

# Sample spearphish targeting a finance director:
"""
From: Jason Chen <jason.chen@corp-acounting.com> ← Typosquat
To: sarah.johnson@targetcorp.com
Subject: Urgent: Q4 Wire Transfer Authorization - CEO Request

Sarah,

I'm reaching out on behalf of David Williams (CEO) who is traveling
and cannot access corporate email at the moment.

He has asked me to coordinate an urgent vendor payment of $847,320
for the Meridian acquisition — this needs to clear today before
the foreign exchange window closes at 4 PM EST.

He says you have authorization and the vendor banking details
are attached (see secure PDF).

Please confirm receipt. David will be available to verify
by phone after 3 PM today.

Jason Chen
Executive Assistant, Finance
"""
```
25.3.3 Business Email Compromise (BEC)
BEC is the most financially damaging form of social engineering — $2.9B in losses (FBI IC3 2023).
BEC Types:
| Type | Method | Average Loss |
|---|---|---|
| CEO Fraud | Impersonate CEO to finance to wire funds | $75,000 |
| Invoice Fraud | Compromise or spoof vendor, change bank details | $50,000 |
| Attorney Impersonation | Legal/merger context to rush fund transfer | $130,000 |
| W-2 Fraud | Impersonate HR to get employee tax records | Tax fraud enabler |
| Gift Card Fraud | "CEO" requests gift cards be purchased | $2,000–$10,000 |
| Real Estate | Divert mortgage closing wire transfers | $100,000+ |
25.3.4 Adversary-in-the-Middle (AiTM) Phishing
Modern AiTM phishing defeats MFA by proxying sessions in real time.
```text
# Evilginx2 — AiTM phishing framework
# 1. Victim navigates to attacker's phishing page
# 2. Evilginx proxies all requests to legitimate site
# 3. Victim completes MFA (legitimate session created)
# 4. Evilginx captures session cookie
# 5. Attacker uses cookie to access account (MFA already completed)
# Platforms targeted: Microsoft 365, Google Workspace, GitHub, AWS console

# Detection:
# Impossible travel: user authenticated from Seattle then Brussels 2 minutes later
# Token reuse from new/suspicious IP
# Suspicious OAuth app consent
# Sign-in from AiTM infrastructure (known C2 IPs in threat intel)
```
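The impossible-travel indicator listed above, implemented over a sign-in log as an added example (not chapter code and not any vendor's detection rule): consecutive successful sign-ins for the same user are compared, and if covering the great-circle distance between their geolocations would require an implausible speed, the later event is flagged as a candidate session-token replay. The log entries, city coordinates and the 1,000 km/h threshold are constructed assumptions; real IP geolocation is coarse, so the threshold should sit well above airline speed to limit false positives from VPN exits and mobile carriers.

```python
"""Impossible-travel detection over sign-in events (added example, not chapter code).

SIGNINS and MAX_PLAUSIBLE_KMH are constructed assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Anything faster than this between two sign-ins is treated as impossible (assumption).
MAX_PLAUSIBLE_KMH = 1000.0

# Constructed log: (user, ISO-8601 UTC timestamp, city, latitude, longitude, source IP)
SIGNINS = [
    ("sarah.johnson", "2026-01-14T08:00:00", "Seattle", 47.61, -122.33, "198.51.100.10"),
    ("sarah.johnson", "2026-01-14T08:02:00", "Brussels", 50.85, 4.35, "203.0.113.77"),
    ("david.williams", "2026-01-14T09:00:00", "New York", 40.71, -74.01, "198.51.100.20"),
    ("david.williams", "2026-01-14T15:30:00", "Chicago", 41.88, -87.63, "198.51.100.21"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres on a 6371 km sphere."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return alerts as (user, from_city, to_city, km, minutes_elapsed, implied_kmh, new_ip).

    Events are processed per user in timestamp order; each event is compared
    only with that user's immediately preceding sign-in.
    """
    alerts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: (e[0], e[1])):
        user, ts, city, lat, lon, ip = ev
        prev = last_seen.get(user)
        if prev is not None:
            _, p_ts, p_city, p_lat, p_lon, _ = prev
            km = haversine_km(p_lat, p_lon, lat, lon)
            elapsed_h = (datetime.fromisoformat(ts) - datetime.fromisoformat(p_ts)).total_seconds() / 3600
            if elapsed_h <= 0:
                # Same-second events from different places: movement with no time elapsed.
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / elapsed_h
            if speed > max_kmh:
                alerts.append((user, p_city, city, round(km), round(elapsed_h * 60), round(speed), ip))
        last_seen[user] = ev
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SIGNINS):
        print("IMPOSSIBLE TRAVEL:", alert)
```

In the constructed log the Seattle-to-Brussels pair (about 7,900 km in two minutes) is flagged, while New York to Chicago over six and a half hours is not. Once flagged, the follow-up is the same as for the other indicators in the list: revoke the user's sessions and refresh tokens, check for new OAuth consents and mailbox rules, and reset credentials rather than only re-prompting MFA, since the attacker holds a post-MFA session.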
25.4 Vishing (Voice Phishing)
25.4.1 IT Helpdesk Attacks
The MGM Resorts 2023 attack example:
```text
ATTACK SCRIPT:
[Attacker researches target on LinkedIn]
"John Smith, IT Support Analyst, MGM Resorts"
[Call to MGM IT helpdesk, spoofing John Smith's work number]
Attacker: "Hey, this is John Smith, employee ID 47821. I'm working from
home today and I can't get into my Duo MFA — my phone got
replaced yesterday and I need to get into Okta for an urgent
project that's due in an hour."
[Helpdesk asks for last 4 SSN, date of birth — attacker has from data broker]
Attacker: [Provides correct information]
Helpdesk: "OK, I can temporarily bypass your MFA. Your temp access code
is 847291."
[Attacker now has full access to MGM systems]
```
PREVENTION:
- Mandatory callback to a verified number from the directory (never the number the caller provides)
- Identity verification via in-person or manager approval for MFA resets
- Canary process: flag urgent MFA reset requests for supervisor review
- Zero trust: no trust by default, even for "known" employees
25.4.2 Deepfake Voice and Video
2024 Deepfake BEC Attack — Hong Kong:
- Finance employee attended "video call" with fake CFO and executives
- Transferred $25M after seeing "familiar" faces on video
- All participants were AI-generated deepfakes
- Only audio confirmation; no call back to verify
DEFENSES:
- In-person or out-of-band verification for wire transfers above threshold
- Pre-agreed verbal codeword for sensitive communications
- Multi-person approval (4-eyes principle) for large transfers
- Train staff on deepfake technology existence
25.5 Physical Social Engineering
25.5.1 Tailgating and Physical Intrusion
```text
PHYSICAL ATTACK SCENARIOS:
USB Drop Attack:
- Attacker drops 10 USB drives in target parking lot
- Labels: "Q4 Salary Review 2026.docx" or "Employee Bonus List"
- 45-98% of found USBs are plugged in (Google/University studies)
- USB contains HID attack tool (rubber ducky) or autorun malware

Tailgating:
- Attacker dressed as delivery person / IT contractor
- Follows authorized employee through badge-access door
- Once inside: install hardware keylogger, plant rogue access point,
photograph whiteboards, access unlocked workstations

Visitor Social Engineering:
- Pose as auditor, fire marshal, elevator inspector
- Gain escort access to server rooms and sensitive areas
```
MITIGATIONS:
- Security awareness training: challenging a tailgater is not rude
- Mantrap (double-door) entry for sensitive areas
- "Challenge culture": all staff empowered to question strangers
- No-tailgating policy enforced with cameras + incident reports
- USB ports disabled on workstations (endpoint policy)
25.5.2 Dumpster Diving
```text
Valuable Items Found in Dumpsters:
├── Old hard drives (contain data if not wiped)
├── Printed reports (org charts, financial data, client names)
├── Sticky notes with passwords
├── Decommissioned access cards
├── Business cards (employee enumeration)
└── Failed badge printer attempts (shows badge format)
```
MITIGATIONS:
- Cross-cut shredder for all paper waste (not strip-cut)
- Hard drive destruction certificates for disposed hardware
- Policy: no confidential materials in regular recycling
- Secure destruction vendor with certificate of destruction
25.6 Phishing Simulation Programs
25.6.1 Simulation Design Principles
An effective phishing simulation program:
- Baseline first — measure current click rate before training
- Graduated difficulty — start easy, increase sophistication over time
- Immediate training — clicking a sim link triggers instant micro-training
- No shame, no punishment — safety culture, not gotcha culture
- Track by department and role — target repeat clickers with additional training
- Rotate templates — if the same lure is reused, users learn to spot that specific template rather than the underlying pattern
25.6.2 Phishing Metrics Dashboard
```python
# Key phishing simulation metrics
metrics = {
    "simulation_month": "2026-01",
    "emails_sent": 4200,
    "open_rate_pct": 42,                # Opened the email
    "click_rate_pct": 18,               # Clicked the link
    "cred_submission_pct": 6,           # Submitted credentials
    "report_rate_pct": 23,              # Reported as phishing
    "phishing_resilience_score": 74,    # (report_rate / (click_rate + report_rate)) * 100
    "high_risk_employees": 47,          # Clicked + submitted credentials
    "departments": {
        "Finance": {"click_rate": 8, "report_rate": 45},      # Best
        "Operations": {"click_rate": 31, "report_rate": 12},  # Needs work
        "IT": {"click_rate": 5, "report_rate": 78},           # Strong
    },
    "training_completions_triggered": 756,
}

# Target metrics:
# Click rate < 5% (industry best practice)
# Report rate > 60%
# Credential submission < 1%
```
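Deriving the dashboard figures above from the raw per-recipient outcomes a simulation platform exports, as an added example (not the chapter's code and not any platform's export format): it computes the open, click, credential-submission and report rates, the resilience score using the formula the chapter gives, the per-department breakdown, the high-risk list, and which of the target thresholds a campaign missed. It goes one step beyond the dashboard by also listing repeat clickers across campaigns, which is the input for the targeted training that section 25.6.1 calls for. The records, department names and two-campaign layout are constructed.

```python
"""Phishing-simulation metrics from per-recipient outcomes (added example, not chapter code).

RESULTS, TARGETS and the field layout are constructed assumptions.
"""
from collections import defaultdict

# Constructed platform export: one row per recipient per campaign.
# Fields: campaign, email, department, opened, clicked, submitted_creds, reported
RESULTS = [
    ("2025-11", "a@example.com", "Finance",    True,  False, False, True),
    ("2025-11", "b@example.com", "Finance",    True,  True,  True,  False),
    ("2025-11", "c@example.com", "Operations", True,  True,  False, False),
    ("2025-11", "d@example.com", "Operations", False, False, False, False),
    ("2025-11", "e@example.com", "IT",         True,  False, False, True),
    ("2026-01", "a@example.com", "Finance",    True,  False, False, True),
    ("2026-01", "b@example.com", "Finance",    True,  True,  False, False),
    ("2026-01", "c@example.com", "Operations", True,  True,  True,  False),
    ("2026-01", "d@example.com", "Operations", True,  False, False, True),
    ("2026-01", "e@example.com", "IT",         False, False, False, True),
]

# Target thresholds from the chapter: click < 5%, report > 60%, credential submission < 1%.
TARGETS = {"click_rate_pct": 5.0, "report_rate_pct": 60.0, "cred_submission_pct": 1.0}


def _pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there were no recipients."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def resilience_score(click_rate_pct, report_rate_pct):
    """Chapter formula: reports as a share of all decisions (click or report)."""
    denominator = click_rate_pct + report_rate_pct
    return round(100.0 * report_rate_pct / denominator, 1) if denominator else 0.0


def campaign_metrics(results, campaign):
    """Build the dashboard dictionary for one campaign from its raw rows."""
    rows = [r for r in results if r[0] == campaign]
    sent = len(rows)
    clicked = sum(r[4] for r in rows)
    submitted = sum(r[5] for r in rows)
    reported = sum(r[6] for r in rows)
    m = {
        "simulation_month": campaign,
        "emails_sent": sent,
        "open_rate_pct": _pct(sum(r[3] for r in rows), sent),
        "click_rate_pct": _pct(clicked, sent),
        "cred_submission_pct": _pct(submitted, sent),
        "report_rate_pct": _pct(reported, sent),
        # Clicked AND submitted credentials: the chapter's high-risk definition.
        "high_risk_employees": sorted(r[1] for r in rows if r[4] and r[5]),
        "departments": {},
    }
    m["phishing_resilience_score"] = resilience_score(m["click_rate_pct"], m["report_rate_pct"])
    by_dept = defaultdict(list)
    for r in rows:
        by_dept[r[2]].append(r)
    for dept, drows in sorted(by_dept.items()):
        m["departments"][dept] = {
            "click_rate": _pct(sum(r[4] for r in drows), len(drows)),
            "report_rate": _pct(sum(r[6] for r in drows), len(drows)),
        }
    missed = []
    if m["click_rate_pct"] > TARGETS["click_rate_pct"]:
        missed.append("click_rate_pct")
    if m["report_rate_pct"] < TARGETS["report_rate_pct"]:
        missed.append("report_rate_pct")
    if m["cred_submission_pct"] > TARGETS["cred_submission_pct"]:
        missed.append("cred_submission_pct")
    m["targets_missed"] = missed
    return m


def repeat_clickers(results, min_clicks=2):
    """Employees who clicked in at least min_clicks campaigns: candidates for targeted training."""
    counts = defaultdict(int)
    for r in results:
        if r[4]:
            counts[r[1]] += 1
    return sorted(email for email, n in counts.items() if n >= min_clicks)


if __name__ == "__main__":
    for month in ("2025-11", "2026-01"):
        print(campaign_metrics(RESULTS, month))
    print("repeat clickers:", repeat_clickers(RESULTS))
```

Two design points: the resilience score counts reports against clicks only, so a campaign where most people ignore the mail scores the same as one where most people report it (track the raw report rate alongside it), and the repeat-clicker list is computed across campaigns rather than within one, so a single click never by itself marks someone for extra training, in keeping with the "no shame" principle.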
25.6.3 Phishing Simulation Platforms
| Platform | Type | Key Features |
|---|---|---|
| KnowBe4 | Commercial | Largest template library, risk score by employee |
| Proofpoint Security Awareness | Commercial | Threat-actor templates, AI-driven |
| Cofense PhishMe | Commercial | Real phish reporter integration |
| GoPhish | Open source | Full-featured, self-hosted |
| Lucy Security | Commercial | SCORM content, multilingual |
| Infosec IQ | Commercial | Game-based learning |
25.7 Technical Anti-Phishing Controls
25.7.1 Email Authentication
```text
# SPF — Sender Policy Framework (who can send email for our domain)
# DNS TXT record:
v=spf1 include:_spf.google.com include:_spf.salesforce.com ip4:203.0.113.0/24 -all
#                                                                           ^^^^ Hard fail — reject unauthorized senders

# DKIM — DomainKeys Identified Mail (cryptographic signature)
# DNS TXT record (selector._domainkey.example.com):
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

# DMARC — enforces SPF and DKIM alignment
# DNS TXT record (_dmarc.example.com):
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com; pct=100

# Implementation path:
# 1. Deploy SPF (permissive: ~all)
# 2. Deploy DKIM
# 3. Set DMARC p=none (monitoring)
# 4. Review reports — fix legitimate senders
# 5. Escalate to p=quarantine
# 6. Escalate to p=reject
```
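A worked SPF and DMARC evaluation, as an added example that is not part of the chapter: a receiving-side evaluator that resolves an SPF record (following `include:` and matching `ip4:`/`ip6:` ranges and `all`), parses the `_dmarc` record, applies identifier alignment between the `From:` header domain and the SPF- and DKIM-authenticated domains in relaxed (`r`) or strict (`s`) mode, and returns the disposition the receiver would apply. The DNS entries are a constructed in-memory table standing in for real lookups, DKIM signature verification itself is out of scope (the DKIM result is passed in), and the organizational-domain function uses the last two labels instead of a public-suffix list. The evaluator covers the `p=none` monitoring stage as well as `p=reject`, so the implementation path above can be traced end to end.

```python
"""Minimal SPF + DMARC evaluator with an in-memory DNS table (added example, not chapter code).

DNS_TXT is a constructed stand-in for real DNS; DKIM verification is out of scope.
"""
import ipaddress

# Constructed DNS: name -> list of TXT strings.
DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.mailhost.example ip4:203.0.113.0/24 -all"],
    "_spf.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"],
    # A domain still at the monitoring stage of the rollout, with strict alignment.
    "monitoring.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "bulk.monitoring.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.monitoring.example": ["v=DMARC1; p=none; aspf=s; adkim=s; rua=mailto:dmarc@monitoring.example"],
}

SPF_RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name, prefix):
    """Return the first TXT record at name that starts with prefix (case-insensitive), or None."""
    for txt in DNS_TXT.get(name.lower(), []):
        if txt.lower().startswith(prefix):
            return txt
    return None


def check_spf(domain, ip, depth=0):
    """Evaluate ip sending as domain: 'pass', 'fail', 'softfail', 'neutral' or 'none'."""
    record = lookup_txt(domain, "v=spf1")
    if record is None or depth > 10:          # RFC 7208 limits include recursion
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in "+-~?":
            qualifier, mech = term[0], term[1:]
        matched = False
        if mech.startswith(("ip4:", "ip6:")):
            # Mismatched IP versions never match (IPv6 address vs ip4 network).
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech.startswith("include:"):
            matched = check_spf(mech[len("include:"):], ip, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return SPF_RESULT_BY_QUALIFIER[qualifier]
    return "neutral"


def parse_dmarc(domain):
    """Return the tag dictionary of _dmarc.<domain>, or None if there is no DMARC record."""
    record = lookup_txt("_dmarc." + domain, "v=dmarc1")
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain approximation: last two labels (no public-suffix list here)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict requires an exact match, relaxed the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(from_domain, mail_from_domain, source_ip, dkim_domain=None, dkim_result="none"):
    """Return (disposition, details); disposition is 'pass', 'none', 'quarantine', 'reject' or 'no-policy'."""
    policy = parse_dmarc(from_domain) or {}
    aspf, adkim = policy.get("aspf", "r"), policy.get("adkim", "r")
    spf_result = check_spf(mail_from_domain, source_ip)
    spf_aligned = spf_result == "pass" and aligned(from_domain, mail_from_domain, aspf)
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, adkim)
    details = {"spf": spf_result, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if not policy:
        return ("no-policy", details)
    if spf_aligned or dkim_aligned:          # DMARC passes if either identifier aligns
        return ("pass", details)
    return (policy.get("p", "none"), details)


if __name__ == "__main__":
    print(dmarc_disposition("example.com", "example.com", "198.51.100.5"))
    print(dmarc_disposition("example.com", "example.com", "192.0.2.9"))
    print(dmarc_disposition("monitoring.example", "bulk.monitoring.example", "192.0.2.9"))
```

The `bulk.monitoring.example` case shows why step 4 of the implementation path matters: the message passes SPF, but strict alignment (`aspf=s`) treats the subdomain as a different identifier, so at `p=reject` that legitimate bulk mail would be dropped; at `p=none` it is delivered and surfaces in the aggregate reports, where the fix (relaxed alignment or a DKIM signature with `d=monitoring.example`) can be made before escalating.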
25.7.2 Email Gateway Controls
```text
# Microsoft Defender for Office 365 Anti-Phishing Policy
Anti-Phishing Policy Configuration:
  Impersonation Protection:
    - Protected users: All C-suite + key finance/IT personnel (list maintained)
    - Protected domains: All owned domains + key partner domains
    - Action on match: Quarantine + alert security team
  Spoofing Protection:
    - Intra-org spoofing: Enabled
    - Anti-spoofing intelligence: Enabled
  Advanced Phishing Thresholds:
    - Standard → Aggressive (for high-sensitivity org)
  Safe Links:
    - Time-of-click URL detonation: Enabled for all
    - Wrap all URLs: Enabled
  Safe Attachments:
    - Dynamic delivery: Enabled (deliver message, hold attachment for sandbox)
    - Detonation: All file types
```
25.8 Security Awareness Program Design
25.8.1 Program Components
```mermaid
graph TB
A[Security Awareness Program] --> B[Baseline Assessment\nPhishing + Knowledge Quiz]
A --> C[Core Training\nAnnual Curriculum]
A --> D[Ongoing Reinforcement\nMonthly micro-trainings]
A --> E[Phishing Simulations\nBi-monthly campaigns]
A --> F[Incident Reporting\nCulture + Easy Channel]
A --> G[Metrics & Reporting\nBoard visibility]
B --> H[Risk Score\nby Employee/Department]
E --> H
H --> I[Targeted Training\nfor High-Risk]
I --> E
```
25.8.2 Training Content Requirements
Security awareness training SHALL cover:
| Topic | Frequency | Format |
|---|---|---|
| Phishing recognition | Monthly simulation + quarterly training | Interactive + scenario |
| Password hygiene + MFA | Annual | Video + quiz |
| Physical security | Annual | Scenario-based |
| Data handling classification | Annual | Policy + scenarios |
| Incident reporting | Annual + reminder | Process walkthrough |
| Remote work security | Annual | Practical guide |
| Executive-level BEC | Targeted for executives | Custom scenarios |
| New employee onboarding | Day 1 | Mandatory before system access |
25.9 Benchmark Controls
| Control ID | Title | Requirement |
|---|---|---|
| Nexus SecOps-SE-01 | Phishing Simulation | Bi-monthly simulation; click rate target <5% |
| Nexus SecOps-SE-02 | Security Awareness Training | Annual curriculum + monthly reinforcement for all staff |
| Nexus SecOps-SE-03 | Email Authentication | SPF + DKIM + DMARC p=reject for all owned domains |
| Nexus SecOps-SE-04 | Anti-Phishing Gateway | Advanced email filtering with sandbox detonation |
| Nexus SecOps-SE-05 | Helpdesk Verification | Documented identity verification procedure for credential resets |
| Nexus SecOps-SE-06 | BEC Controls | Multi-person approval + out-of-band verification for wire transfers |
Exam Prep & Certifications
Relevant Certifications
The topics in this chapter align with the following certifications:
Key Terms
AiTM (Adversary-in-the-Middle) Phishing — Phishing that proxies the victim through to the legitimate site in real time, capturing session cookies to bypass MFA.
BEC (Business Email Compromise) — A category of social engineering attack targeting organizations by impersonating executives or vendors to authorize fraudulent wire transfers.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) — An email authentication protocol that builds on SPF and DKIM to specify what recipients should do with unauthenticated messages.
Pretexting — Creating a fabricated scenario (pretext) to manipulate a target into providing information or performing an action.
Spearphishing — A targeted phishing attack that uses specific, personalized information about the victim to increase credibility.
Vishing — Voice phishing — social engineering attacks conducted over telephone or VoIP.
Whaling — Phishing attacks specifically targeting senior executives (CEO, CFO, board members).