
Social Engineering Deep Dive

Social engineering is the art of manipulating people into giving up confidential information or performing actions that compromise security. Unlike technical attacks, social engineering exploits human psychology - trust, authority, urgency, curiosity, and fear - rather than software vulnerabilities. Understanding attack patterns is the first step toward building effective defences.


Attackers exploit cognitive biases and social norms that normally serve us well:

| Psychological lever | Normal use | Exploited as |
|---|---|---|
| Authority | Respect for legitimate authority figures | Fake executive requesting urgent wire transfer |
| Urgency | Act quickly in emergencies | "Your account will be deleted in 24 hours" |
| Social proof | Do what others do | "Your colleagues have already filled this out" |
| Reciprocity | Return favours | "I helped you last time - can you do this for me?" |
| Liking | More helpful to people we like | Building rapport before the ask |
| Scarcity | Act on limited-time opportunities | "This offer expires today - only 3 seats left" |
| Curiosity | Investigate interesting things | "Here's the CEO's salary spreadsheet" (malware) |
| Fear | Avoid consequences | "IRS has filed a warrant for your arrest" |

Phishing

Mass-sent fraudulent emails impersonating a trusted entity, designed to steal credentials or deliver malware.

Anatomy of a phishing email:

```text
┌──────────────────────────────────────────────────────────┐
│ From: [email protected]              ← typosquatting     │
│ Subject: URGENT: Account suspended   ← urgency trigger   │
│                                                          │
│ Your PayPal account has been limited due to suspicious   │
│ activity. You must verify your info within 24 hours      │
│ or your account will be permanently suspended.           │
│                                                          │
│ [Verify My Account]  ← link to malicious.example.com/pp  │
│                                                          │
│ PayPal Security Team                 ← false authority   │
└──────────────────────────────────────────────────────────┘
```
Red flags:
- Sender domain ≠ claimed organisation
- Urgent action required
- Generic greeting ("Dear Customer")
- Link destination ≠ expected domain
- Requests sensitive information via email / a form
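The red flags above can be checked mechanically on inbound mail. The following is an added example written for this page (it is not code from the original article): it parses a raw message, compares the sender domain with the brand the message claims to be from, catches digit-for-letter look-alike domains, compares the visible link text with the real `href` target, and looks for generic greetings and urgency wording. The brand-to-domain map, the look-alike heuristics, the flag names and the sample message (including its invented sender domain) are all constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand -> legitimate sending domains; a real deployment loads this from config.
KNOWN_BRANDS = {"paypal": {"paypal.com"}}
URGENT_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")

class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); use a public-suffix library in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss typosquats such as paypai.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, legit_domains):
    """True when domain imitates a legitimate one: digit homoglyphs, brand-in-label or a near miss."""
    if domain in legit_domains:
        return False
    # undo the most common look-alike substitutions before comparing
    normalised = domain.replace("0", "o").replace("1", "l").replace("rn", "m").replace("vv", "w")
    first_label = normalised.split(".")[0]
    brands = [legit.split(".")[0] for legit in legit_domains]
    return any(b in first_label or edit_distance(first_label, b) <= 2 for b in brands)

def phishing_red_flags(raw_message):
    """Return the set of red-flag codes found in one raw RFC 822 message (single-part HTML)."""
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    html = msg.get_payload()
    text = re.sub(r"<[^>]+>", " ", html)
    haystack = " ".join([display_name, msg.get("Subject", ""), text]).lower()
    flags = set()

    claimed = [b for b in KNOWN_BRANDS if b in haystack]
    legit = set().union(*(KNOWN_BRANDS[b] for b in claimed))
    if claimed and sender_domain not in legit:
        flags.add("sender-domain-mismatch")      # sender domain != claimed organisation
    if legit and is_lookalike(sender_domain, legit):
        flags.add("lookalike-sender")

    collector = _LinkCollector()
    collector.feed(html)
    for href, anchor in collector.links:
        href_domain = registrable_domain(urlparse(href).hostname or "")
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", anchor.lower())
        if shown and registrable_domain(shown.group(0)) != href_domain:
            flags.add("link-text-mismatch")      # visible URL differs from the real target
        if legit and href_domain not in legit:
            flags.add("link-unexpected-domain")  # link destination != expected domain

    if text.lower().lstrip().startswith(GENERIC_GREETINGS):
        flags.add("generic-greeting")
    if any(w in haystack for w in URGENT_WORDS):
        flags.add("urgency")
    return flags

# Constructed sample message; the sender domain is an invented look-alike, not a real one.
SAMPLE_PHISH = """\
From: PayPal Security Team <security@paypa1-verify.example>
Subject: URGENT: Account suspended
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Your PayPal account has been limited. You must verify your info within 24 hours.</p>
<p><a href="http://malicious.example/pp">https://www.paypal.com/verify</a></p></body></html>
"""
```

`phishing_red_flags(SAMPLE_PHISH)` returns all six flag codes; a genuine statement notification from `paypal.com` with a personal greeting and a link to `paypal.com` returns an empty set. The registrable-domain and look-alike checks are deliberately simple heuristics: in production, replace them with a public-suffix list and a confusables table, and treat the flags as signals for a mail gateway score rather than a verdict on their own.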

Spear phishing

Targeted phishing using personal information gathered about the victim (OSINT):

Generic phishing:

"Dear Customer..."

Spear phishing:

"Hi Alice,
I saw your LinkedIn post about the Q4 launch.
Per your conversation with Bob from the CFO office,
please approve the SaaS billing using the link below.
- David, Finance"

Research sources attackers use:

  • LinkedIn (job roles, org chart, project names, colleagues)
  • Company website (executive names, press releases, technology stack)
  • Twitter/X (travel plans, events attended, opinions)
  • Job postings (“experience with AWS, Salesforce, and PostgreSQL required” - reveals tech stack)
  • Data breach dumps (personal email, older passwords for password reuse)

Spear phishing targeting senior executives (CEO, CFO, CISO). Often involves:

  • Fake board meeting invitations
  • Fake legal notices (lawsuit, regulatory inquiry)
  • Fake M&A documents requiring urgent review

Business Email Compromise (BEC)

One of the most financially damaging attack types. The attacker either:

  1. Compromises a real executive’s email account
  2. Spoofs the email address convincingly
  3. Registers a lookalike domain (e.g., example-corp.com instead of examplecorp.com)

Then requests urgent wire transfers, gift cards, or payroll redirections.

Classic BEC flow:

```text
Attacker compromises or spoofs CEO email
→ Emails CFO: "I need you to wire $250,000 to our new supplier.
               Don't discuss with anyone - this is confidential
               until the acquisition is announced."
→ CFO wires money to attacker-controlled account
→ Money is gone within hours (often mule-laundered across countries)
```
Real-world scale:
FBI IC3 2023 report: BEC caused $2.9 billion in losses (US alone)

BEC defences:

  • DMARC/DKIM/SPF to prevent domain spoofing (see below)
  • Out-of-band verification for wire transfers > $X (phone call to known number)
  • Mandatory dual approval for large transfers
  • Train finance staff specifically on BEC patterns
```bash
# Check DMARC configuration on your domain
dig TXT _dmarc.example.com
# Should see: v=DMARC1; p=reject; rua=mailto:[email protected]
# p=none       = monitoring only (no protection)
# p=quarantine = suspicious mail goes to spam
# p=reject     = spoofed mail rejected outright

# Check SPF record
dig TXT example.com | grep "v=spf1"

# Check DKIM selector (replace selector1 with your actual DKIM selector)
dig TXT selector1._domainkey.example.com
```

Vishing

Phone-based social engineering. Common scenarios:

  • IT support impersonation: “Hi, this is Mike from IT. We’ve detected a virus on your computer. I need to remote in to clean it.”
  • Bank fraud call: “We’ve detected suspicious charges. For security, please confirm your card number and PIN.”
  • IRS/Government scam: “This is the IRS calling about a warrant for your arrest. You must pay immediately.”
  • Vendor impersonation: “This is your Microsoft account rep. Your subscription is about to be disabled unless you renew now.”
Vishing red flags:
- Unsolicited call - they called you, not the other way around
- Urgency ("act now or lose access")
- Requests for credentials, OTP codes, or remote access
- Asks you not to verify with anyone else
- Pushy if you try to delay or call back
Response template:
"I don't take security actions over the phone. Give me your name
and call-back number, and I'll call your organisation's main
switchboard to verify and return your call."

SMS messages with malicious links. Common themes:

  • Fake package delivery notifications (USPS, FedEx)
  • Fake bank OTP confirmations
  • “You’ve won a prize - click to claim”
  • Two-factor authentication-bypass: “Forward us the code we just sent you”

Pretexting

Creating a fabricated scenario (pretext) to establish trust before making the attack request:

Example pretexting scenarios:
1. "I'm a new employee - I lost my badge, can you let me through the door?"
2. "I'm from the auditing firm. The CFO said I can access the finance server remotely."
3. "I'm IT. We're upgrading your email account - I need your current password to migrate your settings."
4. "Hi, I'm a journalist writing about your company. Can you confirm your office address and primary IT vendor?"

Tailgating

Gaining physical access to a restricted area by following an authorised person through a secured door, often carrying boxes or appearing to be delivery staff.

Defences:

  • Mantrap / airlock doors (only one door opens at a time; badge + biometric before second opens)
  • Visual tailgating detection systems
  • Security culture: staff must politely challenge anyone who doesn’t badge in
  • Visitor escort policies: all visitors escorted at all times

Baiting

Leaving malicious devices (USB drives) in places where victims will find and plug them in:

```text
Real-world baiting campaigns:
- USB drives labelled "Q4 Salary Review" left in company car park
- USB drives dropped near building entrance
- Malicious charging cables left at hotel rooms or airports

When plugged in:
→ Executes as keyboard (HID attack): types commands into terminal
→ Auto-executes malware by appearing as a CD-ROM with autorun
→ Installs a RAT while showing a decoy document
```

Defence: Disable USB storage via Group Policy or MDM

```bash
# Windows GPO: Computer Configuration → Administrative Templates
# → System → Removable Storage Access → All Removable Storage classes: Deny all access

# Linux udev rule: deauthorise any newly attached USB device whose vendor ID is not
# the approved one (replace <approved_vid> with the 4-hex-digit vendor ID you allow).
# A quoted heredoc is used so the rule's own single quotes survive; nesting them inside
# an echo '...' string breaks the shell.
cat > /etc/udev/rules.d/99-usb-block.rules <<'EOF'
ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ATTR{idVendor}!="<approved_vid>", RUN+="/bin/sh -c 'echo 0 > /sys$devpath/authorized'"
EOF
udevadm control --reload-rules
```

Red Team Simulation - Social Engineering Tests


Running authorised social engineering tests measures your organisation’s resilience and identifies training gaps.

```bash
# GoPhish - open source phishing simulation
# (see company-security-culture.mdx for setup)

# Common phishing templates to test:
# - IT password expiry notice
# - HR "update your direct deposit information"
# - CEO survey ("quick team pulse check")
# - Shared document notification (Google Drive, OneDrive)

# Metrics to track:
# - Email open rate (how many opened the email)
# - Click rate (how many clicked the link)
# - Credential submission rate (how many entered credentials)
# - Report rate (how many reported to security team)

# Target success rates after training:
# - Click rate: < 5%
# - Credential submission: < 1%
# - Report rate: > 80%
```

Script for authorised vishing tests:

```text
Call flow for IT support impersonation test:
1. Identify a target using LinkedIn/company directory
2. Call target: "Hi [Name], this is [Name] from the IT service desk.
   We're seeing some unusual login attempts on your account.
   I need to verify your identity - can you confirm your employee ID
   and I can then ask you to verify by reading me the code we just sent
   you via SMS?"
3. If target provides info: record (failed test)
4. If target refuses: record (passed test)
5. Debrief always - explain what happened; don't shame
```

Authorised tailgating/pretexting tests:

  • Attempt to follow a real employee through badge-secured doors
  • Pose as an IT technician needing access to a server room
  • Leave “baited” USB drives (inert - no actual malware)

```bash
# Email authentication (prevent domain spoofing)

# SPF record (TXT record on your domain)
# v=spf1 include:_spf.google.com ~all
# "~all" = softfail; "-all" = reject non-matching mail

# DKIM - cryptographically sign outgoing mail
# Set up via your email provider (Google Workspace, Microsoft 365, etc.)
# They provide a public key to add as a TXT DNS record

# DMARC - policy for what to do when SPF/DKIM fails
# _dmarc.example.com TXT record:
echo "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; pct=100"
# p=reject: hard reject spoofed mail
# rua: aggregate reports (daily stats)
# ruf: forensic reports (per-failure report)

# Check if incoming mail header shows DMARC pass
# Look for: Authentication-Results: dmarc=pass
```
| Control | What it protects against |
|---|---|
| SPF | Email sent from unauthorised servers claiming to be your domain |
| DKIM | Email content tampered after leaving your server |
| DMARC | Defines what to do when SPF/DKIM fail; enables reporting |
| Anti-phishing filters | Known-bad URLs, lookalike domains, suspicious attachments |
| Advanced MFA (WebAuthn/FIDO2) | Credential theft - even correct password + OTP won't work on a fake site |
| URL detonation | Sandboxes clicked links before allowing access |
| Attachment sandboxing | Executes opened attachments in isolated environment |
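The SPF and DMARC records described in the two `dig`/DMARC blocks above (the BEC defences check and the email authentication setup) can be graded mechanically. The following is an added example written for this page, not code from the article or any vendor tool: it parses SPF and DMARC TXT record strings (fetch them with `dig` as shown, or with a DNS library; the grading itself runs offline), reports the protection level each gives, extracts the verdicts from an Authentication-Results header, and combines the two records into a single spoofing-protected verdict. The sample records are constructed, with example.com placeholder addresses; the level names and findings text are this example's own.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_MECHANISMS = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dict, or return None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def grade_dmarc(record):
    """Return (level, findings); level is one of none, monitoring, quarantine, reject."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none", ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    policy = tags.get("p", "none").lower()
    level = {"quarantine": "quarantine", "reject": "reject"}.get(policy, "monitoring")
    findings = []
    if level == "monitoring":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua tag: you receive no aggregate reports")
    return level, findings

def grade_spf(record):
    """Return (level, findings); level is one of none, permissive, neutral, soft, strict."""
    if not record.lower().startswith("v=spf1"):
        return "none", ["no SPF record"]
    terms = record.split()[1:]
    findings = []
    lookups = sum(1 for t in terms if LOOKUP_MECHANISMS.match(t))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    level = "neutral"  # RFC 7208: no matching mechanism and no 'all' term evaluates to neutral
    for term in terms:
        m = re.fullmatch(r"([+\-~?])?all", term, re.I)
        if m:
            level = {"-": "strict", "~": "soft", "?": "neutral"}.get(m.group(1), "permissive")
            break
    if level == "permissive":
        findings.append("+all authorises every server on the internet to send as your domain")
    elif level == "soft":
        findings.append("~all is softfail: receivers may only mark, but DMARC still treats it as not-pass")
    elif level == "neutral":
        findings.append("no -all/~all: unlisted senders are treated as neutral")
    return level, findings

def authentication_results(header_value):
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header_value.lower()))

def spoofing_protected(spf_record, dmarc_record):
    """Direct domain spoofing is blocked when DMARC enforces a policy and SPF does not hand out
    a pass to everyone: any SPF verdict other than 'pass' fails DMARC's SPF leg, so only +all
    (permissive) undermines enforcement."""
    return (grade_dmarc(dmarc_record)[0] in ("quarantine", "reject")
            and grade_spf(spf_record)[0] != "permissive")

if __name__ == "__main__":
    # Constructed records in the shape the page shows, with placeholder report addresses.
    spf = "v=spf1 include:_spf.google.com ~all"
    dmarc = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
    print(grade_spf(spf), grade_dmarc(dmarc), spoofing_protected(spf, dmarc))
```

Running the block on the page's own record shapes gives SPF level `soft` (with the softfail note), DMARC level `reject` with no findings, and an overall protected verdict. The useful edge cases are the ones operators miss: `p=none` is monitoring, not protection; `pct` below 100 leaves a slice of spoofed mail unpoliced; and an SPF record ending in `+all` makes even `p=reject` worthless because every sender passes alignment.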

The single most effective protection against all social engineering attacks:

```text
Received an unusual request via email/phone/chat?
→ Do NOT use contact info provided IN that message
→ Look up the requestor's contact info independently
  (company directory, official website, ID card)
→ Call them back to verify BEFORE taking any action
→ This one step defeats BEC, vishing, and impersonation attacks
```