Social Engineering

Explain Defining Social Engineering.

Explain The Psychology of Social Engineering: Cialdini's Principles of Influence.

Explain . Reciprocity.

Explain . Commitment and Consistency.

Social engineering in a security context refers to any technique that uses psychological manipulation — rather than technical exploitation — to gain unauthorized access to…

The social engineer's targets are people, not machines.

Their tools are trust, deception, urgency, and authority.

Social engineering in a security context refers to any technique that uses psychological manipulation — rather than technical exploitation — to gain unauthorized access to…

The social engineer's targets are people, not machines.

Their tools are trust, deception, urgency, and authority.

Social engineer Kevin Mitnick, one of the most famous hackers in history, spent years evading law enforcement not primarily through technical wizardry but through his ability to…

Psychologist Robert Cialdini's landmark 1984 book Influence: The Psychology of Persuasion identified six principles of influence that explain why people comply with requests.

Social engineers deliberately exploit all six.

The Psychology of Social Engineering: Cialdini's Principles of Influence connects to risk, controls, and evidence.

People feel obligated to return favors.

If an attacker performs a small kindness — helps you with a task, provides useful information — you feel a subconscious debt.

That debt makes you more likely to comply with a subsequent request, even if it is inappropriate or security-violating.

Once a person commits to a position or action, they are strongly motivated to remain consistent with that commitment.

Attackers exploit this by first obtaining small, innocuous commitments and then escalating.

If a target agrees that "of course I want to keep our systems secure," they become more susceptible to a subsequent request framed as being in service of that stated commitment.

People look to the behavior of others when uncertain about how to act.

"Everyone else is doing it" is a powerful driver.

Attackers invoke social proof by claiming other employees have already complied with a request, creating the impression that resistance is abnormal.

People comply with requests from those they perceive as authorities.

Attackers impersonate executives, IT staff, law enforcement, or government officials.

The mere perception of authority — conveyed through a confident voice, technical jargon, or an official-sounding title — can be enough to override a target's skepticism.

People are more likely to comply with requests from those they like.

Attackers invest time in building rapport, mirroring behavior, expressing shared interests, and flattering targets.

Online research (via social media) enables attackers to identify interests, mutual connections, and personal details that help them appear relatable and trustworthy.

People place higher value on things that are scarce and respond urgently to the prospect of missing out.

Creating artificial urgency ("I need this done in the next 10 minutes or the system will go down") bypasses deliberate thinking and pushes targets toward compliance without…

These principles are not separately deployed — skilled social engineers weave them together in real time, adapting based on the target's responses.

Phishing is the most prevalent form of social engineering attack.

The attacker sends fraudulent emails designed to appear as legitimate communications from trusted sources — banks, technology companies, government agencies, or the target's own…

Phishing operates at scale — the same message is sent to thousands or millions of recipients, with the attacker needing only a small percentage to succeed.

Spear phishing is a targeted variant of phishing in which the attacker customizes the message for a specific individual or organization.

Using information gathered from social media, corporate websites, press releases, or prior reconnaissance, the attacker crafts a message that is highly credible to the specific…

A spear phish to a corporate finance employee might reference a real upcoming event, invoke a real executive's name, and use the correct internal terminology — making it far more…

Spear phishing is significantly more effective than broad phishing: industry data suggests spear phishing open rates and click rates are substantially higher than generic phishing.

Whaling is spear phishing directed at senior executives — the "big fish" in an organization.

These attacks are particularly high-value because executives often have access to financial systems, strategic information, and can authorize large transfers or data disclosures.

Whaling attacks frequently masquerade as legal documents, regulatory notices, or urgent communications from the board of directors.

Vishing uses phone calls to manipulate targets.

Attackers impersonate bank fraud departments, technical support personnel, government agencies (such as the IRS), or internal IT staff.

Voice conveys confidence, urgency, and human connection in ways that email cannot, making vishing sometimes more effective at bypassing skepticism.

Caller ID spoofing technology makes it trivially easy to make a call appear to originate from any number, including legitimate organizational phone numbers.

Smishing uses text messages (SMS) to deliver phishing messages.

Targets receive texts appearing to be from their bank, a package delivery service, or a government agency, often with a link to a malicious site optimized for mobile display.

The relative novelty of SMS-based attacks — many users have not been specifically warned about them — and the typically less scrutinized nature of text messages contribute to…

Pretexting involves creating a fabricated scenario (a "pretext") to extract information from a target.

The attacker invents an identity and backstory — a new IT employee, an auditor, a vendor representative, a journalist — and uses this false identity to gain trust and elicit…

Unlike phishing, pretexting is typically an interactive, real-time engagement.

The attacker maintains the pretext throughout the conversation, adapting to questions and objections.

Baiting lures targets with the promise of something desirable.

The classic example is the USB drop attack: USB drives loaded with malware are intentionally left in parking lots, restrooms, or common areas, labeled with enticing labels…

A curious or opportunistic employee picks up the drive and plugs it into a work computer, triggering malware installation.

A 2016 experiment by researchers at the University of Illinois found that of nearly 300 USB drives dropped around a university campus, 45–98% (depending on labeling) were picked…

Quid pro quo (Latin: "something for something") attacks offer a service in exchange for information.

A common form involves an attacker calling employees and offering free IT support or a software upgrade.

In exchange for this "help," the attacker requests credentials or remote access to the system.

The helpfulness and reciprocity dynamic make targets more likely to comply.

A watering hole attack compromises a website known to be frequented by members of a specific target organization or industry.

Rather than attacking the target directly (which may have strong defenses), the attacker compromises a third-party site the target regularly visits — an industry forum, a news…

The technique exploits the implicit trust users place in familiar websites.

Business Email Compromise is a sophisticated attack in which attackers compromise or impersonate corporate email accounts to conduct financial fraud.

A typical BEC attack involves an attacker impersonating an executive (often the CEO or CFO) and instructing a finance employee to make an urgent wire transfer to an account…

Alternatively, attackers may compromise a vendor's email account and redirect legitimate invoices to fraudulent banking details.

The FBI has consistently identified BEC as the highest-grossing form of cybercrime, with global losses measured in billions of dollars annually.

A rapidly emerging threat involves the use of AI-generated synthetic media — deepfake audio and video — to impersonate individuals in social engineering attacks.

In documented cases, attackers have used AI-generated voice clones of executives to authorize fraudulent wire transfers over the phone.

In 2020, a criminal group reportedly used deepfake audio to impersonate a bank director's voice and convince a bank manager to transfer $35 million.

As the technology becomes more accessible and realistic, this attack vector is expected to grow significantly.

Recognizing social engineering in real time is difficult because these attacks are designed to exploit cognition rather than trigger logical analysis.

Nevertheless, there are warning signs that should prompt heightened scrutiny: - Unexpected urgency or pressure: Legitimate organizations do not typically demand immediate action…

- Requests for sensitive information: No legitimate IT department will ask for a password; no legitimate bank representative needs your full card number if they initiated the call.

- Unusual communication channels: An executive requesting a wire transfer via personal Gmail rather than corporate email is suspicious.

Defining Social Engineering

The Psychology of Social Engineering: Cialdini's Principles of Influence

. Reciprocity

. Commitment and Consistency

Where Defining Social Engineering applies.

Where The Psychology of Social Engineering: Cialdini's Principles of Influence applies.

How the difference changes the security decision.

Identify the asset or process at risk.

Choose a preventive, detective, or corrective control.

Explain what evidence would prove the control is working.

Define one core concept in plain language.

Compare two controls or threats from the week.

Apply one idea to a campus or business system.

Evaluate why a solution might fail in practice.

Collect evidence, not just screenshots.

Explain what the artifact proves.

Connect the proof back to risk and control selection.

Social Engineering

Security is a decision process, not just a tool list.

Use the reading to justify practical choices.