
Social engineering (security)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Social engineering (security)
Caption: Common forms include phishing, pretexting, and baiting
Field: Computer security, Information security
Related: Cybersecurity, Human factors, Insider threat

Social engineering (security) is the practice of manipulating individuals into disclosing information, performing actions, or granting access that compromises the security of systems, organizations, or individuals. It draws on Computer security, Information security, and Psychology, and on the operational tactics seen in incidents involving entities such as Yahoo!, Sony Pictures Entertainment, Target Corporation, and Equifax. Social engineering attacks exploit human behavior and institutional practices at organizations including Microsoft, Google, Amazon (company), Twitter, Facebook, Apple Inc., PayPal, and Citigroup.

Overview and Definitions

Social engineering involves deceptive interactions that co-opt trust, authority, curiosity, or urgency to manipulate people affiliated with organizations such as IBM, AT&T, Verizon Communications, Siemens, and Siemens AG. Commonly used terms include phishing, spear phishing, whaling, vishing, smishing, pretexting, baiting, and tailgating, which are documented in advisories from institutions such as the National Institute of Standards and Technology, the Federal Bureau of Investigation, the Department of Homeland Security, Europol, and INTERPOL. Definitions intersect with standards such as ISO/IEC 27001 and NIST Special Publication 800-53, and with regulatory frameworks such as the General Data Protection Regulation and the Sarbanes–Oxley Act. Threat actors range from lone operators to groups tied to entities such as Fancy Bear, Lazarus Group, and Anonymous (group), and to criminal syndicates investigated by the FBI and the Secret Service.

History and Notable Incidents

Early documented cases trace to confidence schemes studied through figures like Frank Abagnale and to events involving Kevin Mitnick. High-profile breaches employing social engineering include the compromise of Sony Pictures Entertainment linked to North Korea, the 2016 Democratic National Committee cyber attacks affecting the DNC, the Target Corporation data breach tied to HVAC vendor access, and the Equifax data breach, which resulted from combined technical and human failures. Notable operations were exposed by investigations into Hacking Team and Cambridge Analytica, and by incidents affecting Yahoo! and Adobe Systems. Law enforcement actions include prosecutions by the United States Department of Justice, extraditions involving Romania and the United Kingdom, and coordination with Europol and INTERPOL.

Techniques and Attack Vectors

Common vectors include email campaigns impersonating institutions such as Bank of America, Wells Fargo, JPMorgan Chase, the IRS (United States), or PayPal, as well as telephone schemes that exploit trust by referencing United Parcel Service, FedEx, or DHL. Attackers harvest credentials for services run on Microsoft Azure, Amazon Web Services, and Google Workspace, and exploit third-party vendors linked to Target Corporation or Home Depot. Physical methods involve gaining access to facilities operated by Boeing, Lockheed Martin, NASA, and Tesla, Inc. via tailgating or pretexting. Social media reconnaissance targets profiles on Facebook, LinkedIn, Twitter, Instagram, and TikTok to craft spear-phishing lures tied to events such as Black Hat (conference), DEF CON, and RSA Conference.

Psychological Principles and Manipulation Tactics

Attackers exploit principles outlined by scholars such as Robert Cialdini, whose work informs tactics based on reciprocity, commitment, social proof, authority, liking, and scarcity. They manipulate trust in figures associated with Harvard University, Stanford University, MIT, Yale University, and Princeton University, or in professional memberships such as ISACA and (ISC)². Tactics leverage cognitive biases identified in studies from the University of Cambridge, the University of Oxford, and Stanford University; such biases were also applied in operations linked to Cambridge Analytica and in political influence campaigns exemplified by the Brexit referendum and the 2016 United States presidential election.

Targets, Vulnerabilities, and Risk Factors

Targets include executives (CEO, CFO) at corporations such as General Electric, ExxonMobil, and Chevron Corporation, and at public institutions such as the World Health Organization, the United Nations, the European Commission, and NATO. Vulnerable populations include employees of Small Business Administration clients, contractors for the Department of Defense, healthcare workers at Mayo Clinic and Johns Hopkins Hospital, and customers of Walmart. Risk factors include inadequate training relative to NIST guidelines, weak identity verification reminiscent of incidents at Maersk, poor vendor management as seen with Target Corporation, and insufficient incident response planning measured against the NIST Cybersecurity Framework.

Prevention, Detection, and Mitigation Strategies

Mitigations combine technical controls from Microsoft Defender, Google Chronicle, Cisco Systems, and Palo Alto Networks with human-focused measures: security awareness programs such as those from SANS Institute, SANS Security Awareness, and KnowBe4, and corporate training at Deloitte, PwC, KPMG, and Ernst & Young. Practices include multi-factor authentication from providers such as Authy and Duo Security, access controls referenced in ISO/IEC 27001, phishing simulations modeled on campaigns described in the Verizon Data Breach Investigations Report, and incident response playbooks aligned with NIST Special Publication 800-61. Law enforcement coordination may involve the FBI, the Secret Service, Europol, and INTERPOL.
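The brand-impersonation email vector listed under Techniques and the detection side of the mitigations above, as an added example that is not part of the original article: a small Python checker that flags a From: header whose display name invokes a brand while the sending domain is not one the brand uses, a homoglyph lookalike domain, or a Reply-To that diverts replies elsewhere. The brand-to-domain allowlist, the homoglyph table, and the sample message are all constructed assumptions, not authoritative data.

```python
import email
import re
from email.utils import parseaddr

# Constructed allowlist: brands the article names as impersonation targets, mapped to
# the sending domains a defender would accept for them (assumed values, not authoritative).
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "paypal": {"paypal.com"},
    "fedex": {"fedex.com"},
}
# Digit-for-letter substitutions commonly seen in lookalike domains (constructed table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def registered_domain(addr):
    """Return the last two labels of an address's domain, e.g. 'paypal.com'."""
    labels = addr.rpartition("@")[2].lower().split(".")
    return ".".join(labels[-2:])

def normalize(domain):
    """Fold homoglyph digits and hyphens so 'paypa1.com' compares equal to 'paypal.com'."""
    return domain.translate(HOMOGLYPHS).replace("-", "")

def check_from_header(raw_message):
    """Return a list of impersonation findings for a raw RFC 5322 message string."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registered_domain(addr)
    findings = []
    for brand, good in BRAND_DOMAINS.items():
        # Display name invokes a brand, but the header sender is not one of its domains.
        claimed = re.search(r"\b" + re.escape(brand) + r"\b", display.lower())
        if claimed and from_dom not in good:
            findings.append(f"display name claims {brand!r} but sender domain is {from_dom}")
        # Sender domain is a homoglyph lookalike of a legitimate brand domain.
        for g in good:
            if from_dom != g and normalize(from_dom) == normalize(g):
                findings.append(f"lookalike domain {from_dom} resembles {g}")
    # A Reply-To pointing elsewhere is a classic sign that replies are being harvested.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registered_domain(reply) != from_dom:
        findings.append(f"Reply-To domain {registered_domain(reply)} differs from {from_dom}")
    return findings

# Constructed sample of a phishing lure (not a real message) for a stand-alone run.
SAMPLE = ('From: "PayPal Customer Service" <service@paypa1.com>\n'
          'Reply-To: "PayPal" <help@mail-verify.net>\n\nConfirm your details within 24 hours.')
```

Running `check_from_header(SAMPLE)` returns three findings for the constructed lure, and an empty list for a message sent from an allowlisted domain with no divergent Reply-To.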

Legal frameworks governing social engineering incidents intersect with statutes and regulations such as the Computer Fraud and Abuse Act, the General Data Protection Regulation, the Data Protection Act 2018 (UK), and the Cybersecurity Information Sharing Act, with enforcement by agencies such as the Federal Trade Commission and the Information Commissioner's Office. Ethical debates engage institutions such as the Association for Computing Machinery, IEEE, Harvard Kennedy School, and the Oxford Internet Institute over acceptable research practices, red-team activities for Microsoft and Google under coordinated disclosure, and issues raised by incidents involving Cambridge Analytica and political campaigns.
