Chapter 20 Β· Concepts

Social Engineering β€” Core Concepts

Comparison tables, attack anatomy, and the defense framework for the exam.

Six Principles of Influence β€” The Social Engineering Playbook

AUTHORITY

People obey apparent authority figures. We are conditioned from childhood to comply with executives, law enforcement, IT administrators, doctors, and auditors.

Attack: Impersonate CEO, IT admin, IRS agent, or auditor to issue commands that bypass normal skepticism.

Defense: Verify identity through an independent channel before acting β€” never based on the communication that initiated the request.

URGENCY

Time pressure disables critical thinking. When we believe we must act immediately, we skip verification steps and bypass normal procedures.

Attack: "Wire this today or the acquisition falls through." "Your account will be locked in 30 minutes." Any artificial deadline.

Defense: Any request that requires bypassing normal procedure because of urgency is a red flag β€” pause and verify. Legitimate deadlines have established processes.

SCARCITY

Fear of losing something or missing out creates compliance. The prospect of loss is more motivating than the prospect of gain.

Attack: "Your account will be permanently deleted in 24 hours." "This is the last notice before we refer this to collections."

Defense: Pause and verify through a known, independent contact. Real threats from real organizations have real processes β€” not just an email with a countdown.

SOCIAL PROOF

If others are doing it, it must be correct. Reduces the target's sense that they're doing something unusual or suspicious.

Attack: "All your colleagues in the department have already updated their credentials in the new system β€” you're the only one left." Creates peer pressure to comply.

Defense: Verify claims independently. Call the colleague directly. Check with IT. Claims about what others have done are cheap and unverifiable from the email alone.

FAMILIARITY / LIKING

We trust people we know, people who seem like us, or people who seem to know us. Rapport reduces skepticism dramatically.

Attack: Research the target to build rapport β€” reference their actual manager, a real recent project, a mutual LinkedIn connection. The email feels like it's from an insider.

Defense: Trust verification processes, not feelings. A convincing email still requires out-of-band verification for sensitive requests. Familiarity is easy to fake with OSINT.

INTIMIDATION

Threats create compliance. Fear of consequences overrides skepticism β€” especially when the threatened authority has real power.

Attack: "This is the IRS β€” failure to comply immediately will result in an arrest warrant being issued within the hour." Creates fear that bypasses all rational evaluation.

Defense: Legitimate authorities follow established legal procedures β€” they do not demand immediate compliance via phone or email. Hang up and call the agency's published number.

Social Engineering Attack Comparison

Attack TypeMediumTargetSophisticationPrimary Principle(s)
PhishingEmailMass / anyoneLowUrgency, Authority
Spear PhishingEmailSpecific individualMediumFamiliarity, Authority
WhalingEmailC-suite executivesHighAuthority, Urgency, Secrecy
VishingPhoneHelp desk / employeesMediumAuthority, Urgency
SmishingSMSMobile usersLow–MediumUrgency, Scarcity
BECEmail + PhoneFinance / accountingVery HighAuthority, Urgency, Secrecy
Quid Pro QuoPhoneRandom employeesLowFamiliarity, Reciprocity
TailgatingPhysicalAnyone with badge accessLowFamiliarity, Social courtesy
Watering HoleWebSpecific industry groupHighFamiliarity (trusted site)

BEC Attack Anatomy β€” Step by Step

1
Reconnaissance
Attacker researches the target organization on LinkedIn, company website, social media, and press releases. Identifies key personnel: CFO name, executive assistant name, CEO travel schedule and conference attendance. Confirms the CEO is unreachable by phone on a specific date.
↓ Intelligence gathered β€” pretext constructed
2
Pretext Construction
Craft the scenario: CEO is at a conference (confirmed publicly), an urgent acquisition is closing (context from press releases), the request is confidential (prevents consultation), phone calls are unavailable (explains why callback is not possible). Every element is sourced from open-source intelligence.
↓ Pretext ready β€” delivery prepared
3
Spoofed Communication
Email from a CEO-lookalike address (ceo@company-inc.com instead of ceo@company.com β€” hyphenated variant of the real domain). Tone and writing style matches the CEO's known communications. Email arrives during business hours on the day the CEO is confirmed to be traveling.
↓ Message sent β€” target receives it
4
Execute
Target (executive assistant or CFO) receives the request. Authority (CEO) + Urgency (closes today) + Secrecy (don't tell anyone) creates maximum compliance pressure. The email asks for a wire transfer to an attacker-controlled account. Target's normal verification instincts are suppressed by all three principles simultaneously.
↓ Target complies β€” funds transferred
5
Collect
Funds transferred to attacker-controlled account β€” typically a money mule account that immediately forwards funds internationally. Wire transfers are typically irreversible within hours. By the time the fraud is discovered, the money is gone. Average detection time: the next business day, when the real CEO is contacted about the "acquisition."
BEC Signature: Authority + Urgency + Secrecy Any single financial request that contains all three of these elements β€” impersonating an authority figure, demanding immediate action, and instructing secrecy β€” is the BEC attack pattern. This combination does not appear in legitimate business processes. Real urgent transactions have established procedures. Secrecy from colleagues is a manipulation, not a legitimate business requirement.

Defense Framework Against Social Engineering

LayerControlWhat It Stops
Detect Security awareness training β€” teach employees what attacks look like, which principles they exploit, and what the red flags are Reduces the window of successful deception; employees recognize attack patterns before acting
Verify Out-of-band verification for any sensitive request β€” call a known number from the corporate directory, not any number provided in the suspicious message BEC, vishing, email impersonation β€” any attack that relies on the target trusting the communication channel
Slow Down Policy: urgency in a request triggers mandatory verification, not faster compliance. Large transfers require dual authorization from separate people in separate channels BEC, pretexting β€” attacks that use urgency to bypass verification steps
Report Clear, blame-free reporting procedure for suspected attacks. One-click reporting for suspicious emails. Recognition for employees who correctly identify and report social engineering attempts Reduces dwell time; converts near-misses into intelligence; prevents shame from suppressing reports
Physical Controls Mantraps (security vestibules), badge challenge policy, visitor escort requirements, privacy screen filters, shredding policy Tailgating, shoulder surfing, dumpster diving, physical impersonation
Technical Controls DMARC enforcement on email domain, external email banners, display-name-vs-domain mismatch alerts, MFA on all financial systems Domain spoofing (reduces BEC from spoofed domains), credential theft (MFA limits damage even when credentials are compromised)