Social Engineering
Manipulating people through psychological deception to perform actions or reveal information that compromises security. Exploits human trust, authority bias, urgency response, and social norms rather than technical vulnerabilities. The human is both the attack surface and the exploit.
Pretexting
Creating a fabricated scenario (the pretext) to gain a target's trust. The attacker invents a plausible context β posing as IT support, an auditor, a vendor, or an executive β to justify their request. All BEC attacks involve pretexting. The more believable the pretext, the higher the success rate.
Impersonation
Posing as a trusted individual or authority figure β physically, by phone, or digitally. Can involve wearing uniforms or costumes, spoofing caller ID, or compromising legitimate accounts. Effective because targets verify identity through superficial cues (appearance, email format, caller ID) rather than through independent verification.
Tailgating (Piggybacking)
Gaining unauthorized physical access by following an authorized person through a secured door. Exploits social courtesy β people naturally hold doors for others and do not challenge confident-looking individuals. Defense: mantrap installations, strict badge challenge policy, security culture where every uncredentialed person is questioned.
Shoulder Surfing
Observing a target's screen, keyboard, or documents to capture sensitive information β passwords, PINs, confidential data. Common in public spaces: airports, coffee shops, open-plan offices, public transit. Defense: screen privacy filters, positional awareness, locking screens when leaving the desk.
Dumpster Diving
Searching through discarded materials to find useful information β org charts, sticky-note passwords, financial documents, network diagrams, old access badges. Provides reconnaissance data for social engineering and targeted phishing. Defense: shredding all sensitive documents before disposal, clean desk policy, locked waste disposal.
Vishing
Voice phishing. Phone calls impersonating legitimate organizations (IT help desk, IRS, bank fraud department) to extract information or credentials. Caller ID spoofing makes the originating number appear legitimate. Defense: callback verification β hang up and call the institution back at a known number from an independent source. Never provide credentials based on an incoming call.
Smishing
SMS phishing. Text messages containing malicious links or urgent requests impersonating banks, package carriers, or government agencies. Short URL masking hides the true destination. The mobile context and abbreviated format reduce scrutiny. Often triggers credential harvesting pages or malware downloads.
Whaling
Spear phishing targeting C-suite executives or senior leadership (CEO, CFO, CTO, board members). Higher research investment justified by higher target value β executives can authorize wire transfers, access the most sensitive systems, and sign contracts. Often the first stage of a Business Email Compromise attack.
Spear Phishing
Targeted phishing using personal information about the victim to increase credibility. References the victim's name, employer, role, colleagues, manager, or recent activities β unlike generic mass phishing. Much higher success rates because the email appears to come from someone who knows the target. The #1 initial access vector for advanced persistent threat (APT) campaigns.
Business Email Compromise (BEC)
Impersonating executives or trusted business contacts to authorize fraudulent financial transactions. Typically: attacker impersonates CEO, targets CFO or accounting staff, creates urgency around a wire transfer. Annual losses exceed $2 billion globally. Hallmarks: Authority + Urgency + Secrecy in a single request. Combines pretexting, impersonation, and psychological manipulation.
Quid Pro Quo
Offering a service, help, or benefit in exchange for information or access. Classic example: fake IT support calls offering to fix a nonexistent computer problem in exchange for login credentials. The target receives apparent value (help) and provides access in return. Exploits the reciprocity principle β we feel obligated to give something back when we receive help.
Watering Hole Attack
Compromising a website frequently visited by the target group, then waiting for them to visit. The attacker infects the destination instead of sending malicious content to the target. No suspicious email is sent β the attack occurs entirely at the website layer. Bypasses email filters completely. Named after the predator strategy of waiting at the water source for prey.
Authority (Social Engineering Principle)
People comply with requests from apparent authority figures β executives, IT administrators, law enforcement, government agencies. Attackers impersonate authority to bypass critical thinking. The more convincingly authority is projected, the more likely the target will comply without verifying. Defense: verify identity through an independent channel before acting on any authority-based request.
Urgency (Social Engineering Principle)
Artificial time pressure that prevents the target from thinking critically or following verification procedures. "This needs to happen in the next 30 minutes or the deal falls through." Urgency is the attacker's most reliable tool β it disables the verification instinct. Security principle: any request that requires bypassing normal security procedures because of urgency should trigger MORE scrutiny, not less.
Security Awareness Training
Organized education programs teaching employees to recognize and respond to social engineering attempts. Includes simulated phishing campaigns, scenario-based training, and clear reporting procedures. Most effective when combined with process controls (dual authorization, callback verification). A blame-free reporting culture is essential β unreported incidents are far more dangerous than reported ones.