Social Attack Taxonomy
Different social engineering attacks target different people, operate through different channels, and require different defenses. Understanding this matrix helps assign the right controls to the right attack type.
| Attack | Category | Primary Target | Key Defense |
|---|---|---|---|
| Spam | Unsolicited bulk | Email system / any user | Spam filters, email authentication (SPF, DKIM, DMARC) |
| SPIM | Unsolicited bulk | IM platform users (Teams, Slack) | Platform security controls, MFA, user awareness |
| Hoax | Manipulation | Security behavior / all staff | User education, established official communication channels, IT verification before acting |
| Disinformation | Influence | Public trust, markets, customers | Brand monitoring, crisis communications plan, source verification |
| Elicitation | Intelligence gathering | Employees with specific knowledge | Need-to-know training, information classification awareness, conference briefings |
| USB drop | Physical access | Any employee with physical workstation access | Disable USB ports, device control software, awareness training |
| HID attack | Physical access | Any USB port | USB data blockers, HID device policy, physical USB blockers |
| Invoice fraud | Financial deception | Finance / accounts payable staff | Out-of-band callback verification, dual approval for payment changes |
| Influence ops | Coordinated deception | Organization reputation, markets, staff | Brand monitoring, rapid response, platform reporting, legal action |
The Elicitation Technique Toolkit
Elicitation practitioners use a set of well-documented conversational techniques to draw out sensitive information without triggering suspicion. Recognizing these patterns is the first step in defending against them.
Flattery
"You clearly know more about this than anyone β what's your take on [sensitive topic]?"
Making the target feel like the recognized expert in the room. Exploits the natural desire to demonstrate competence and share knowledge when someone acknowledges your expertise. The target talks more and more freely to live up to the flattery.
Feigned Ignorance
"I'm still learning about this area β how does your [system / process / approach] actually work?"
Positioning as a novice to invite explanation. Exploits the human instinct to be helpful and teach. The target explains concepts in detail that they would never summarize in a formal context. People explain more clearly to someone who "doesn't understand."
Deliberate False Statement
"I heard your company is migrating to AWS next year."
State something plausibly wrong. If the target corrects you β "Actually, we went with Azure" β they have just provided the accurate answer. People feel compelled to correct factual errors, especially about their own organization. The correction contains the real information.
Provocative Question
"Isn't it true that [company's security practice] is actually quite weak compared to industry standards?"
Challenge the target's professional pride or their organization's reputation. The target defends their organization by explaining what they actually do β revealing processes, investments, and capabilities that confirm or deny the provocation. Defense = disclosure.
Bracketing
"I'd estimate you have about 500 servers in that environment β is that about right?"
Offer a plausible but deliberately incorrect estimate. The target corrects with the real number: "No, we have closer to 1,200." The correction has revealed the actual figure. Works on quantities, timelines, team sizes, budget ranges β any numeric information.
Volunteering Information
"We had a similar vulnerability last year β it was a nightmare to patch."
Offer a false or exaggerated detail about yourself or your organization, hoping the target will reciprocate with real information about theirs. Exploits conversational reciprocity β sharing invites sharing. The practitioner's "vulnerability" is fabricated; the target's disclosure is real.
USB Drop Defense Layers
USB drop attacks have multiple variants requiring multiple defense layers. A single control is insufficient.
Use Windows Group Policy to disable USB storage device installation. Prevents standard malware-drop USB drives from mounting as storage. Does not prevent HID attacks (keyboard devices are not storage).
Endpoint management tools (e.g., DriveLock, Ivanti) allowlist only known, authorized USB devices by serial number. Unknown devices are blocked entirely, including unknown HID devices. More granular than Group Policy alone.
"USB condoms" β pass-through adapters that block data pins while allowing power delivery. Charging-only use case is protected from HID attacks because data pins are physically severed. Required at public charging stations and shared workstations.
Employees should not plug in any found or gifted USB device under any circumstances β not into work machines, not into personal machines, not into air-gapped machines. The label is the weapon. Training must explicitly address the psychological triggers (curiosity, helpfulness) that USB drop labels exploit.
If an endpoint is compromised via USB, network segmentation limits the blast radius. A compromised workstation that cannot directly reach financial systems, authentication servers, or production databases requires additional lateral movement steps β providing detection opportunities and limiting damage.
Disinformation Response Framework
When false information about your organization begins spreading, time is critical. Each hour of unchecked spread increases the credibility of the false narrative. This framework defines the response sequence.
1. Monitor
Brand monitoring services alert within minutes of coordinated mention spikes, impersonation accounts, or abnormal posting patterns. Do not rely on employees or customers to tell you β by the time they do, the narrative has spread. Set up alerts for company name, executive names, product names, and common misspelling variants.
2. Assess
Is this spreading? What is the source β organic user complaint or coordinated campaign? Are there bot-like account characteristics (new accounts, identical posting patterns, purchased followers)? Quantify reach and rate of spread. Determine whether this is disinformation (deliberate adversary), misinformation (spread by believers), or a legitimate complaint that requires a different response.
3. Respond
Issue a clear, factual, measured correction through official verified channels β company website, verified social media accounts. Do not be defensive or dismissive. Link to verifiable evidence where possible. Every hour of silence is perceived as confirmation. Speed matters more than perfection in the early window.
4. Contact Platforms
Report coordinated fake account networks to platform trust-and-safety teams with evidence: account creation timestamps, naming patterns, synchronized posting behavior, fabricated content. Platforms can remove coordinated inauthentic behavior at scale once reported with documented evidence.
5. Document
Preserve all evidence: screenshots, account identifiers, post timestamps, spreading patterns, financial or operational impact data. Documentation supports legal action, regulatory reporting, and insurance claims. If the stock price was materially affected, legal counsel should assess SEC disclosure obligations.
6. Brief Executives
Prepare executives for media inquiries before they receive calls. Agree on messaging. Identify the approved spokesperson. Ensure executives do not make off-the-cuff statements that contradict the official position. A single inconsistent statement from an executive can undermine a carefully managed response.