Chapter 25 Β· Glossary

Other Social Attacks β€” Glossary

16 key terms for the full social engineering spectrum.

Spam
Unsolicited bulk electronic messages, typically email, used for advertising, phishing, or malware distribution. Spam succeeds not through sophistication but through volume β€” even a fraction of a percent response rate across millions of messages produces thousands of compromises. Email filtering and spam gateways are the primary technical defense.
SPIM (Spam over Instant Messaging)
Unsolicited bulk messages sent via instant messaging platforms β€” Teams, Slack, SMS, social media DMs. Employees often have lower security vigilance on IM platforms than email, and messages from known contacts via compromised accounts are trusted automatically. IM platforms have less mature filtering than email. MFA on all collaboration platforms is essential.
Hoax
A false alert or warning designed to cause recipients to take harmful actions β€” disabling security tools, forwarding sensitive files, or spreading the message further. Unlike disinformation campaigns, hoaxes are frequently spread by victims who believe the message β€” their good intentions become the attack vector. Can cause real organizational harm through panic-driven actions.
Disinformation
False information deliberately created and spread with intent to deceive. The creator knows the information is false. Distinguishable from misinformation by intent β€” disinformation involves an adversary who is deliberately deceiving. Used in influence operations, brand attacks, market manipulation. Examples: fabricated product safety claims, fake financial reports, false executive resignation announcements.
Misinformation
False information spread without malicious intent β€” the person sharing it believes it to be true. Distinct from disinformation in intent, but equally harmful in effect. Hoaxes often spread as misinformation after the initial malicious seeding: someone forwards a fake emergency warning believing they are being helpful. The spreading population may be entirely innocent even when the original creation was malicious.
Malinformation
Factually true information spread with malicious intent to cause harm. Examples: leaking an executive's private communications out of context; publishing accurate but private personal information to damage reputation; releasing legitimate internal documents timed to cause maximum harm. Truth is not a defense for the intent to harm. Distinguished from both disinformation (false content) and misinformation (spread without malicious intent).
Influence Operation
Coordinated use of disinformation, fake accounts, bots, and fabricated content to manipulate public opinion or organizational decisions. Associated primarily with nation-state actors but used by criminal organizations for market manipulation and by competitors for brand damage. Characteristics: coordinated fake-account creation, fabricated evidence, seeding to real media, coordinated amplification. Any organization with brand value or public presence is a potential target.
Elicitation
The skillful extraction of sensitive information through seemingly innocent or normal conversation. Intelligence agencies and competitive intelligence firms use it systematically. Techniques include flattery, feigned ignorance, deliberate false statements (target corrects with accurate info), provocative questions, and bracketing (give a plausible-but-wrong estimate). No deception or false identity required β€” the target volunteers information willingly. Defense: training on information classification in conversational contexts, need-to-know culture.
USB Drop Attack
Leaving USB drives in locations where targets will find and plug them in β€” parking lots, lobbies, break rooms, conference rooms. Labels exploit psychological triggers: "Salary Review," "Confidential," "Executive Compensation." Drives may contain malware, auto-execute scripts, or HID attack devices. Bypasses all network perimeter security. The label is specifically the weapon β€” crafted to maximize the urge to plug in.
HID (Human Interface Device) Attack
Attack using a device β€” USB drive, cable, mouse β€” that masquerades as a keyboard or mouse (HID) and injects keystrokes to execute commands. The OS trusts it immediately as a keyboard; no elevated privileges required. The device types malicious commands at 1,000+ characters per second β€” opening PowerShell, downloading payloads, creating accounts β€” before any human can react. Cannot be detected by AV because no malicious file is scanned; only "keyboard input" is executed.
Rubber Ducky (Hak5)
A USB HID attack device that appears as a flash drive but acts as a pre-programmed keyboard, injecting keystrokes at high speed. The attacker writes a "DuckyScript" payload in advance β€” a sequence of keystrokes that opens a terminal, runs commands, downloads malware, and covers tracks. First-generation device that established the HID attack category. Completely indistinguishable visually from a legitimate USB drive.
O.MG Cable
A USB charging or data cable containing a hidden microcontroller embedded in the connector housing. When plugged in "just to charge," it can act as a HID keyboard or provide remote WiFi-connected access for command execution. Physically indistinguishable from a legitimate Apple or USB-C cable. Can be triggered remotely at any time after connection. Represents the evolution of HID attacks into everyday accessories.
Invoice Fraud / Vendor Fraud
Impersonating a vendor to redirect payments to attacker-controlled accounts, typically via fake "banking detail change" notifications. Often involves monitoring legitimate invoice email threads, then inserting a convincing fake invoice with substituted payment details. Also called accounts payable fraud or a BEC variant. The single most effective defense: callback verification to the vendor's known phone number (from original contract, not the invoice) before processing any changed payment details.
OSINT (Open Source Intelligence)
Intelligence gathered from publicly available sources used to profile targets before attacks. Sources: LinkedIn (roles, colleagues, skills, projects), company websites (org charts, contacts), social media (personal details, travel, relationships), public records (addresses, filings), conference talks (technical projects, partnerships, challenges), press releases, job postings. The foundation of most social engineering reconnaissance. Employees should understand that their public information directly enables targeted attacks.
Brand Impersonation
Creating fake websites, social media accounts, domains (typosquatting), or communications that mimic a legitimate organization's identity. Used for customer fraud (fake customer service accounts), credential harvesting (fake login pages at convincing near-miss domains), and disinformation (fake press releases appearing to come from the organization). Defense: brand monitoring services, DMARC email authentication, proactive trademark enforcement on lookalike domains.
Security Culture
The collective attitudes, behaviors, and norms within an organization that influence security-related decisions and actions. A strong security culture means employees think critically about unusual requests, report suspicious activity without fear, and verify before acting β€” even under social pressure or apparent urgency. Building it requires: leadership commitment, normalized reporting, celebrated verification behavior, and treating reported incidents as learning opportunities rather than failures. The most durable defense against social engineering.