Social Engineering

Security systems are not attacked only through software vulnerabilities or weak network configurations. One of the biggest attack surfaces in any organization is the people who use the systems every day. Employees, contractors, suppliers, and customers all become part of what is called the human vector.

A threat actor understands that even if firewalls, encryption, and authentication systems are strong, humans can still be manipulated into giving away information or performing dangerous actions. This manipulation is known as social engineering—often described as “hacking the human.”

Instead of attacking the machine directly, the attacker attacks trust, emotions, habits, fear, or curiosity.

                +-------------------+
                | Organization      |
                +-------------------+
                          |
        ---------------------------------------
        |                 |                   |
   Technology         Processes          People
        |                 |                   |
   Firewalls         Policies          Human Vector
   Servers           Procedures        Employees
   Software                            Contractors
                                       Customers
                                             |
                                             v
                                   Social Engineering

The human vector is especially dangerous because people already possess what attackers need:

  • Credentials
  • Internal knowledge
  • Access permissions
  • Trust relationships
  • Physical access
  • Communication channels

This makes humans a bridge into protected systems.


Human Vectors

Before launching many attacks, adversaries first gather information about the target organization. This reconnaissance phase is not limited to scanning networks or analyzing software. Valuable information also exists in conversations, documents, emails, and employee behavior.

An attacker may collect:

  • Employee names
  • Job titles
  • Phone numbers
  • Organizational structure
  • Vendor relationships
  • Internal procedures
  • Work schedules

Even small details can later be combined into a convincing attack.

          Reconnaissance
                 |
    --------------------------------
    |                              |
 Technical Information      Human Information
    |                              |
 IP ranges                    Employee names
 Open ports                   Help desk numbers
 Services                      Job roles
 OS versions                   Vendor relations
                                     |
                                     v
                           Better Social Engineering

The goal of social engineering is usually one of two things:

  1. Gather intelligence
     • Learning how the organization operates
     • Discovering weaknesses
     • Identifying valuable targets
  2. Trigger an action
     • Stealing credentials
     • Installing malware
     • Bypassing physical security
     • Gaining remote access

Example Social Engineering Scenarios

Social engineering attacks often appear simple, but they work because they exploit normal human behavior.


Fake Login Program

In one scenario, an attacker creates a fake executable program and tells employees it must be used to fix login problems.

The employee trusts the message, runs the file, and enters their credentials.

 Attacker
    |
    | Sends fake "login fix" tool
    v
 Employee executes file
    |
    | Enters username/password
    v
 Credentials stolen

The technical part of the attack may be very small. The real weapon is deception.


Help Desk Manipulation

Another common target is the help desk.

Attackers know support staff are trained to help users quickly, which can sometimes reduce verification strictness.

The attacker pretends to be a remote employee needing urgent assistance.

Through multiple conversations, the attacker gradually gathers:

  • VPN information
  • Login procedures
  • Remote access numbers
  • Password reset assistance

 Attacker impersonates employee
                |
                v
          Help Desk
                |
        Shares information
                |
                v
     Remote access obtained

This demonstrates how attackers build trust step-by-step instead of demanding everything immediately.


Physical Social Engineering

Not all social engineering happens online.

An attacker may trigger confusion physically—for example, activating a fire alarm—and then enter the building unnoticed during evacuation chaos.

Once inside, they may connect monitoring devices or rogue hardware to the network.

 Fire Alarm Triggered
          |
          v
 Building confusion
          |
          v
 Attacker enters unnoticed
          |
          v
 Rogue device installed

This shows how human reactions during emergencies can become security weaknesses.


Impersonation and Pretexting

One of the most powerful social engineering techniques is impersonation.

The attacker pretends to be someone trusted:

  • IT support
  • A manager
  • A vendor
  • A customer
  • A coworker

The attack works best when identity verification is weak, especially over:

  • Phone calls
  • Emails
  • Messaging apps

        Attacker
            |
 Pretends to be trusted person
            |
            v
        Target User
            |
    Trusts the request
            |
            v
 Gives information/access

Attackers generally use two psychological approaches.


Persuasion and Consensus

The attacker behaves politely and confidently so the request appears normal.

The victim feels refusing would seem rude or suspicious.

Examples:

  • “Can you quickly verify this?”
  • “Everyone else already completed this.”
  • “This is standard procedure.”

The attacker uses:

  • Trust
  • Familiarity
  • Social pressure
  • Desire to help

Coercion and Urgency

Instead of friendliness, some attackers create fear or pressure.

They may claim:

  • The account will be disabled
  • Payroll will fail
  • A security incident is occurring
  • Immediate action is required

     Urgency/Fear
            |
            v
 Victim stops thinking critically
            |
            v
 Immediate compliance

Urgency is dangerous because it reduces careful verification.


Pretexting

A pretext is the fake story used to support impersonation.

The more detailed and believable the story is, the more successful the attack becomes.

For example:

"Hello, this is Michael from IT.
We are updating VPN certificates today.
Your manager approved the maintenance request."

The attacker combines:

  • Real employee names
  • Department information
  • Internal terminology
  • Company procedures

This makes the attack appear legitimate.

 Information Gathering
          |
          v
  Build believable story
          |
          v
     Gain trust
          |
          v
   Successful compromise

This is why organizations must protect even “minor” information such as:

  • Employee directories
  • Purchase orders
  • Phone lists
  • Calendars
  • Invoices

Small information pieces create stronger attacks.


Phishing

Phishing combines:

  • Social engineering
  • Spoofing
  • Psychological manipulation

The attacker sends messages pretending to come from trusted organizations.

Usually the goal is to:

  • Steal credentials
  • Deliver malware
  • Redirect victims
  • Gain financial access

 Fake Trusted Message
           |
           v
      Victim clicks
           |
   -----------------
   |               |
Fake Login      Malware
Page            Installed

Phishing often relies heavily on emotions:

  • Fear
  • Curiosity
  • Excitement
  • Urgency
  • Financial concern

Examples:

  • “Your account is suspended.”
  • “Invoice attached.”
  • “Urgent security alert.”
  • “You won a reward.”

Spoofed Websites

Many phishing attacks redirect users to fake websites designed to look identical to real ones.

The victim believes they are logging into:

  • A bank
  • Office 365
  • Amazon
  • PayPal
  • Corporate portal

But the credentials are actually sent to the attacker.

 User thinks:
     mybank.com
          |
          v
 Fake website clone
          |
          v
 Credentials captured

Modern phishing kits can perfectly copy:

  • Logos
  • Fonts
  • Layouts
  • Colors
  • Login forms

This leads directly into brand impersonation, which is covered later on this page.
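The spoofed-website trick above works because the victim reads the brand name in the link and stops there. The defender's counter-check is to look only at the host the browser will actually connect to. The following added example (not code from the original page) does that for a handful of constructed links; the allowlist `EXPECTED_LOGIN_DOMAINS`, the `portal.example` domain and the sample URLs are assumptions for the demo.

```python
from urllib.parse import urlsplit
from typing import Iterable

# Assumed set of domains users are expected to sign in to (constructed for this
# example; the page's own scenario uses mybank.com).
EXPECTED_LOGIN_DOMAINS = {"mybank.com", "portal.example"}


def registrable_host(url: str) -> str:
    """Return the host a browser will actually connect to for `url`.

    urlsplit().hostname already discards any userinfo ("mybank.com@...") and the
    port, which is exactly the part of a spoofed link a victim's eye latches onto.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        raise ValueError(f"not a web URL: {url!r}")
    host = parts.hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")


def host_matches_domain(host: str, domain: str) -> bool:
    """True only if host is `domain` itself or a genuine subdomain of it.

    'mybank.com.secure-login.example' ends with '.example', not '.mybank.com',
    so it is rejected even though it starts with the brand name.
    """
    return host == domain or host.endswith("." + domain)


def classify_login_url(url: str, expected: Iterable[str] = EXPECTED_LOGIN_DOMAINS) -> str:
    """Classify a link the way a defender's URL filter might.

    'trusted'       : the real host belongs to an expected domain
    'spoof-suspect' : an expected domain name appears in the URL text, but the
                      connection goes somewhere else (subdomain, path or userinfo trick)
    'unknown'       : no expected domain involved at all
    """
    expected = set(expected)
    host = registrable_host(url)
    if any(host_matches_domain(host, d) for d in expected):
        return "trusted"
    lowered = url.lower()
    if any(d in lowered for d in expected):
        return "spoof-suspect"
    return "unknown"


# Constructed sample links for the demo (not real phishing URLs).
SAMPLE_LINKS = [
    "https://mybank.com/login",
    "https://online.mybank.com/login",
    "https://mybank.com.secure-login.example/login",  # brand as a subdomain prefix
    "https://mybank.com@198.51.100.7/login",          # brand in userinfo, host is an IP
    "https://secure-login.example/mybank.com/login",  # brand in the path
    "https://example.org/",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_login_url(link):14} host={registrable_host(link):34} {link}")
```

The point of the `spoof-suspect` class is that a brand name appearing anywhere in a URL other than the real host is itself a signal: legitimate sites rarely put their own domain in a path or userinfo field.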


Vishing and SMiShing

Phishing has evolved beyond email.


Vishing

Vishing uses voice communication.

Attackers may call victims pretending to represent:

  • Banks
  • IT departments
  • Government agencies

 Phone Call
     |
Fake authority
     |
Victim reveals data

Voice attacks are powerful because people naturally trust conversation more than email.

Deepfake voice technology is making this even more dangerous.


SMiShing

SMiShing uses SMS text messages.

Victims may receive:

  • Fake delivery notices
  • Banking alerts
  • Verification requests
  • Account warnings

 Fake SMS
    |
 Malicious Link
    |
 Credential theft

Mobile users often react quickly without carefully inspecting links.


Pharming

Unlike phishing, pharming does not rely mainly on tricking the user psychologically.

Instead, it manipulates DNS, the system that translates domain names into IP addresses.

 User enters:
    mybank.com
         |
         v
 Corrupted DNS Resolution
         |
         v
 Sent to malicious server

Example:

Expected:
mybank.com -> 2.2.2.2

Attacker changes:
mybank.com -> 6.6.6.6

The victim may believe everything is normal because they typed the correct address.

This makes pharming particularly dangerous.
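One place the "mybank.com -> 6.6.6.6" override from the example can live is the local hosts file, which takes precedence over the resolver. The added example below (not code from the original page) parses constructed hosts-file content and flags any entry that pins a monitored domain to an address outside an allowlist; the allowlist `EXPECTED_RESOLUTION`, the `portal.example` domain and the sample file content are assumptions for the demo, with 2.2.2.2 and 6.6.6.6 taken from the page's own illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Assumed allowlist of monitored domains and the addresses they should resolve to
# (constructed for this example; 2.2.2.2 is the expected address from the page's
# own illustration, 203.0.113.x is documentation address space).
EXPECTED_RESOLUTION: Dict[str, Set[str]] = {
    "mybank.com": {"2.2.2.2"},
    "portal.example": {"203.0.113.10", "203.0.113.11"},
}

# Constructed hosts-file content: loopback entries, one correct pin for
# portal.example, and one pharming override for mybank.com.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost ip6-localhost
203.0.113.10    portal.example
6.6.6.6         mybank.com www.mybank.com   # planted override
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Parse hosts-file syntax into (ip, hostname) pairs.

    Comments (#) and blank lines are skipped, and a line whose first field is
    not a valid IPv4/IPv6 address is ignored rather than crashing the check.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            pairs.append((ip, name.lower().rstrip(".")))
    return pairs


def monitored_domain(hostname: str, expected: Dict[str, Set[str]]) -> Optional[str]:
    """The monitored domain that `hostname` equals or is a subdomain of, if any."""
    for domain in expected:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def find_overrides(text: str, expected: Dict[str, Set[str]] = EXPECTED_RESOLUTION):
    """(hostname, ip, allowed_ips) for every entry that pins a monitored domain
    to an address outside the allowlist: the pharming signature the page describes."""
    findings = []
    for ip, name in parse_hosts(text):
        domain = monitored_domain(name, expected)
        if domain is not None and ip not in expected[domain]:
            findings.append((name, ip, sorted(expected[domain])))
    return findings


if __name__ == "__main__":
    for name, ip, allowed in find_overrides(SAMPLE_HOSTS):
        print(f"PHARMING? {name} -> {ip} (expected one of {allowed})")
```

The same expected-versus-observed comparison applies to a live resolver answer (for example the addresses returned by `socket.getaddrinfo`), which is how an endpoint agent would extend this check beyond the hosts file.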


Typosquatting

Attackers also exploit human typing mistakes.

They register domains that closely resemble legitimate ones.

Examples:

google.com
goggle.com
gooogle.com
goog1e.com

These are called:

  • Typosquatting domains
  • Lookalike domains
  • Doppelganger domains

 User typo
    |
 Visits fake site
    |
 Credentials stolen
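A defender can detect lookalike domains mechanically before users ever type them: fold confusable characters (the `1` in `goog1e`), then measure edit distance against the protected name. The added example below (not code from the original page) does this for the page's four `google.com` variants and goes slightly beyond them by also flagging a digit-for-letter substitution and a swapped top-level domain; the `CONFUSABLES` table, the `split_domain` simplification and the candidate list are assumptions for the demo.

```python
import unicodedata
from typing import List, Optional, Tuple

# Constructed table of confusable substitutions seen in lookalike domains.
# Real tooling uses the Unicode confusables data; this is a small illustrative subset.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "vv": "w", "rn": "m", "cl": "d",
}


def normalize_label(label: str) -> str:
    """Canonical form of a domain label: strip accents (é -> e), lowercase,
    then fold digit and letter-pair confusables. Cross-script homoglyphs
    (Cyrillic 'о' for Latin 'o') are NOT handled by this small table."""
    decomposed = unicodedata.normalize("NFKD", label)
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """('google', 'com') for 'google.com'. Simplification: assumes a single-label
    public suffix; multi-label suffixes such as .co.uk need a public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify_domain(candidate: str, protected: str, max_distance: int = 1) -> Optional[str]:
    """Why `candidate` resembles `protected`, or None if it does not.

    'suffix-swap' : same name, different top-level domain
    'confusable'  : identical after folding confusable characters (goog1e)
    'typo'        : within `max_distance` edits after folding (goggle, gooogle)
    """
    if candidate.lower().rstrip(".") == protected.lower().rstrip("."):
        return None  # the genuine domain itself
    cand_name, cand_tld = split_domain(candidate)
    prot_name, prot_tld = split_domain(protected)
    if cand_name == prot_name:
        return "suffix-swap" if cand_tld != prot_tld else None
    cand_norm, prot_norm = normalize_label(cand_name), normalize_label(prot_name)
    if cand_norm == prot_norm:
        return "confusable"
    if edit_distance(cand_norm, prot_norm) <= max_distance:
        return "typo"
    return None


def find_lookalikes(domains, protected: str, max_distance: int = 1) -> List[Tuple[str, str]]:
    """All (domain, reason) pairs in `domains` that look like `protected`."""
    hits = []
    for d in domains:
        reason = classify_domain(d, protected, max_distance)
        if reason:
            hits.append((d, reason))
    return hits


# Constructed candidate list: the page's examples plus two more lookalike styles.
CANDIDATES = ["google.com", "goggle.com", "gooogle.com", "goog1e.com",
              "g00gle.com", "google.net", "example.com"]

if __name__ == "__main__":
    for domain, reason in find_lookalikes(CANDIDATES, "google.com"):
        print(f"{domain:15} {reason}")
```

Run over newly registered domain feeds or proxy logs, a check like this surfaces lookalikes of an organization's own brand; the distance threshold is deliberately small because a threshold of two or more starts matching unrelated short names.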

Some attackers also abuse trusted cloud domains:

example.onmicrosoft.com

Users may trust the domain because it contains a known provider name.


Business Email Compromise (BEC)

Mass phishing targets many people at once.

Business Email Compromise is different.

BEC attacks are:

  • Highly targeted
  • Carefully researched
  • Personalized

Usually targeting:

  • Executives
  • Finance departments
  • Senior managers

 Reconnaissance
       |
Understand organization
       |
Craft believable request
       |
Target executive/finance
       |
Fraudulent transfer or access

The attacker may impersonate:

  • CEO
  • Vendor
  • Lawyer
  • Business partner

Unlike normal phishing, BEC attacks often avoid:

  • Obvious malware
  • Suspicious links
  • Poor grammar

This makes them harder to detect.

Related terms include:

  • Spear phishing
  • Whaling
  • CEO fraud
  • Angler phishing
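Because BEC messages carry no malware, links or spelling mistakes, detection has to come from the message's relationships rather than its payload: who the display name claims to be, which domain actually sent it, where replies would go, and whether the request applies pressure. The added example below (not code from the original page) scores two constructed messages on exactly those four signals; `COMPANY_DOMAIN`, the `EXECUTIVES` table, the `URGENCY_PHRASES` list and both sample messages are assumptions for the demo.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Assumed organization data (constructed for this example).
COMPANY_DOMAIN = "corp.example"
# Normalized display name -> the executive's genuine mailbox.
EXECUTIVES: Dict[str, str] = {"jane doe": "jane.doe@corp.example"}
# Pressure phrases in the spirit of the coercion/urgency cues the page lists.
URGENCY_PHRASES = ("urgent", "immediately", "right away", "asap", "today")

# Constructed BEC-style message: an executive's display name on an external
# lookalike mailbox, a Reply-To that diverts the conversation, and an urgent
# payment request. No link, no attachment, no spelling mistakes.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@corp-example.mail.example>
Reply-To: jane.doe.ceo@freemail.example
To: accounts.payable@corp.example
Subject: Quick favour

Are you at your desk? I need an urgent wire processed before the board call.
"""

# Constructed benign message from the real executive for comparison.
SAMPLE_OK = """\
From: Jane Doe <jane.doe@corp.example>
To: accounts.payable@corp.example
Subject: Q3 vendor review

Please send me the vendor list for the quarterly review when convenient.
"""


def address_domain(addr: str) -> str:
    """Domain part of an address, lowercased; empty string if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def normalize_name(name: str) -> str:
    """Collapse case and whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def bec_indicators(raw_message: str,
                   company_domain: str = COMPANY_DOMAIN,
                   executives: Dict[str, str] = EXECUTIVES) -> List[str]:
    """Return human-readable indicators that `raw_message` may be a BEC attempt.

    The checks mirror the page's description: impersonation of an executive,
    an external sender, a diverted Reply-To and urgency pressure.
    """
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = address_domain(from_addr)
    findings = []

    real = executives.get(normalize_name(display_name))
    if real and from_addr.lower() != real:
        findings.append(f"display-name impersonation: '{display_name}' but sender is {from_addr}")
    if from_domain and from_domain != company_domain:
        findings.append(f"external sender domain: {from_domain}")
    if reply_addr and address_domain(reply_addr) != from_domain:
        findings.append(f"reply-to diverts to {address_domain(reply_addr)}")
    body = "" if msg.is_multipart() else str(msg.get_payload(decode=False))
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(f"urgency cues: {', '.join(hits)}")
    return findings


if __name__ == "__main__":
    for label, sample in (("BEC sample", SAMPLE_BEC), ("benign sample", SAMPLE_OK)):
        print(label, "->", bec_indicators(sample) or ["no indicators"])
```

None of these signals is conclusive on its own (executives do travel and use personal mail), which is why mail gateways combine them into a score and why the page's lesson still stands: a payment request that trips several of them should be verified out of band, never by replying.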

Brand Impersonation and Disinformation

Modern attackers invest significant effort into realism.

Brand impersonation means duplicating:

  • Company logos
  • Fonts
  • Colors
  • Website styles
  • Writing tone

The goal is to make the fake resource visually identical to the real one.

 Legitimate Brand Appearance
             |
             v
      User Trust
             |
             v
    Successful deception

Attackers may also spread false information online.


Disinformation vs Misinformation

Disinformation

False information spread intentionally to deceive.

Misinformation

False information shared by people who believe it is true.

 Disinformation
      |
 Creates fake story
      |
 Others repeat it
      |
 Misinformation spreads

This can increase credibility for phishing campaigns or fake websites.


Watering Hole Attack

A watering hole attack targets websites frequently visited by employees of a specific organization.

Instead of attacking the company directly, the attacker compromises a third-party site trusted by the employees.

Example:

  • Employees regularly order food from a local website
  • Attacker compromises that site
  • Employee visits site
  • Malware infects employee computer

 Employees visit trusted site
               |
               v
      Site compromised
               |
               v
      Malware delivered
               |
               v
 Internal company access

This attack is powerful because users are visiting a site they already trust, making suspicion very low.


Social Engineering Flow

Most social engineering attacks follow a similar lifecycle.

   Reconnaissance
          |
          v
 Gather Information
          |
          v
 Build Trust/Pretext
          |
          v
 Exploit Human Emotion
          |
          v
 Gain Access or Data
          |
          v
 Escalate Attack

The key lesson is that cybersecurity is not only technical.

Even the strongest infrastructure can fail if attackers successfully manipulate people.