Social engineering, SE

User manipulation is a simple way for an attacker to gather information about a target organisation and influence it. Human weaknesses exist in all organisations, and anyone can become a victim when an attack is crafted skilfully and convincingly enough. “Weaknesses” exploited in such social engineering attacks include, for example, cooperativeness, helpfulness, and a tendency to trust others. In addition, people may seek excitement or be fearful. There are also other factors that influence the success of an attack, such as the organisation’s overall operating framework and information security policy, including any shortcomings.

User manipulation (social engineering, SE) is influencing a target person in such a way that a goal is achieved, for example gathering information or gaining access to a system, an asset, or a physical space. The aim is therefore to direct the target’s actions in the way the attacker wants. In this section, the abbreviation SE (social engineering) is used.

There is no precise definition for SE; rather, the concept of SE encompasses a variety of different techniques and attacks that share common features. An SE attack may use only one method or consist of several. An attack may include multiple stages using different techniques. It may also be long-lasting, with its different phases carried out far apart in time. This longevity makes attacks harder to detect, and when it is finally understood what has happened, investigation can be difficult.

Stages of an attack and methods

SE attacks are often divided into four stages, which may overlap. If necessary, it is also possible to return to a previous stage.

  1. Information is gathered, enabling progress to the next stage. Information gathering often continues there.
  2. A relationship is created with the victim and trust is built.
  3. Trust is exploited, meaning the victim is persuaded to do something they should not do.
  4. The obtained information or access is exploited. This may only be an intermediate stage, from which the attack continues deeper via earlier stages or sideways to another victim.

There are many channels for information gathering. Publicly available materials are a good starting point: for example, company annual reports, newspaper articles, websites, and social media. In addition, attackers may rummage through bins, steal, eavesdrop, look over shoulders, use phishing messages, and so on.

There are likewise many ways to build trust, and it may take a long time. Interaction can of course begin in ways that appear normal, but at some point stories and lies are used to mislead the victim or cause a misinterpretation of the situation: help is offered or requested, a role is assumed, a false identity or authority badge is presented, the impression of being part of the inner circle is created, or reference is made to familiar people or one’s own authority. If there appears to be sufficient trust, the same methods are used to go further, persuading the victim to comply with an unusual request, even if it is against rules or instructions.

In the same attack, multiple methods may be used for the same objectives with different emphases.

Answer the questions.

An SE attack is often simple for the attacker. This means that
In an SE attack, information gathering often plays an important role because

Different SE attacks

Here, some named attacks are described, complementing and partly repeating what has been said above.

Pretexting

Pretexting involves the use of pretexts, that is, excuses and fabricated stories, as an attack or part of one. Its aim is often to gather information, but it can also be used to manipulate the target’s behaviour. The attacker seeks to build trust between themselves and the target and usually has a credible story, reinforced, for example, by urgency and by invoking fear of consequences.

For example, the attacker knows the phone number of person A but needs the number of B in the same organisation. They call A, pretend to have dialled the wrong number, and ask for B’s number. If necessary, they use a suitable story if A hesitates to provide the number.

The attacker often appeals to authority, as a result of which the victim can be persuaded to do something; for example, by pretending to be IT help desk staff, the attacker may get the victim to reveal their username and change their password to one dictated by the attacker.

Baiting

The attacker uses various incentives to obtain information from the target. For example, the attacker may promise a reward in exchange for login credentials. The attacker may also exploit the target’s curiosity, for example by leaving a malware-infected USB drive accessible to the target. The attacker may name a file or other medium containing malware in an appealing way, for example “Confidential”.

Tailgating

The attacker’s objective is to gain access to a restricted or prohibited area. They may pretend to be a courier or another temporary employee. For example, they may wait by a door carrying a stack of parcels and ask an employee leaving the building to hold the door open.

Waterholing

The attacker first identifies a website likely to interest the target. They then plant, for example, malware on the site or exploit some other vulnerability on the site. The attacker waits for the target to visit the site and become infected. The attack is difficult to detect and difficult to defend against, as the attacker may have no direct contact with the target. The attack also exploits the target’s normal routines.

For example, in 2013 a Java vulnerability was exploited to infiltrate the corporate networks of Apple and Facebook. The attackers injected malware into a popular iOS developer forum (iPhoneDevSDK) where employees of these companies participated in discussions. The malware exploited a vulnerability in the Java web plugin, and through this the devices used to visit the forum were infected. When the same devices were later connected to the corporate network, the attackers gained access there as well. In this case, Apple and Facebook did not suffer major damage, but from Twitter, usernames, email addresses, and encrypted passwords were stolen. (The attack gets its name from a watering hole, which is a good place for predators to stalk thirsty prey.)

Phishing

The target is sent, for example, an email intended to get them to reveal personal information or perform some other insecure action, such as downloading malware. Messages are often disguised as being sent by a trusted party, such as a bank, Google, or a social media service. Attacks may aim directly at financial gain, and often the attacker seeks usernames and passwords, for example for banking and financial services, social media accounts, and online shops. Phishing may be only part of a broader, more complex attack, and it may be targeted at a specific person or created more generally. Messages may include various elements to convince the target, for example presenting the matter as urgent or suggesting that something unpleasant will happen if the target does not respond.

The realism of phishing messages continues to improve. Even experts have difficulty distinguishing phishing messages from, for example, genuine bank emails or marketing communications from other organisations. Everyone should be cautious and aware of the possibility of phishing before clicking on links in emails or text messages. If there is any doubt, links should not be clicked. Try Google’s PhishingQuiz game to see how well you can distinguish phishing messages from genuine ones.

CEO fraud (Business Email Compromise, BEC)

The attacker takes control of the email account of an organisation’s executive or a partner. The attacker then sends a message to an employee in the name of the executive or partner and attempts to induce a transfer of funds to the attacker’s account.

CEO fraud is the most commonly reported SE attack in Europe. Between 2013 and 2017, the global costs of known BEC attacks amounted to 5 billion dollars, and the amount has certainly not decreased.

CEO fraud is also a threat in Finland. Here are a couple of translated news headlines (with links to the Finnish sources):

  • “At least 40 Finnish companies were deceived with fraudulent invoices” (TS 18 August 2016)
  • “Ministry for Foreign Affairs fell for a €400,000 email scam – HS: criminals managed to siphon off nearly half of the funds beyond police reach” (TIVI 14 February 2019)
  • “First nobody called the Joensuu-based company, then a bank manager called – in the [remote] office sat a fraudster emptying the company account” (Taloussanomat 16 November 2018)

Artificial intelligence and social engineering

New AI-based tools enable highly effective SE attacks. AI can generate text, code, images, and audio, all of which can be exploited in attacks. Advanced language models help attackers write convincing scam messages. They can also assist, for example, romance scammers in developing fabricated stories.

AI tools capable of cloning voices significantly increase the credibility of scams. For example, by using a voice sample of someone close to the victim, a real-time audio message can be generated that the victim may not suspect, as they recognise the familiar voice. In the message, the person may claim to have had an accident and urgently need money. Social media, with its videos, provides attackers with abundant sources of voice data for attacks, and voice-cloning tools are available free of charge. In the U.S., social media is the major channel for impostors to reach their victims: 2.1 billion USD of losses out of the total 5.5 billion reported in 2025 (FTC).

Select one or more options.

The PhishingQuiz game introduced several different phishing techniques. Select all the techniques that appeared in the game.

Why do SE attacks succeed?

It benefits the attacker if:

  • information about the target is available;
  • it is possible to gain natural access to interaction situations with the target;
  • it is possible to do “favours” for the target or be helpful;
  • authority can be invoked;
  • there is a sense of urgency in the situation;
  • the target feels uncertain in the situation.

It should be remembered that the attacker may have built trust and a relationship with the target over a longer period of time. In such cases, requests are more easily accepted than if the attacker were not “familiar”. When manipulating the target, the attacker may use a variety of techniques:

  • Liking: requests are more easily accepted when the person is liked.
  • Commitment: once something has been promised, people want to keep that promise.
  • Scarcity: if something appears to be running out, requests are more easily accepted.
  • Reciprocity: requests may be accepted as a return favour.
  • Social proof: if something appears socially accepted, requests are more easily accepted.
  • Authority: requests from a person in a position of authority are more readily accepted.

Few of us want to be unpleasant people and, for example, refuse help to a familiar person who convincingly asks for it. Social engineers exploit this skilfully. Clear procedures and practices within an organisation protect employees, as they can always refer to rules when faced with an unusual request—rules that apply even to the familiar and friendly person making the request.

Phishing

Over the past twenty years, people’s attitudes towards the internet have changed significantly in terms of what information they are willing to share. In the early 2000s, the general advice was not to reveal even one’s first name online. However, with the rise of social media, attitudes have changed, and nowadays people share all sorts of information about themselves without an attacker needing to ask.

Pet names, the primary school one attended, first relationships, and similar pieces of information may seem harmless to share on social media. It is easy to forget that such questions are used in many services (e.g. PayPal) as password recovery questions, despite the fact that NIST has defined recovery questions as an insecure authentication method. Fortunately, these are no longer commonly seen in newer services, but many of us have accounts dating back more than a decade. Even if recovery answers cannot be found on your social media accounts, it is worth remembering that the more information is available about someone, the easier it is for an attacker to create a convincing SE attack. If you still encounter recovery questions in any service you use, it is advisable to ensure that the service also requires, for example, a code sent by text message for password recovery. It is also advisable to make the answers to such questions as strong as passwords.

The AI voice-cloning attack discussed above is by no means merely a theoretical threat; it has already been reported. Faces and voices have become valuable information for attackers in a way that few of us anticipated just a few years ago. If the article raises concerns, it is worth discussing the matter with family members. Awareness of the possibility of such attacks already goes a long way in protecting against them. In the case described in the article, the situation was resolved before any financial damage occurred when the mother called her daughter.

Defence against attacks

Defending against SE attacks can be aided by detecting the attack. Warning signs may include: an unusual request, appeal to authority, a sense of urgency, threats of negative consequences or highlighting them, discomfort when asked questions, mentioning familiar names in conversation (namedropping), politeness, flattery, flirting, or refusal to provide a contact number for later verification.

The best tool for defence is awareness that attacks are possible. In particular, it is important to increase understanding of how attackers operate. Before complying with an unusual request, it is advisable to verify whether the request really came from a friend or family member. Against voice-cloning attacks, it is also possible to agree on, for example, code words among family members. It is also important to pause and think before clicking, even if the situation feels urgent or pressurised. In organisations, staff training is helpful, especially if situations are exercised in practice and examples of correct behaviour are provided. Warnings without concrete guidance rarely work.

Since not all SE attacks can be detected, defence in depth—the simultaneous use of multiple different security mechanisms and processes—is beneficial. These include, for example, information security policy, staff training, physical security and access control, security audits, network security, and various technical security mechanisms. An organisation’s information security policy, processes, and guidelines can be designed to take the possibility of SE attacks into account. In addition, likely targets can be identified, risks related to them assessed, and the targets protected. Through audits and, for example, simulated attacks, it is possible to check how well practices function.

AI-based systems can also analyse communication networks and behavioural patterns, identifying suspicious messages and activities. For example, machine learning–based email filters can detect messages resembling known phishing attempts and block them before they reach the user. In addition, AI can help users learn to recognise SE attacks by simulating different attack scenarios and providing immediate feedback.
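The warning signs listed under “Defence against attacks” (urgency, an appeal to authority, threats of consequences, unusual requests such as asking for credentials or a payment) and the sender and link checks a mail filter performs can be written down as simple rules. The following script is an added example and not part of the course material: it is a rule-based screen rather than a trained machine-learning model, the organisation domain example.com, the three sample messages and the indicator names are all constructed for the example.

```python
"""Rule-based screening of e-mail messages for social-engineering warning signs.

Added example, not part of the course text. The indicators follow the warning
signs described in the module; the organisation domain and all messages below
are constructed samples.
"""
import re
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed domain of the defending organisation

# Phrases corresponding to the warning signs described in the module.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|within (the next )?\d+ hours?|today|asap)\b", re.I)
THREAT = re.compile(r"\b(suspend(ed)?|lock(ed)?|terminat(ed|ion)|legal action|penalt(y|ies)|lose access)\b", re.I)
AUTHORITY = re.compile(r"\b(ceo|cfo|managing director|it (help ?desk|support)|security team|bank)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|username|login details|verify your (account|identity))\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|bank (account|details)|invoice|payment)\b", re.I)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an e-mail address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _link_domain(url: str) -> str:
    """Hostname a URL really points at ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def se_indicators(msg: dict) -> list:
    """Return the names of the social-engineering indicators present in one message.

    msg keys: from_name, from_addr, reply_to (optional), subject, body,
    links (list of (visible_text, href) pairs).
    """
    found = []
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    sender_domain = _domain(msg.get("from_addr", ""))

    if URGENCY.search(text):
        found.append("urgency")
    if THREAT.search(text):
        found.append("threat_of_consequences")
    # A claimed role (CEO, IT help desk, bank) is suspicious when it arrives from outside the organisation.
    if AUTHORITY.search(msg.get("from_name", "") + " " + text) and sender_domain != ORG_DOMAIN:
        found.append("external_authority_claim")
    if CREDENTIALS.search(text):
        found.append("credential_request")
    if PAYMENT.search(text):
        found.append("payment_request")
    reply_to = msg.get("reply_to")
    if reply_to and _domain(reply_to) != sender_domain:
        found.append("reply_to_mismatch")
    # Visible link text naming one site while the href leads somewhere else.
    for visible, href in msg.get("links", []):
        shown = _link_domain(visible if "://" in visible else "http://" + visible)
        if shown and shown != _link_domain(href):
            found.append("link_target_mismatch")
            break
    return found


def should_quarantine(msg: dict, threshold: int = 2) -> bool:
    """Flag a message when at least `threshold` indicators co-occur.

    One indicator alone (a genuinely urgent internal deadline, say) is normal
    traffic; social-engineering messages typically stack several of them.
    """
    return len(se_indicators(msg)) >= threshold


# Constructed sample messages: a CEO-fraud attempt, a credential phish, a benign notice.
SAMPLE_MESSAGES = {
    "bec": {
        "from_name": "Anna Virtanen, CEO",
        "from_addr": "anna.virtanen@example-ceo-mail.com",
        "reply_to": "anna.virtanen@example-ceo-mail.com",
        "subject": "Urgent wire transfer",
        "body": "I am in a meeting and cannot talk. Please make a wire transfer of 48,000 EUR "
                "to the supplier's new bank account today. Keep this confidential.",
        "links": [],
    },
    "phish": {
        "from_name": "IT Helpdesk",
        "from_addr": "helpdesk@example-com-security.net",
        "reply_to": None,
        "subject": "Action required: your mailbox will be suspended",
        "body": "Verify your account within 24 hours or your mailbox will be locked. Sign in here:",
        "links": [("https://mail.example.com/login", "http://example-com-security.net/login")],
    },
    "benign": {
        "from_name": "Facilities",
        "from_addr": "facilities@example.com",
        "reply_to": None,
        "subject": "Fire drill on Thursday",
        "body": "A fire drill is scheduled for Thursday at 10:00. Please leave the building "
                "via the nearest exit when the alarm sounds.",
        "links": [("https://intranet.example.com/safety", "https://intranet.example.com/safety")],
    },
}

if __name__ == "__main__":
    for name, msg in SAMPLE_MESSAGES.items():
        print(f"{name:7s} quarantine={should_quarantine(msg)!s:5s} indicators={se_indicators(msg)}")
```

The threshold matters: a single match (an internal message that really is urgent, or a legitimate invoice) is everyday traffic, so the screen only flags messages where several signs appear together, which is exactly the pattern the module describes for SE attacks. Word lists like these are easy for an attacker to avoid, which is why the module presents filters as one layer of defence in depth and not a replacement for user awareness.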

Select one or more options.

Select the correct statements.

Sources for the Human factors module:

  • S. Chaudhary, T. Schafeitel-Tähtinen, M. Helenius, E. Berki, Usability, Security and Trust in Password Managers: A Quest for User-Centric Properties and Features, Computer Science Review 33, 2019, pp. 69-90
  • K. Krombholz et al., Advanced social engineering attacks, Journal of Information Security and Applications 22, 2015, pp. 113-122
  • K. D. Mitnick, W. L. Simon, The Art of Deception, 2002
  • M. A. Sasse, I. Flechais, Usable Security: Why do we need it? How do we get it?, in Security and Usability: Designing Secure Systems that People Can Use, 2005, pp. 13-30
  • P. Tetri, J. Vuorinen, Dissecting social engineering, Behaviour & Information Technology 32(10), 2013, pp. 1014-1023
  • A. Whitten, J. D. Tygar, Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0, USENIX Security Symposium, 1999, Vol. 348
  • Ars Technica, Thousands scammed by AI voices mimicking loved ones in emergencies, 2023, https://arstechnica.com/tech-policy/2023/03/rising-scams-use-ai-to-mimic-voices-of-loved-ones-in-financial-distress/