
Social Engineering Attacks and How Organizations Can Prevent and Defend Against Them

Last Modified Date: Oct 08, 2024
Social Engineering Attacks

The vast majority of cyber attacks today begin with social engineering: the act of using exposed personal data to manipulate human targets into providing unauthorized access to an organization’s systems or data. As cybercriminals increasingly target the human element, social engineering has become the number one threat to businesses, leading to account takeovers, data breaches, erosion of brand trust, and average financial losses of $4.88 million per incident.

To help companies improve their security posture against social engineering attacks, this article describes some of the current key tactics of social engineers, from reconnaissance to execution, and offers concrete strategies organizations can employ to prevent and defend against their attacks.

From OSINT Recon to Attack Execution 

Social engineering attacks begin with Open-Source Intelligence (OSINT), a critical reconnaissance step where the attacker gathers as much information as possible about their target from publicly available sources. These sources include LinkedIn, corporate websites, data brokerage sites, social media platforms, and more. Social engineers use OSINT to gather organizational details and employee personal information to find vulnerabilities which can be exploited during the attack.

OSINT data becomes the foundation for crafting a pretext: a highly convincing backstory used to gain the trust of a target. The pretext may involve impersonating a vendor, colleague, or authority figure, or leveraging specific personal details, with the goal of manipulating the target into performing actions like clicking malicious links, sharing login credentials, or transferring funds.

Once the pretext is established, the next step is executing the attack, which is typically done through phishing, smishing (SMS-based phishing), or vishing (voice phishing). Using contact info and other data collected during OSINT, the attacker sends a message to the target via email, text message, social media DM, or makes a phone call that appears to be from a legitimate source. These messages might contain a link to a fake website, a request for sensitive data, or instructions to transfer funds.

If the social engineering attack is successful, the target performs the desired action, leading to unauthorized access, the theft of sensitive data, account takeover, financial fraud, or the installation of ransomware or malware. 

Whaling Attacks: Targeting Large Prey

Social engineers often target high-level individuals within an organization, aiming to compromise executives and senior decision-makers. This form of attack, known as whaling, can have devastating consequences due to the significant authority and access these individuals hold. These attacks leverage OSINT to create convincing, highly targeted spear-phishing messages or vishing calls that often appear to come from another executive or trusted source within the organization.

The goal is typically to steal privileged information, gain access to sensitive systems, or authorize fraudulent financial transactions. Attackers craft their messages to appear urgent and legitimate, preying on the victim’s authority and access to sensitive assets. For instance, an attacker might impersonate a CEO or CFO to convince a senior executive to approve a wire transfer.

While whaling attacks target large prey, social engineers don’t limit their attacks to just the C-suite. As detailed in our PII Removal for Executives is Not Enough whitepaper, attackers also regularly target employees at all levels across a wide range of roles, from contractors to IT staff to finance personnel, and the consequences can be just as severe.

The Rise of Smishing and Vishing

Due to tightening email security measures for bulk senders, mass email phishing has become more difficult for attackers. As a result, they are increasingly relying on alternative social engineering methods like SMS-phishing (smishing).

Threat actors such as Scatter Swine harvest mobile phone numbers from data brokers that link phone numbers to employees at specific organizations (such as ZoomInfo, Clearbit, and Apollo.io). This data is then used for credential harvesting, as occurred in the infamous 0ktapus campaign of 2022 that targeted around 130 organizations. In that case, the threat actor leveraged the data for mass smishing attacks, luring targets to spoofed websites to harvest their credentials. During the 0ktapus campaign, nearly 10,000 credentials were compromised.

Spoofing and Deepfakes: Rising Threats in 2024

In some advanced attacks, attackers may leverage deepfake technology—AI-generated fake audio or video—allowing them to impersonate key individuals within the organization. Once trust is established, the attacker employs persuasion techniques and appeals to the target’s psychological or emotional triggers, pushing them to act without questioning the legitimacy of the request.

In 2024, attackers are increasingly leveraging AI and other technologies to make their social engineering attacks more convincing, utilizing tools for spoofing and deepfakes.

Phone spoofing is a straightforward but powerful social engineering technique that allows attackers to impersonate anyone by altering the caller ID. Using a readily available spoofing tool, a social engineer can make their number appear to be that of a trusted contact. Phone spoofing makes an attacker's pretext that much more believable, because the target receiving the message sees it coming from someone they know.

Social engineers today can also clone the voice of the individual they are impersonating by using AI. AI tools can now replicate a person’s voice by analyzing publicly available recordings (such as podcasts, interviews, or videos) and mimicking the voice’s tone, pitch, cadence, and style. While public or high-profile figures may be more vulnerable because their voices are widely available, AI tools have become so advanced that even non-public figures can be effectively mimicked with only limited samples of their voice.

Voice fakes are now used by threat actors such as Octo Tempest. They have been used to log in to bank accounts and to compromise people and organizations, and they are notoriously difficult to detect.

In 2019, a deepfake voice was used to impersonate the CEO of a German company, tricking a UK-based CEO into transferring €220,000. More recently, in 2024, scammers used deepfakes during a video call to impersonate senior executives, convincing a finance worker to transfer $25 million.

Mitigations To Hinder OSINT Recon, Prevent Social Engineering, and Thwart Attacks In Progress

Considering the current social engineering threat landscape, companies need to be more proactive than ever in their defense strategies. By taking the following key steps companies can significantly improve their security posture against social engineering attacks.

  1. Minimizing Exposed Personal Information to Disrupt Open-Source Intelligence (OSINT)

    Personal data exposure plays a critical role in enabling social engineers to gather detailed information about their targets through open-source intelligence (OSINT). 

    Data broker sites compile and sell personal data, making it easily accessible through a Google search—and equally easy for hackers to exploit. Having this type of information available simplifies the hacker’s job by providing them with everything they need to impersonate key personnel or craft convincing social engineering attacks.

    To mitigate this, it’s important for organizations to offer personal data removal to employees. Proactively removing employee data from data brokers makes it harder for attackers to gather the information necessary for a convincing pretext. When social engineers can’t easily find accurate phone numbers, emails, or addresses, they are less likely to be successful in launching a targeted attack and are more likely to turn their sights on other, more data-rich targets. See our guide here for choosing the right personal data removal software.

    In addition to addressing exposed employee info across data brokerage sites, it is also imperative that organizations help their employees understand the dangers of oversharing personal info on social media, as hackers can easily exploit personal details found there too. Maximizing privacy settings and limiting what is shared on social media and elsewhere online is essential for protecting against potential attackers.

  2. Password Managers Protect Against Credential Harvesting Campaigns

    Companies should provide password managers to their employees as a security measure. By offering password managers, organizations help ensure that employees are using strong, unique passwords for each account, minimizing the risk of successful credential harvesting attacks. 

    Password managers protect against credential harvesting because they bind each saved credential to the site it was saved on: the manager autofills only when the page's domain matches the stored entry, so it will not offer a login on a fraudulent or spoofed lookalike site designed to steal credentials. An employee who relies on autofill rather than typing credentials by hand gets a built-in warning when the "login page" in a phishing link is not the real one.

  3. Multi-Factor Authentication (MFA)

    To further reduce the risk of account breaches, organizations should require Multi-Factor Authentication (MFA) across all accounts, especially for high-risk roles such as executives or individuals with administrative access. MFA adds an additional layer of security beyond just a password, making it significantly harder for attackers to gain access to sensitive systems or data even if they have acquired valid login credentials.

    For those at elevated risk, like executives or public-facing employees, hardware-based MFA tokens (FIDO2 security keys such as YubiKeys) are recommended. These physical keys make it nearly impossible for attackers to intercept the authentication process: they require direct possession of the token, and the credential is cryptographically bound to the legitimate site's origin, so a login performed on a spoofed page does not produce a valid response for the real one. For example, during the 0ktapus campaign, although three Cloudflare employees fell for Scatter Swine's smishing attack and entered their credentials on the attackers' page, the attackers were unable to access their accounts due to the company's requirement for FIDO2-compliant tokens.

    By implementing MFA for all sensitive accounts, especially when combined with strong passwords and secure password managers, organizations can dramatically reduce the risk of unauthorized access.
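    Both of the defenses above (password-manager autofill in item 2 and FIDO2 tokens in item 3) rely on the same idea, origin binding, which this added example illustrates; it is not code from the article or from any password manager or FIDO2 library. The vault contents, the `example.com` origins, the function names and the `TOKEN_SECRET` are constructed for the demonstration, and an HMAC stands in for the hardware token's public-key signature so the block runs with the standard library only.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed password-manager vault: the exact origin the credential was saved on is the key.
VAULT = {"https://login.example.com": {"user": "alice", "pw": "correct-horse-battery-staple"}}


def normalize_origin(url: str) -> str:
    """scheme://host[:port] with a lowercased, punycode-encoded host (IDN homoglyphs become xn--...)."""
    p = urlsplit(url)
    host = (p.hostname or "").encode("idna").decode("ascii")
    port = f":{p.port}" if p.port and p.port not in (80, 443) else ""
    return f"{p.scheme.lower()}://{host}{port}"


def autofill_credential(page_url: str):
    """Password-manager rule: fill only on an exact match with a saved origin, never on a lookalike."""
    return VAULT.get(normalize_origin(page_url))


# FIDO2/WebAuthn origin binding, simplified. HMAC with a constructed secret stands in for the
# token's private-key signature; flags, counter and attestation are omitted.
TOKEN_SECRET = b"constructed-per-credential-secret-held-by-the-hardware-token"


def authenticator_assert(browser_origin: str, rp_id: str, challenge: str):
    """What browser + token produce. The browser, not the user, records the real page origin."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": browser_origin})
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    signed = auth_data + hashlib.sha256(client_data.encode()).digest()
    sig = hmac.new(TOKEN_SECRET, signed, hashlib.sha256).digest()
    return client_data, auth_data, sig


def rp_verify(client_data: str, auth_data: bytes, sig: bytes,
              rp_id: str, expected_origin: str, challenge: str) -> bool:
    """Relying-party checks in WebAuthn order: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:  # credentials phished on a lookalike site fail here
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = auth_data + hashlib.sha256(client_data.encode()).digest()
    return hmac.compare_digest(hmac.new(TOKEN_SECRET, signed, hashlib.sha256).digest(), sig)
```

    A lookalike such as `login.examp1e.com` or an IDN homoglyph host gets no autofill, and an assertion produced while the browser was on a spoofed origin is rejected by the relying party even though the token signed it.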

  4. Stopping Social Engineering Attacks in Progress Through a Second Means of Verification

    To thwart social engineering attacks already in progress, an extremely effective method is to verify the authenticity of a sensitive request through another channel or means. 

    For instance, if an employee receives an email asking for a wire transfer or access to sensitive company data, they should take a moment to verify the request using another communication channel, such as a phone call, messaging app, or in-person confirmation. By creating a healthy dose of skepticism and verifying a request, employees can catch social engineering attacks in the moment.

    Doing this can thwart even sophisticated AI-driven attacks. A recent example occurred in July 2024 when Ferrari experienced a deepfake scam where a fraudster impersonated CEO Benedetto Vigna in an attempt to manipulate a high-ranking executive. The attacker used advanced AI-generated deepfake technology to convincingly mimic Vigna’s voice, even simulating his southern Italian accent, during a WhatsApp message and phone call. The scam involved a supposed confidential deal that required the executive’s urgent assistance, including signing a Non-Disclosure Agreement and performing a currency-hedge transaction. Fortunately, the executive became suspicious, noticing inconsistencies like the use of a different phone number and slight mechanical intonations in the voice. The executive then said he needed to verify Vigna’s identity and asked a personal question related to a book Vigna had recently recommended. Because the scammer couldn’t answer this, he abruptly ended the call. 

  5. Security Awareness Training and Simulations

    While minimizing personal data exposure, using password managers, MFA, and verifying requests are essential protection measures, organizations should educate their employees on modern social engineering methods through training. IBM's 2024 Cost of A Data Breach report cites 'employee training' as the top factor in reducing the average cost of a breach, specifically because of its importance in "detecting and stopping phishing attacks." When employees are effectively trained on the current techniques social engineers employ and how they are likely to be targeted in real life situations, it becomes much more difficult for attackers to fool them.

    Effective security awareness training should teach employees to recognize the psychological techniques that social engineers use and should expose them to real-world attack simulations that mirror the types of threats they’re likely to face based on their industry, work environment, roles, data exposure, and risk level. Seeing firsthand how their personal information can be weaponized, or how a social engineer may try to manipulate them, can help employees develop a more intuitive sense of caution that will serve them well in the event of a real attack. 

Strengthening Your Defenses Against Social Engineering

As social engineering attacks become a more sophisticated and widespread threat, companies must step up their defenses. Disrupting OSINT recon through minimizing personal data exposure cuts off much of the fuel attackers rely on for social engineering. Providing employees with password managers safeguards against mass social engineering and credential harvesting campaigns.

By implementing multi-factor authentication (MFA), organizations add an essential layer of security that protects employee accounts—even when legitimate credentials are compromised. The most sophisticated social engineering attacks can still be thwarted through second-channel verification and well-trained employees. Proactively implementing these defenses now can make the difference between a company that falls victim to social engineering and one that stays secure tomorrow.
