3.2.4. Human Vectors and Social Engineering
First Principle: Social engineering exploits the one vulnerability you can never fully patch: human psychology. People are wired to trust authority, help colleagues, respond to urgency, and avoid conflict. Attackers exploit these instincts to bypass technical controls entirely. The most expensive firewall in the world can't stop an employee from reading a convincing email and entering their credentials on a fake login page.
Phishing — fraudulent emails impersonating trusted entities to steal credentials or deliver malware. The most common social engineering attack by volume.
Vishing — voice phishing via phone calls. Attackers impersonate IT support, vendors, or executives to extract information or direct actions ("I need you to wire transfer $50,000 to this account immediately").
Smishing — SMS phishing. Short, urgent text messages with malicious links.
Misinformation and disinformation — misinformation is false information spread unintentionally; disinformation is false information spread deliberately. Both can be weaponized in social engineering campaigns.
Impersonation — pretending to be a trusted individual (executive, IT admin, delivery person) to gain physical or logical access.
Business email compromise (BEC) — a targeted form of impersonation where attackers compromise or spoof an executive's email to direct financial transactions or data sharing.
Pretexting — creating a fabricated scenario (pretext) to justify a request. "Hi, I'm from the help desk, I need to verify your password to fix your account."
Watering hole attacks — compromising websites that the target group frequently visits, rather than attacking them directly. If an attacker can't penetrate a defense contractor, they might compromise a defense industry news site.
Brand impersonation — creating fake websites, emails, or social media accounts that mimic trusted brands to harvest credentials.
Typosquatting — registering domains that are common misspellings of legitimate sites (gooogle.com, amazn.com) to capture users who mistype URLs.
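Brand impersonation and typosquatting both rely on domains that are one small edit away from the real thing. The following added example (not part of the study guide) shows how a defender can flag such lookalike hostnames from DNS or proxy logs against a protected-brand list using optimal-string-alignment distance; the brand list and sample hostnames are constructed, and the second-level-label extraction assumes a one-label TLD.

```python
# Added defender-side example (not from the study guide): flag lookalike
# domains seen in DNS/proxy logs against a protected-brand list using
# optimal-string-alignment distance (Levenshtein plus adjacent transposition).

PROTECTED = ["google.com", "amazon.com", "microsoft.com"]  # constructed list

def osa_distance(a: str, b: str) -> int:
    """Edits (insert, delete, substitute, swap adjacent) turning a into b."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def brand_label(host: str) -> str:
    """Second-level label: 'login.amazn.com' -> 'amazn'. Assumes a one-label TLD."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(host: str, protected=PROTECTED, max_edits: int = 1):
    """Return the protected brand that host imitates, or None if unrelated/legitimate."""
    label = brand_label(host)
    best = None
    for brand in protected:
        target = brand_label(brand)
        if label == target:
            return None  # the real brand or one of its own subdomains
        dist = osa_distance(label, target)
        if dist <= max_edits and (best is None or dist < best[1]):
            best = (brand, dist)
    return best[0] if best else None

def flag_lookalikes(hosts, protected=PROTECTED, max_edits: int = 1) -> dict:
    """Map each suspicious hostname to the brand it resembles."""
    return {h: b for h in hosts if (b := lookalike_of(h, protected, max_edits))}

# Constructed sample hostnames, as they might appear in a proxy or DNS log.
SAMPLE_HOSTS = ["gooogle.com", "amazn.com", "mail.google.com",
                "micorsoft.com", "example.org", "login.amazon.com"]

if __name__ == "__main__":
    for host, brand in flag_lookalikes(SAMPLE_HOSTS).items():
        print(f"{host} resembles {brand}")
```

Legitimate subdomains of a protected brand are skipped because their second-level label matches exactly; raise max_edits with care, since short labels collide with unrelated words quickly.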
⚠️ Exam Trap: Pretexting vs. phishing: pretexting is the fabricated scenario used to justify a request. Phishing is the delivery method (email). An attacker might use pretexting IN a phishing email; they're not mutually exclusive. If the question focuses on the fake story, the answer is pretexting. If it focuses on the fraudulent email, it's phishing.
