{{Short description|Psychological manipulation in information security}} {{Use dmy dates|date=August 2020}} {{For|the influencing of attitudes and social behaviors on a large scale|Social engineering (political science)}} In the context of information security, '''social engineering''' is the use of psychological pressure to influence people to perform actions or divulge confidential information. It has also been more broadly defined as "any act that influences a person to take an action that may or may not be in their best interests."<ref>{{Cite news|url=https://www.social-engineer.org/framework/general-discussion/social-engineering-defined/|title=Social Engineering Defined |work=Security Through Education|access-date=3 October 2021|language=en-TH}}</ref><ref>{{Cite journal |last1=Steinmetz |first1=Kevin F. |last2=Pimentel |first2=Alexandra |last3=Goe |first3=W. Richard |date=2020-12-01 |title=Decrypting Social Engineering: An Analysis of Conceptual Ambiguity |url=https://doi.org/10.1007/s10612-019-09461-9 |journal=Critical Criminology |language=en |volume=28 |issue=4 |pages=631–650 |doi=10.1007/s10612-019-09461-9 |issn=1572-9877|url-access=subscription }}</ref> A type of confidence trick for the purpose of information gathering, fraud, or system access, it differs from a traditional "con" in the sense that it is often one of many steps in a more complex fraud scheme.<ref name="Anderson2008">{{cite book|url=https://books.google.com/books?id=ILaY4jBWXfcC|title=Security engineering: a guide to building dependable distributed systems|last=Anderson|first=Ross J.|publisher=Wiley|year=2008|isbn=978-0-470-06852-6|edition=2|location=Indianapolis, IN|page=1040|author-link=Ross J. Anderson}} Chapter 2, page 17</ref> Phishing is a type of social engineering.<ref>{{Cite web |date=2021-02-01 |title=Avoiding Social Engineering and Phishing Attacks |url=https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks |access-date=2026-05-04 |website=U.S. CISA |language=en}}</ref> Researchers have developed detection techniques and cybersecurity educational programs.<ref>{{Cite journal |last=Salahdine |first=Fatima |date=2019 |title=Social Engineering Attacks: A Survey |url=https://www.mdpi.com/1999-5903/11/4/89 |journal=School of Electrical Engineering and Computer Science, University of North Dakota |volume=11 |issue=4 |pages=89}}</ref>

Researchers in 2019 and 2020 said that social engineering was an increasingly important challenge for organizations and countries.<ref> {{Cite journal |last1=Salahdine |first1=Fatima |last2=Kaabouch |first2=Naima |date=2019-04-02 |title=Social Engineering Attacks: A Survey |journal=Future Internet |language=en |volume=11 |issue=4 |pages=89 |doi=10.3390/fi11040089 |doi-access=free |issn=1999-5903}} </ref><ref> {{Cite book |last1=Mashtalyar |first1=Nikol |last2=Ntaganzwa |first2=Uwera Nina |last3=Santos |first3=Thales |last4=Hakak |first4=Saqib |last5=Ray |first5=Suprio |date=2021 |editor-last=Moallem |editor-first=Abbas |chapter=Social Engineering Attacks: Recent Advances and Challenges |series=Lecture Notes in Computer Science |volume=12788 |title=HCI for Cybersecurity, Privacy and Trust |chapter-url=https://link.springer.com/chapter/10.1007/978-3-030-77392-2_27?error=cookies_not_supported&code=25b718a1-8a9a-4be2-a559-c42c2fc07479 |language=en |location=Cham |publisher=Springer International Publishing |pages=417–431 |doi=10.1007/978-3-030-77392-2_27 |isbn=978-3-030-77392-2}} </ref><ref>{{Cite journal |last=Guitton |first=Matthieu J. |date=2020-06-01 |title=Cybersecurity, social engineering, artificial intelligence, technological addictions: Societal challenges for the coming decade |url=https://www.sciencedirect.com/science/article/pii/S0747563220300613 |journal=Computers in Human Behavior |volume=107 |article-number=106307 |doi=10.1016/j.chb.2020.106307 |s2cid=214111644 |issn=0747-5632|url-access=subscription }}</ref> Reports indicated that through 2024, social engineering attacks had increased in intensity and number.<ref> {{cite report |title=Global Cybersecurity Outlook 2025 |author=World Economic Forum |date=13 January 2025 |publisher=World Economic Forum |url=https://reports.weforum.org/docs/WEF_Global_Cybersecurity_Outlook_2025.pdf |access-date=16 March 2026 }} </ref>{{Vague|date=May 2026}}

==Techniques and terms== Social engineering techniques are based on weaknesses in human decision-making known as cognitive biases.<ref>Jaco, K: "CSEPS Course Workbook" (2004), unit 3, Jaco Security Publishing.</ref><ref>{{Cite journal|last=Kirdemir|first=Baris|date=2019|title=HOSTILE INFLUENCE AND EMERGING COGNITIVE THREATS IN CYBERSPACE|journal=Centre for Economics and Foreign Policy Studies|url=https://www.jstor.org/stable/resrep21052}}</ref> Social engineering is a form of psychological manipulation.<ref>{{Cite web |title=Understanding the Dangers of Social Engineering |url=https://www.state.gov/understanding-the-dangers-of-social-engineering/ |access-date=2026-05-04 |website=United States Department of State |language=en}}</ref>

An example of social engineering would be an attacker who walks into a building and posts an official-looking announcement to the company bulletin that says the telephone number for the help desk has changed. When employees call the false number for help, the individual asks them for their passwords and IDs, thereby gaining access to the company's private information. Another example of social engineering would be a hacker contacting the target on a social networking site and starting a conversation with them. Gradually, the hacker gains the trust of the target and then uses that trust to gain access to sensitive information like password or bank account details.<ref>{{Cite journal|last=Hatfield|first=Joseph M|date=June 2019|title=Virtuous human hacking: The ethics of social engineering in penetration-testing|journal=Computers & Security|volume=83|pages=354–366|doi=10.1016/j.cose.2019.02.012|s2cid=86565713}}</ref>

===Pretexting=== {{Main|Pretexting}} Pretexting, also known in the UK as blagging,<ref name="b163">{{cite web | title=Fundamentals of cyber security | website=BBC Bitesize | date=19 March 2019 | url=https://www.bbc.co.uk/bitesize/guides/znnny4j/revision/4 | access-date=7 July 2024|archive-url=https://web.archive.org/web/20240707042547/https://www.bbc.co.uk/bitesize/guides/znnny4j/revision/4|archive-date=7 July 2024|url-status=live}}</ref> is the act of creating and using an invented scenario (the pretext) to engage a targeted victim in a manner that increases the chance the victim will divulge information or perform actions that would be unlikely in ordinary circumstances.<ref>The story of HP pretexting scandal with discussion is available at {{cite web|url=https://www.scribd.com/doc/62262162/HP-Pretexting-Scandal|title=HP Pretexting Scandal by Faraz Davani|date=14 August 2011|via=Scribd|access-date=15 August 2011|first1=Faraz|last1=Davani}}</ref> An elaborate lie, it most often involves some prior research or setup and the use of this information for impersonation (''e.g.'', date of birth, Social Security number, last bill amount) to establish legitimacy in the mind of the target.<ref>"[http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre10.shtm Pretexting: Your Personal Information Revealed]", Federal Trade Commission</ref>

===Water holing=== {{Main|Watering hole attack}} Water holing is a targeted social engineering strategy that capitalizes on the trust users have in websites they regularly visit. The victim feels safe to do things they would not do in a different situation. A wary person might, for example, purposefully avoid clicking a link in an unsolicited email, but the same person would not hesitate to follow a link on a website they often visit. So, the attacker prepares a trap for the unwary prey at a favored watering hole. This strategy has been successfully used to gain access to some (supposedly) very secure systems.<ref name="Forbes.com watering hole attack">{{cite web|url=https://www.invincea.com/2015/02/chinese-espionage-campaign-compromises-forbes/|title=Chinese Espionage Campaign Compromises Forbes.com to Target US Defense, Financial Services Companies in Watering Hole Style Attack|date=10 February 2015|publisher=invincea.com|access-date=23 February 2017}}</ref>

===Baiting=== Baiting is a form of real-world Trojan horse that uses physical media and relies on the curiosity or greed of the victim.<ref name="Social Engineering, the USB Way">{{cite web|url=http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1|title=Social Engineering, the USB Way|date=7 June 2006|publisher=Light Reading Inc|archive-url=https://web.archive.org/web/20060713134051/http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1|archive-date=13 July 2006|url-status=dead|access-date=23 April 2014}}</ref> In this attack, attackers leave malware-infected floppy disks, CD-ROMs, or USB flash drives in locations people will find them (bathrooms, elevators, sidewalks, parking lots, etc.), give them legitimate and curiosity-piquing labels, and wait for victims.

Unless computer controls block infections, insertion compromises PCs "auto-running" media. Hostile devices can also be used.<ref>{{cite web |url=http://md.hudora.de/presentations/firewire/PacSec2004.pdf |title=Archived copy |access-date=2 March 2012 |url-status=dead |archive-url=https://web.archive.org/web/20071011191205/http://md.hudora.de/presentations/firewire/PacSec2004.pdf |archive-date=11 October 2007}}</ref> For instance, a "lucky winner" is sent a free digital audio player compromising any computer it is plugged to. A "road apple" (the colloquial term for horse manure, suggesting the device's undesirable nature) is any removable media with malicious software left in opportunistic or conspicuous places. It may be a CD, DVD, or USB flash drive, among other media. Curious people take it and plug it into a computer, infecting the host and any attached networks. Again, hackers may give them enticing labels, such as "Employee Salaries" or "Confidential".<ref>{{Cite book|title=Principles of Computer Security, Fourth Edition (Official Comptia Guide)|last1=Conklin|first1=Wm. Arthur|last2=White|first2=Greg|last3=Cothren|first3=Chuck|last4=Davis|first4=Roger|last5=Williams|first5=Dwayne|publisher=McGraw-Hill Education|year=2015|isbn=978-0071835978|location=New York|pages=193–194}}</ref>

One study published in 2016 had researchers drop 297 USB drives around the campus of the University of Illinois. The drives contained files on them that linked to webpages owned by the researchers. The researchers were able to see how many of the drives had files on them opened, but not how many were inserted into a computer without having a file opened. Of the 297 drives that were dropped, 290 (98%) of them were picked up and 135 (45%) of them "called home".<ref>{{Cite web|url=https://www.infosecurity-magazine.com/blogs/bhusa-dropped-usb-experiement/|title=#BHUSA Dropped USB Experiment Detailed|last=Raywood|first=Dan|date=4 August 2016|website=info security|access-date=28 July 2017}}</ref>

=== Ad phishing === Ad phishing is a social engineering technique in which malicious actors use online ads to deceive users into believing they are interacting with legitimate brands or services. According to Google, these deceptive ads often mimic trusted entities such as banks, software providers, or customer support pages, leading users to fraudulent sites that attempt to steal passwords, credit card information, or other sensitive data.<ref>{{Cite web |url=https://developers.google.com/search/docs/monitor-debug/security/social-engineering |title=Avoid and handle social engineering (phishing or deceptive content) |website=Google Search Central |publisher=Google Inc. |access-date=2025-10-04}}</ref>

=== Quid Pro Quo === An attacker offers to provide sensitive information (e.g. login credentials) or pay some amount of money in exchange for a favor. The attacker may pose as an expert offering free IT help, whereby they need login credentials from the user.<ref name=":3">{{Cite web |title=Social Engineering - Information Security Office - Computing Services - Carnegie Mellon University |url=https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html |access-date=2025-04-12 |website=www.cmu.edu |publisher=Carnegie Mellon University |language=en}}</ref>

=== Scareware === {{seemain|Scareware}} thumb|right|An example of a scareware popup The victim is bombarded with multiple messages about fake threats and alerts, making them think that the system is infected with malware. Thus, attackers force them to install remote login software or other malicious software, or directly extort a ransom, such as offering to send a certain amount of money in cryptocurrency in exchange for the safety of confidential videos that the criminal has, as he claims.<ref name=":3" />

=== Tailgating (piggybacking) === An attacker pretends to be a company employee or other person with access rights in order to enter an office or other restricted area. Deception and social engineering tools are actively used. For example, the intruder pretends to be a courier or loader carrying something in his hands and asks an employee who is walking outside to hold the door, gaining access to the building.<ref name=":3" />

==Law== In common law, pretexting is an invasion of privacy tort of appropriation.<ref>Restatement 2d of Torts § 652C.</ref>{{Better source needed|reason=The current source is insufficiently reliable (WP:NOTRS).|date=May 2026}}

=== United States ===

==== Pretexting of banking records ==== The 1999 Gramm-Leach-Bliley Act (GLBA) is a U.S. Federal law that specifically addresses pretexting of banking records as an illegal act punishable under federal statutes. When a business entity such as a private investigator, SIU insurance investigator, or an adjuster conducts any type of deception, it falls under the authority of the Federal Trade Commission (FTC). This federal agency has the obligation and authority to ensure that consumers are not subjected to any unfair or deceptive business practices. US Federal Trade Commission Act, Section 5 of the FTCA states, in part: "Whenever the Commission shall have reason to believe that any such person, partnership, or corporation has been or is using any unfair method of competition or unfair or deceptive act or practice in or affecting commerce, and if it shall appear to the Commission that a proceeding by it in respect thereof would be to the interest of the public, it shall issue and serve upon such person, partnership, or corporation a complaint stating its charges in that respect."

The statute states that when someone obtains any personal, non-public information from a financial institution or the consumer, their action is subject to the statute. It relates to the consumer's relationship with the financial institution. For example, a pretexter using false pretenses either to get a consumer's address from the consumer's bank, or to get a consumer to disclose the name of their bank, would be covered. The determining principle is that pretexting only occurs when information is obtained through false pretenses.

==== Pretexting of telephone records ==== In December 2006, United States Congress approved a Senate sponsored bill making the pretexting of telephone records a federal felony with fines of up to $250,000 and ten years in prison for individuals (or fines of up to $500,000 for companies). The Telephone Records and Privacy Protection Act of 2006 was signed by President George W. Bush on 12 January 2007.<ref>{{cite web|url=https://www.congress.gov/bill/109th-congress/house-bill/4709/|title=Congress outlaws pretexting|work=109th Congress (2005–2006) H.R.4709 – Telephone Records and Privacy Protection Act of 2006 |year=2007}}</ref>

U.S. Rep. Fred Upton (R-Kalamazoo, Michigan), chairman of the Energy and Commerce Subcommittee on Telecommunications and the Internet, expressed concern over the easy access to personal mobile phone records on the Internet during a House Energy & Commerce Committee hearing on "Phone Records For Sale: Why Aren't Phone Records Safe From Pretexting?" Illinois became the first state to sue an online records broker when Attorney General Lisa Madigan sued 1st Source Information Specialists, Inc., a spokeswoman for Madigan's office said. The Florida-based company operates several Web sites that sell mobile telephone records, according to a copy of the suit. The attorneys general of Florida and Missouri quickly followed Madigan's lead, filing suits respectively, against 1st Source Information Specialists and, in Missouri's case, one other records broker&nbsp;– First Data Solutions, Inc.

Several wireless providers, including T-Mobile, Verizon, and Cingular filed earlier lawsuits against records brokers, with Cingular winning an injunction against First Data Solutions and 1st Source Information Specialists. U.S. Senator Charles Schumer (D-New York) introduced legislation in February 2006 aimed at curbing the practice. The Consumer Telephone Records Protection Act of 2006 would create felony criminal penalties for stealing and selling the records of mobile phone, landline, and Voice over Internet Protocol (VoIP) subscribers.

The law was passed at least partially in response to the Hewlett-Packard spying scandal. Patricia Dunn, former chairwoman of Hewlett Packard, reported that the HP board hired a private investigation company to look into who was responsible for leaks within the board. Dunn acknowledged that the company used the practice of pretexting to solicit the telephone records of board members and journalists. Chairman Dunn later apologized for this act and offered to step down from the board if it was desired by board members.<ref name="com">[http://news.cnet.com/HP-chairman-Use-of-pretexting-embarrassing/2100-1014_3-6113715.html?tag=nefd.lede HP chairman: Use of pretexting 'embarrassing'] Stephen Shankland, 8 September 2006 1:08 PM PDT ''CNET News.com''</ref> Unlike Federal law, California law specifically forbid such pretexting. The four felony charges brought on Dunn were dismissed.<ref>{{cite web|url=http://news.cnet.com/Calif.-court-drops-charges-against-Dunn/2100-1014_3-6167187.html|title=Calif. court drops charges against Dunn|date=14 March 2007|publisher=CNET|access-date=11 April 2012}}</ref>

==Notable social engineering incidents==

{{Expand section|date=May 2024}}

===1970s–1990s=== Kevin Mitnick, Susan Headley, and Lewis De Payne were involved in phreaking and computer hacking efforts involving social engineering in Los Angeles in the late 1970s and early 1980s.<ref>{{cite journal|last1=Hafner|first1=Katie|title=Kevin Mitnick, unplugged|journal=Esquire|date=August 1995|volume=124|issue=2|pages=80(9)|url=http://www.tomandmaria.com/ST297/Readings/mitnick%20esquire.htm}}</ref><ref>{{Cite web |last=Barth |first=Bradley |date=2017-07-10 |title=Female blackhats |url=https://www.scworld.com/news/female-blackhats |access-date=2025-11-14 |website=SC Media |language=en}}</ref>

The {{Interlanguage link|Badir Brothers|he|האחים_בדיר}}, Ramy, Muzher, and Shadde Badir{{px2}}{{mdash}}{{hsp}}all of whom were blind from birth{{px2}}{{mdash}}{{hsp}}set up an extensive phone and computer fraud scheme in Israel in the 1990s using social engineering, voice impersonation, and Braille-display computers.<ref>{{cite magazine|url=https://www.wired.com/wired/archive/12.02/phreaks_pr.html|title=Wired 12.02: Three Blind Phreaks|date=14 June 1999|magazine=Wired|access-date=11 April 2012}}</ref><ref>{{cite magazine|url=http://library.nic.in/e-journalNew/Dataquest/Archives/DQNov2012-Oct13/dq_i1_feb13/dq_i1_feb13/64%20-%20Social%20Engineering%20A%20Young%20Hacker's%20Tale.pdf|title=Social Engineering A Young Hacker's Tale.|date=15 February 2013|access-date=13 January 2020|magazine=DATAQUEST}}</ref>

=== 2011 RSA SecurID phishing attack === In 2011, hackers broke into the сryptographic corporation RSA and obtained information about SecurID two-factor authentication fobs. Using this data, the hackers later tried to infiltrate the network of defense contractor Lockheed Martin. The hackers gained access to the key fob data by sending emails to four employees of the parent corporation from an alleged recruitment site. The emails contained an Excel attachment titled 2011 Recruitment Plan. The spreadsheet contained a zero-day Flash exploit that provided backdoor access to the work computers.<ref name=":2">{{Cite web |last= |date=2017-11-02 |title=5 Social Engineering Attacks of All Time |url=https://www.cybersecurityeducationguides.org/2017/11/top-5-social-engineering-attacks-of-all-time/ |access-date=2025-04-09 |website=www.cybersecurityeducationguides.org |language=en-US}}</ref><ref>{{Cite magazine |last=Greenberg |first=Andy |title=The Full Story of the Stunning RSA Hack Can Finally Be Told |url=https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/ |access-date=2025-04-09 |magazine=Wired |language=en-US |issn=1059-1028}}</ref>

=== 2013 Department of Labor watering hole attack === In 2013, a U.S. Department of Labor server was hacked and used to host malware and redirect some visitors to a site using a zero-day Internet Explorer exploit to install a remote access trojan called Poison Ivy. Watering hole attacks were used, with the attackers creating pages related to toxic nuclear substances overseen by the Department of Energy. The targets were likely DoL and DOE employees with access to sensitive nuclear data.<ref name=":2" /><ref>{{Cite web |date=2013-05-06 |title=Internet Explorer zero-day blamed for Department of Labor website attack |url=https://www.infosecurity-magazine.com/news/internet-explorer-zero-day-blamed-for-department/ |access-date=2025-04-10 |website=Infosecurity Magazine |language=en-gb}}</ref>

=== 2014 Sony pictures leak === On 24 November 2014, the hacker group "Guardians of Peace"<ref>{{Cite web |title=The Sony Pictures Breach: A Deep Dive into a Landmark Cyber Attack - Sep 15, 2023 |url=https://www.frameworksec.com/post/the-sony-pictures-breach-a-deep-dive-into-a-landmark-cyber-attack |access-date=2024-10-21 |website=www.frameworksec.com |language=en}}</ref> (probably linked to North Korea)<ref>{{cite web | url = https://www.usatoday.com/story/news/2014/12/19/sony-the-interview-hackers-gop/20635449/ | title = FBI confirms North Korea behind Sony hack | first1 = Elizabeth | last1 = Weise | first2 = Kevin | last2 = Johnson | work = USA Today | date = December 19, 2014 | access-date = December 19, 2014 | archive-date = December 19, 2014 | archive-url = https://web.archive.org/web/20141219204906/http://www.usatoday.com/story/news/2014/12/19/sony-the-interview-hackers-gop/20635449/ | url-status = live }}</ref> leaked confidential data from the film studio Sony Pictures Entertainment. The data included emails, executive salaries, and employees' personal and family information. The phishers pretended to be high up employees to install malware on workers' computers.<ref>{{Cite web |title=Famous Phishing Incidents from History {{!}} Hempstead Town, NY |url=https://www.hempsteadny.gov/635/Famous-Phishing-Incidents-from-History#:~:text=The%20Federal%20Trade%20Commission%20released,information%20to%20claim%20the%20prize. |access-date=2024-10-21 |website=www.hempsteadny.gov}}</ref>

=== 2015 Ubiquiti Networks scam === In 2015, specialized Wi-Fi hardware and software maker Ubiquiti lost nearly $47 million to hackers. Attackers sent Ubiquiti's accounting department a phishing email from a Hong Kong branch with instructions to change payment account details. Upon discovering the theft, the company began cooperating with law enforcement, but was only able to recover $8 million of the stolen funds, although they had hoped for $15 million.<ref name=":2" /><ref>{{Cite web |date=2015-08-07 |title=Ubiquiti Networks Says It Was Victim of $47 Million Cyber Scam |url=https://www.nbcnews.com/tech/security/ubiquiti-networks-says-it-was-victim-47-million-cyber-scam-n406201 |access-date=2025-04-09 |website=NBC News |language=en}}</ref>

=== 2016 United States Elections leaks === During the 2016 United States Elections, hackers associated with Russian Military Intelligence (GRU) sent phishing emails directed to members of Hillary Clinton's campaign, disguised as a Google alert.<ref>{{Cite web |date=2016-12-27 |title=2016 Presidential Campaign Hacking Fast Facts |url=https://www.cnn.com/2016/12/26/us/2016-presidential-campaign-hacking-fast-facts/index.html |access-date=2024-08-07 |website=CNN |language=en}}</ref> Many members, including the chairman of the campaign, John Podesta, had entered their passwords thinking it would be reset, causing their personal information, and thousands of private emails and documents to be leaked.<ref name=":0">{{Cite web |date=2018-07-13 |title=Office of Public Affairs {{!}} Grand Jury Indicts 12 Russian Intelligence Officers for Hacking Offenses Related to the 2016 Election {{!}} United States Department of Justice |url=https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian-intelligence-officers-hacking-offenses-related-2016-election |access-date=2024-08-07 |website=www.justice.gov |language=en}}</ref> With this information, they hacked into other computers in the Democratic Congressional Campaign Committee, implanting malware in them, which caused their computer activities to be monitored and leaked.<ref name=":0" />

=== 2017 Equifax breach help websites === Following the 2017 Equifax data breach linked to China's People's Liberation Army<ref>{{cite web | url = https://www.wsj.com/articles/four-members-of-china-s-military-indicted-for-massive-equifax-breach-11581346824 | title = Four Members of China's Military Indicted Over Massive Equifax Breach | date= February 11, 2020 | work = The Wall Street Journal }}</ref> in which over 150 million private records were leaked (including Social Security numbers, and drivers license numbers, birthdates, etc.), warnings were sent out regarding the dangers of impending security risks.<ref>{{cite web|url=https://www.cnbc.com/2017/09/07/credit-reporting-firm-equifax-says-cybersecurity-incident-could-potentially-affect-143-million-us-consumers.html |title=Credit reporting firm Equifax says data breach could potentially affect 143 million US consumers |date=7 Sep 2018 |publisher=CNBC|access-date=3 May 2024}}</ref> In the day after the establishment of a legitimate help website (equifaxsecurity2017.com) dedicated to people potentially victimized by the breach, 194 malicious domains were reserved from small variations on the URL, capitalizing on the likelihood of people mistyping.<ref>{{cite web|url=https://www.cantonrep.com/entertainmentlife/20171001/straight-talk-beware-scams-related-to-equifax-data-breach |archive-url=https://web.archive.org/web/20201206021332/https://www.cantonrep.com/entertainmentlife/20171001/straight-talk-beware-scams-related-to-equifax-data-breach |title=Straight Talk: Beware scams related to Equifax data breach |archive-date=6 Dec 2020 |url-status=dead}} </ref><ref>{{cite web|url=https://www.social-engineer.org/framework/attack-vectors/phishing-attacks-2/ |title=Phishing |website=Security Through Education |publisher=Social-Engineer}}</ref>

=== 2017 Google and Facebook phishing emails === Two tech giants{{px2}}{{mdash}}{{hsp}}Google and Facebook{{px2}}{{mdash}}{{hsp}}were phished out of $100 million by a Lithuanian fraudster in 2017.<ref>{{Cite news |date=2017-04-28 |title=Google and Facebook duped in huge 'scam' |url=https://www.bbc.co.uk/news/technology-39744007 |access-date=2025-04-10 |work=BBC News |language=en-GB}}</ref> The fraudster impersonated a hardware supplier to falsely invoice both companies over two years.<ref>{{Cite web |last=Jr |first=Tom Huddleston |date=2019-03-27 |title=How this scammer used phishing emails to steal over $100 million from Google and Facebook |url=https://www.cnbc.com/2019/03/27/phishing-email-scam-stole-100-million-from-facebook-and-google.html |access-date=2024-10-20 |website=CNBC |language=en}}</ref> Despite their technological sophistication, the companies lost the money, although they were later able to recoup the majority of the funds stolen.<ref name=":1">{{Cite web |title=Famous Phishing Incidents from History {{!}} Hempstead Town, NY |url=https://www.hempsteadny.gov/635/Famous-Phishing-Incidents-from-History |access-date=2024-10-14 |website=www.hempsteadny.gov}}</ref>

==Countermeasures== Christopher J. Hadnagy, an American information technology security consultant, has written several books on social engineering and cybersecurity.<ref name="rsa">{{cite web | title=Bens Book of the Month Review of Social Engineering The Science of Human Hacking | website=RSA Conference | date=31 August 2018 | url=http://www.rsaconference.com/industry-topics/blog/bens-book-of-the-month-review-of-social-engineering-the-science-of-human-hacking | access-date=22 January 2020}}</ref><ref name="ethical">{{cite news | title=Book Review: Social Engineering: The Science of Human Hacking | website=The Ethical Hacker Network | date=26 July 2018 | url=https://www.ethicalhacker.net/features/book-reviews/book-review-social-engineering-the-science-of-human-hacking/ | access-date=22 January 2020 | archive-date=12 November 2020 | archive-url=https://web.archive.org/web/20201112042818/https://www.ethicalhacker.net/features/book-reviews/book-review-social-engineering-the-science-of-human-hacking/ | url-status=dead }}</ref><ref name="Isaca">{{cite web | last1=Hadnagy | first1=Christopher | last2=Fincher | first2=Michele | title=Phishing Dark Waters: The Offensive and Defensive Sides of Malicious E-mails | website=ISACA | date=22 January 2020 | url=https://www.isaca.org/Journal/archives/2016/volume-2/Pages/phishing-dark-waters-the-offensive-and-defensive-sides-of-malicious-e-mails.aspx | access-date=22 January 2020}}</ref>

=== Required training === The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to implement a security awareness and training program for all members of their workforce, including training on procedures for guarding against, detecting, and reporting malicious software, as well as monitoring log-in attempts and reporting discrepancies (45 CFR 164.308(a)(5)).<ref>{{cite web |title=Security Standards: Administrative Safeguards |url=https://www.hhs.gov/hipaa/for-professionals/security/guidance/administrative-safeguards/index.html |publisher=U.S. Department of Health and Human Services |access-date=2026-03-31}}</ref><ref name="StatPearls-HIPAA">{{cite book |last1=Edemekong |first1=Peter F. |last2=Annamaraju |first2=Parvathi |last3=Haydel |first3=MJ |title=Health Insurance Portability and Accountability Act |url=https://www.ncbi.nlm.nih.gov/books/NBK500019/ |work=StatPearls |publisher=StatPearls Publishing |date=2024 |pmid=29763195 |access-date=April 3, 2026}}</ref> The U.S. Department of Health and Human Services has identified social engineering, particularly phishing, as the leading initial attack vector in healthcare data breaches reported under the HIPAA Breach Notification Rule.<ref>{{cite web |title=Breaches Affecting 500 or More Individuals |url=https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf |publisher=U.S. Department of Health and Human Services |access-date=2026-03-31}}</ref> The December 2024 Notice of proposed rulemaking (NPRM) to overhaul the HIPAA Security Rule proposed strengthening anti-social-engineering defenses by requiring simulated phishing exercises, mandating multi-factor authentication for all access to electronic protected health information, and implementing technical controls to detect and block malicious communications.<ref>{{cite web |title=HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information |url=https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information |work=Federal Register |date=2025-01-06 |access-date=2026-03-31}}</ref><ref name="HHS-NPRM-factsheet">{{cite web |title=HIPAA Security Rule Notice of Proposed Rulemaking – Fact Sheet |url=https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html |publisher=U.S. Department of Health and Human Services |access-date=April 3, 2026}}</ref>

The Payment Card Industry Data Security Standard (PCI DSS) requires organizations to implement a formal security awareness program that educates personnel about social engineering threats, including phishing and pretexting, upon hire and at least annually thereafter (Requirement 12.6).<ref>{{cite web |title=PCI DSS Quick Reference Guide |url=https://www.pcisecuritystandards.org/document_library/ |publisher=PCI Security Standards Council |access-date=2026-03-31}}</ref>

==See also== *Advance-fee scam *Phishing *Pretexting

==References== {{Reflist}}

==Further reading== {{refbegin|2}} * Boyington, Gregory. (1990). 'Baa Baa Black Sheep' Published by Gregory Boyington {{ISBN|0-553-26350-1}} * Harley, David. 1998 ''[http://smallbluegreenblog.files.wordpress.com/2010/04/eicar98.pdf Re-Floating the Titanic: Dealing with Social Engineering Attacks] {{Webarchive|url=https://web.archive.org/web/20160922222220/http://smallbluegreenblog.files.wordpress.com/2010/04/eicar98.pdf |date=22 September 2016 }}'' EICAR Conference. * Laribee, Lena. June 2006 ''[http://faculty.nps.edu/ncrowe/oldstudents/laribeethesis.htm Development of methodical social engineering taxonomy project]'' Master's Thesis, Naval Postgraduate School. * Leyden, John. 18 April 2003. ''[https://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/ Office workers give away passwords for a cheap pen]''. The Register. Retrieved 2004-09-09. * Mann, Ian. (2008). ''Hacking the Human: Social Engineering Techniques and Security Countermeasures'' Published by Gower Publishing Ltd. {{ISBN|0-566-08773-1}} or {{ISBN|978-0-566-08773-8}} * Mitnick, Kevin, Kasperavičius, Alexis. (2004). ''CSEPS Course Workbook''. Mitnick Security Publishing. <!-- Is there an ISBN? --> * Mitnick, Kevin, Simon, William L., Wozniak, Steve,. (2002). ''The Art of Deception: Controlling the Human Element of Security'' Published by Wiley. {{ISBN|0-471-23712-4}} or {{ISBN|0-7645-4280-X}} * Hadnagy, Christopher, (2011) ''Social Engineering: The Art of Human Hacking'' Published by Wiley. {{ISBN|0-470-63953-9}} * N.J. Evans. (2009). "Information Technology Social Engineering: An Academic Definition and Study of Social Engineering-Analyzing the Human Firewall." Graduate Theses and Dissertations. 10709. https://lib.dr.iastate.edu/etd/10709 * Z. Wang, L. Sun and H. Zhu. (2020) "Defining Social Engineering in Cybersecurity," in IEEE Access, vol. 8, pp. 85094-85115, doi:10.1109/ACCESS.2020.2992807. {{refend}}

==External links== {{Commons category|Social engineering (security)}} *[https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=891b1f29-e2e7-4484-89c0-a2137ee82f8b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments Social Engineering Fundamentals] – ''Securityfocus.com''. Retrieved 3 August 2009. *{{cite web |url=http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1 |archive-url=https://web.archive.org/web/20060713134051/http://www.darkreading.com/document.asp?doc_id=95556&WT.svl=column1_1 |archive-date=13 July 2006 |title=Social Engineering, the USB Way |publisher=Light Reading Inc |date=7 June 2006 |url-status=dead |access-date=23 April 2014}} *[http://www.darknet.org.uk/2006/03/should-social-engineering-a-part-of-penetration-testing/ Should Social Engineering be a part of Penetration Testing?] – ''Darknet.org.uk''. Retrieved 3 August 2009. *[http://www.epic.org/privacy/iei/sencomtest2806.html "Protecting Consumers' Phone Records"], Electronic Privacy Information Center ''US Committee on Commerce, Science, and Transportation''. Retrieved 8 February 2006. *Plotkin, Hal. [https://web.archive.org/web/20061012064802/http://www.plotkin.com/blog-archives/2006/09/memo_to_the_pre.html Memo to the Press: Pretexting is Already Illegal]. Retrieved 9 September 2006.

{{Information security}} {{Authority control}}

{{DEFAULTSORT:Social Engineering - Information Security}} Category:Social engineering (security) Category:Cybercrime Category:Deception