How do you define “social engineering”?
Social engineering is “any action that influences a person to take an action that may or may not be in their best interests.” This is a broad definition, but I use it because I don’t always see social engineering activity as negative. Even if we don’t realize it or label it social engineering, we use these skills every day communicating and interacting with everyone.
How does social engineering fit with cybersecurity?
Social engineering is broken into four basic vectors: Phishing, Vishing, SMShing and Impersonation. “Phishing” refers to email-based attacks to get you to click a link, open an infected file attachment or just offer up some valuable information in reply. “Vishing” is short for “voice phishing,” or a phone-based attack involving a conversation between attacker and target. “SMShing” refers to SMS or text-based attacks—similar to vishing, but via texting. “Impersonation” is an in-person attack where the attacker pretends to be someone they are not. I’ll say again though that all of these social engineering vectors can be exploited for positive or negative results, depending on the intent of the attacker. Professionals need to know how each of these vectors works in order to protect and advise their clients.
Are social engineering attacks becoming more advanced?
Yes, more common and more sophisticated. Especially when it comes to phishing and SMShing, attacks are becoming much more realistic and hard to identify. Whereas we used to tell people to look for misspellings or strange grammar, attackers are using spell check and being more careful crafting their messages. What used to be easy telltale signs of a malicious message are no longer there.
Chris Hadnagy is founder and chief executive officer of Social-Engineer, LLC. With more than 17 years of experience as a practitioner and researcher in the security field, he works to expose social engineering as the top threat to organizational security. We caught up with him in advance of his keynote presentation for the 2018 NTCA Cybersecurity Summit.
a Social Engineer
A Q&A With Chris Hadnagy
Mark Marion is director of training at NTCA–The Rural
Contact him at
How might someone use social engineering to attack a
Off the top of my head, here are two:
1) The executive assistant at the telco receives an email from what appears to be the general manager telling them to send a wire transfer or gift card information or some type of easily accessible funds. The email looks like it is coming from the GM’s address and even includes their standard signature. It often arrives during a time the GM is traveling or away from the office for an extended period of time. This phishing attack is called a BEC (Business Email Compromise) scam. In the past five years, 78,000 attacks have resulted in a total of $12 billion in losses.
2) An employee receives a call from someone posing as tech support for one of their third-party vendors. They are informed about an urgent threat and told to reset their password right away. The “tech” walks them through the entire process and in turn now has full access to their account. The victim doesn’t even know they have been attacked. In fact, they think they have helped in thwarting an attack. We use this type of attack on a daily basis, and it is highly effective.
Who are the people behind these attacks, and what might their motivations be?
It can be anyone really. Maybe someone from a different country with a ruined economy looking for a quick score of cash. Maybe your neighbor seeking some sort of revenge. Maybe someone who is bored and just looking to see what they can get away with. Attackers do not fit any one particular profile, and their motivations vary widely.