Social Engineering Attack Playbook: Vishing, Smishing, and Pretexting
A detailed breakdown of the five most common social engineering attack types, the psychological principles that make them effective, and the technical and human controls organizations can use to defend against them.
Social engineering attacks succeed not because they exploit software vulnerabilities but because they exploit the most complex and least patchable system in any organization: human psychology. While technical controls form the backbone of security programs, they mean little when an employee is convinced by a convincing caller that they need to share their credentials to avoid account termination. Understanding how these attacks work — and more importantly, why they work — is essential to defending against them.
The Five Most Common Social Engineering Attack Types
1. Phishing
Phishing remains the dominant social engineering vector, used in the initial access phase of the majority of significant breaches. Modern phishing campaigns have evolved significantly from the mass-spray "Nigerian prince" emails of the early 2000s.
Spear phishing targets specific individuals using personalized context. An attacker targeting a finance employee might reference a specific invoice number found through OSINT on LinkedIn or a company's website. The Uber breach in 2022 began with an SMS phish sent to an employee; the attacker claimed to be IT security, told the employee their account had been compromised, and convinced them to provide their VPN MFA code.
Business Email Compromise (BEC) is a financially devastating variant. Attackers compromise or spoof an executive's email and instruct finance employees to wire funds or change payroll direct deposit information. The FBI's IC3 reported $2.9 billion in BEC losses in 2023 alone. These attacks often involve no malware whatsoever — just social pressure and urgency.
Adversary-in-the-Middle (AiTM) phishing uses reverse-proxy toolkits (Evilginx2, Modlishka) to capture session cookies and bypass MFA. The victim visits what appears to be a legitimate login page; the proxy relays their credentials to the real site and captures the authenticated session token. Even TOTP-based MFA is ineffective against this technique.
2. Vishing (Voice Phishing)
Vishing attacks use phone calls to manipulate victims. The rise of AI voice cloning has dramatically lowered the barrier to creating convincing impersonations.
IT helpdesk impersonation is the classic vector: a caller claims to be IT support and tells the employee their account has been compromised or will be locked unless they provide their password or install a "security update" (remote access tool). This technique was used extensively by the LAPSUS$ group.
Executive impersonation targets administrative staff — particularly executive assistants — with requests for wire transfers, gift card purchases, or confidential documents. An AI-cloned voice of the CFO is now a realistic threat.
Financial institution impersonation targets individuals with calls claiming to be their bank's fraud department, creating urgency around a fraudulent transaction that the victim must "confirm" by providing their card number and OTP.
3. Smishing (SMS Phishing)
SMS messages have higher open rates than email, and users are less conditioned to be suspicious of them. Common smishing attacks include:
- Package delivery notifications with tracking links that harvest credentials or deliver malware
- Bank fraud alerts requesting confirmation of a suspicious transaction
- Two-factor authentication abuse: after obtaining stolen credentials, attackers use smishing to convince victims to share OTP codes by impersonating the victim's bank or employer
4. Pretexting
Pretexting involves constructing a fabricated scenario (pretext) to extract information. This often involves impersonating someone with legitimate authority to request information: an auditor needing compliance records, a new vendor needing IT documentation, or a law enforcement officer seeking information about an account.
The Twitter/X breach of 2020 is a textbook example: attackers called Twitter employees claiming to be internal IT staff, convinced them to provide credentials to an internal VPN tool, and ultimately took over high-profile accounts including Barack Obama's and Elon Musk's.
5. Baiting and Quid Pro Quo
Baiting uses the lure of something desirable to get victims to take an action. USB drops in parking lots (laden with malware) remain surprisingly effective — a 2016 study found that 45–98% of dropped USB drives were plugged in by employees who found them.
Quid pro quo attacks offer a service in exchange for information — claiming to be a survey platform offering a gift card in exchange for completing a "security assessment" that collects sensitive information about the organization's systems.
Psychological Principles Attackers Exploit
Understanding why these attacks work helps design effective defenses. Attackers leverage documented psychological principles identified by Dr. Robert Cialdini:
Authority: People comply with requests from perceived authority figures. An attacker claiming to be the CISO, a federal agent, or a senior auditor gets compliance that an ordinary caller would not. The Uber attacker posed as IT security; the Twitter attackers posed as internal IT staff.
Urgency and Scarcity: "Your account will be locked in 30 minutes unless you act now" bypasses careful deliberation. The time pressure prevents victims from following verification procedures or consulting colleagues.
Social Proof: "Other employees have already done this" implies that the action is normal and safe. "I just finished a call with your colleague in accounting" establishes familiarity.
Liking and Rapport: Attackers who build brief rapport before making a request are more successful. A few minutes of friendly conversation establishes a relationship that makes refusal feel rude.
Reciprocity: Providing something of value first — information, help with a problem, a compliment — creates a social obligation to reciprocate.
Fear: Threats of consequences (account termination, legal action, public embarrassment) activate fight-or-flight responses that bypass rational evaluation.
Red Flags to Teach Employees
Security awareness training should focus on concrete, actionable behavioral cues rather than generic advice:
- Requests to bypass normal procedures — "Don't create a ticket for this, just handle it now"
- Requests for credentials — legitimate IT staff never need your password
- Urgency that prevents verification — "There's no time to verify, we need this now"
- Unusual requests from familiar people — your CFO's voice on a call requesting a wire transfer
- Requests for OTP codes — no legitimate service will ask you to read back an authentication code
- Caller ID that "confirms" identity — caller ID is trivially spoofed
- Requests to keep the interaction confidential — "Don't tell your manager about this"
Technical Controls
Caller ID Verification and STIR/SHAKEN
STIR/SHAKEN (Secure Telephone Identity Revisited / Signature-based Handling of Asserted Information Using toKENs) is a standards framework for authenticating caller ID in VoIP networks. Implemented broadly in US carrier networks since 2021, it assigns attestation levels (A, B, C) to calls. Calls without full attestation should be treated with additional skepticism, and telecom providers can flag or block them.
Out-of-Band Confirmation
Any request for sensitive action — wire transfer, credential sharing, account modification — should trigger out-of-band confirmation through a known, pre-established channel. If someone calls claiming to be the CFO requesting a transfer, you call the CFO back at their known phone number, never at a number provided by the caller. This single control defeats most vishing and BEC attacks.
FIDO2 / Passkeys
Hardware security keys (YubiKey) and passkeys using FIDO2 are phishing-resistant by design. The cryptographic challenge-response is bound to the origin (domain name), so AiTM proxy attacks and phishing sites cannot harvest usable credentials. Migrating privileged accounts to FIDO2 MFA is the most impactful technical control against phishing.
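The origin binding described above, modelled as an added example (not code from any FIDO2 library): the browser puts the origin it is really on into clientDataJSON, the credential signs over it, and the relying party rejects the assertion when that origin is not its own. HMAC stands in for the credential's asymmetric signature, and the domain names are constructed.

```python
"""Model of the FIDO2/WebAuthn origin check that defeats AiTM proxies: the browser
reports the origin it is actually on inside clientDataJSON, the credential signs a
hash of that data, and the relying party (RP) rejects any origin but its own.
Added example; HMAC stands in for the credential's asymmetric signature and the
domain names are constructed."""
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://login.example.test"            # the genuine site
PROXY_ORIGIN = "https://login.example-secure.test"  # constructed AiTM proxy domain

def register(credential_key):
    """At registration the RP stores the credential key together with its own origin."""
    return {"key": credential_key, "origin": RP_ORIGIN}

def authenticator_assert(credential_key, browser_origin, challenge):
    """Browser + authenticator side. The browser fills in the origin the user is really
    on; the authenticator signs over its hash without knowing anything about proxies."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": browser_origin}, sort_keys=True).encode()
    sig = hmac.new(credential_key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "signature": sig}

def rp_verify(stored, assertion, expected_challenge):
    """RP side: ceremony type, challenge freshness, origin binding, then the signature.
    Because the signature covers clientDataJSON, a proxy cannot rewrite the origin."""
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if data.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if data.get("origin") != stored["origin"]:
        return False, f"origin mismatch: {data.get('origin')}"
    expected = hmac.new(stored["key"], hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def login_flow(browser_origin):
    """One login ceremony. With a proxy in the path the RP's challenge is relayed
    unchanged, but the user's browser is on PROXY_ORIGIN and that is what gets signed."""
    key = secrets.token_bytes(32)
    stored = register(key)
    challenge = secrets.token_urlsafe(32)   # issued by the RP, relayed by the proxy
    return rp_verify(stored, authenticator_assert(key, browser_origin, challenge), challenge)
```

Compare with a TOTP code, which carries no origin at all and so verifies identically whether the user typed it into the real site or into the proxy.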
Email Authentication
DMARC with a p=reject policy tells receiving mail servers to reject messages that fail authentication for your domain. Combine it with DKIM signing and an SPF record ending in -all to close the primary technical vector for BEC spoofing of your own domain.
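A check for the configuration just described, as an added example (not the page's own tooling): it evaluates SPF and DMARC TXT record strings and reports where enforcement falls short, with a weak configuration placed beside the hardened one. The records and domain names are constructed; in practice you would feed it the TXT records returned by a DNS lookup.

```python
"""Check whether a domain's SPF and DMARC TXT records enforce what this section
recommends: SPF ending in -all and DMARC p=reject. Added example; the records
below are constructed stand-ins, not real DNS data."""
import re

# Constructed TXT records: the weak configuration beside the hardened one.
WEAK_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}
HARDENED_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailprovider.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.test"],
}

def find_spf(txt_records):
    """Return the SPF record, or None if absent or duplicated (two records is a permerror)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None

def spf_all_qualifier(record):
    """Qualifier of the terminal 'all' mechanism: '-', '~', '?', '+' or None if missing."""
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record, re.IGNORECASE)
    return None if not m else (m.group(1) or "+")   # bare 'all' means '+all'

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lower-cased tag dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess(records, domain):
    """Return findings; an empty list means spoofed mail from `domain` will be rejected."""
    findings = []
    spf = find_spf(records.get(domain, []))
    if spf is None:
        findings.append("SPF: record missing or duplicated")
    elif (q := spf_all_qualifier(spf)) != "-":
        findings.append("SPF: no 'all' mechanism" if q is None
                        else f"SPF: terminal mechanism is '{q}all', not '-all'")
    dmarc = [r for r in records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC: no record published")
    else:
        tags = parse_dmarc(dmarc[0])
        if tags.get("p") != "reject":
            findings.append(f"DMARC: policy is p={tags.get('p', 'missing')}, not p=reject")
        if tags.get("pct", "100") != "100":   # pct<100 applies the policy to a sample only
            findings.append(f"DMARC: pct={tags['pct']} leaves part of the mail unenforced")
    return findings
```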
Testing Your Organization
Passive awareness training has limited effectiveness. The most effective programs combine education with realistic simulation:
Phishing simulations using platforms like KnowBe4, Proofpoint Security Awareness, or open-source GoPhish send realistic phishing emails to employees and track click rates, credential submission, and reporting. Employees who click should receive immediate in-context training rather than punitive action.
Vishing simulations are rarer but highly effective — having professional social engineers call employees and attempt to extract credentials or sensitive information, then report on success rates by department and individual.
Physical security tests — tailgating attempts into secured areas, USB drop exercises, impersonation attempts in person — round out a comprehensive program.
Metrics to track over time: phishing click rate (target below 5%), credential submission rate (target near 0%), and report rate (percentage of phishing simulations reported to security, which should increase over time). A culture where employees feel safe reporting suspicious interactions — rather than embarrassed for nearly falling for an attack — is more valuable than any specific metric.