The Art of Social Engineering and How to be Cyber Street Smart
The Art of Social Engineering: Defense in Depth for 2025 and Beyond
Social engineering attacks exploit human trust and urgency to bypass technical security. In mid-2025, a wave of breaches against major retailers (e.g. Marks & Spencer, Harrods) highlighted Scattered Spider (UNC3944), a criminal group using advanced social-engineering campaigns. Earlier campaigns like “BazarCall” (callback phishing) show how simple lures can be weaponized by trained operators. These attacks (via email, phone or text) rely on authoritative pretexts (CEO/CIO calls, fake invoices, expiring subscriptions) to trick employees into divulging credentials or installing malware. As one analyst notes, attackers now “exploit human trust” with typosquatted domains and phishing kits (e.g. Evilginx) to bypass even MFA. Defenders must therefore build robust policies and training programs – a true “human firewall” – to counter these tactics.
Scattered Spider (2025) – Social-Engineering by Design
Scattered Spider is a hacking collective notorious for targeting IT help desks and service providers. Their playbook combines phishing and vishing with careful reconnaissance. For example, researchers found attackers use LinkedIn and commercial data to profile key employees, then impersonate trusted staff over phone or email. A common ruse: a help-desk agent gets a panicked call from someone “speaking like the CFO,” urgently asking for a password reset or MFA reconfiguration. Under this pressure, even vigilant staff may comply. Once an account is compromised, Scattered Spider moves laterally to deploy ransomware.
Key tactics include:
- Impersonation & Phishing: Scattered Spider sets up typosquatted domains mimicking VPN, SSO or support sites (about 81% of its domains imitate tech vendors) to harvest admin credentials. They use phishing kits like Evilginx that proxy real login pages, capturing session cookies and bypassing MFA.
- MFA Bypass: They exploit “push bombing” – sending repeated bogus MFA prompts until a user angrily approves one – and recruit fluent English-speaking callers to spoof executives over voice or video.
- Supply-Chain Focus: By breaching one MSP or contractor (e.g. Tata Consultancy Services), they leverage “one-to-many” access to dozens of client networks at once.
These methods give Scattered Spider a high success rate: they’ve expanded from basic SIM-swaps to sophisticated social-engineering alliances with ransomware gangs. In short, the group targets people, not just machines – a warning that no organization, however well-defended, is immune to a crafty human-centric attack.
BazarCall “Callback” Phishing
Another instructive scenario is callback phishing. First seen in the Ryuk/Conti ransomware era, BazarCall emails carry no malicious links or attachments. Instead, they pose as legitimate notices (expiring trials, purchase receipts, billing issues) and instruct the reader to call a given phone number. When the target dials in, they reach a live scammer posing as tech support. That person then provides step-by-step guidance to install malware or steal data.
Because these emails lack the usual red flags (no hidden links or files), many defenses miss them. As HC3 explains, users trained only to avoid “clickable” phishing may still trust such a message and dial the number. Once on the phone, the attacker leverages all kinds of pretexts and psychological pressure to dupe the caller. In essence, callback phishing uses a human-to-human interaction to bypass firewalls and filters entirely. Public-sector and healthcare organizations have been specifically warned about this evolved tactic, since it “exploits the human factor” and continuously adapts its social lures.
Two Scenarios, One Lesson
These cases highlight two ends of the social-engineering spectrum:
- Inbound Deception (Scattered Spider style): The attacker contacts or spoofs an internal helpdesk or executive, using context and authority to trick staff into granting access.
- Outbound Deception (BazarCall style): The victim is lured into calling the attacker via a seemingly official message, then manipulated step-by-step on the phone.
Both rely on blending in with trusted processes. Notably, attackers now research their targets in advance and tailor each approach. For example, forums have ads seeking native-English “lead generators” to play roles with regional accents, ensuring every word sounds credible. The core lesson: it’s often easier for hackers to trick a person than to break a network. As one analyst puts it, social engineering is “at the heart” of Scattered Spider’s operation.
Defense-in-Depth: Policies and Training
Building resilience against social engineering means combining people, process and technology. A mature security posture treats human factors like any other vulnerability. As Crowe notes, even the best technical controls need the backstop of strong policies and training. The goal is to limit every potential abuse point:
- Strict Verification Policies: Require out-of-band confirmation for any sensitive request. Maintain an up-to-date list of official contact numbers for vendors and executives and always use those (never the one in a suspicious email). For example, if a finance user emails a changed invoice, the payment team should call the vendor’s known number to confirm the update, no matter what the email says. Similarly, help-desk techs should verify callers with multi-factor ID checks: ask for employee IDs, recent login details or a pre-arranged code word (not easily found on social media) before resetting passwords or registering new devices. Policies should also limit authority: only designated personnel may approve high-impact actions, and any request (especially for privileged accounts) should trigger an authorization protocol.
- Robust Incident Procedures: Establish clear steps if an attack is suspected. For instance, policy can mandate that all denied or unusual access requests are logged and escalated. Maintain a process (e.g. a ticket system or help-desk chat channel) for reporting persistent social-engineering attempts. Train staff to immediately isolate or disable accounts if a compromise is suspected (ReliaQuest advises playbooks to kill active sessions and reset credentials the moment fraud is detected). The plan should also assign 24/7 monitoring (or an MDR service) to catch odd behavior at nights/weekends, and mandate regular drills (tabletops with social-engineering scenarios) to keep teams sharp.
- Finance and Data Controls: Pay particular attention to money transfers and data requests, which are common social-engineering goals. Finance teams should use dual controls for payments, always verifying any banking detail change with an independent channel. Any large fund transfer or purchase of gift cards must be validated by leadership in person or via encrypted channels. For sensitive data, disallow ad-hoc email sharing – use secure file portals with audit trails and data-loss-prevention (DLP) tools. (Crowe warns that simple attachments invite frauds and tracking problems.) In summary, build authorization checkpoints into workflows so that no single employee can act on a suspicious request without cross-checking.
- Support and Culture: Ensure employees know they won’t be punished for following security protocols, even if it slows business. Empower them: if something feels off, they should feel safe to pause and verify. Make security awareness part of the culture. As Crowe concludes, written, regularly reviewed policies (not just one-off training) are critical for lasting defense.
User Training and Awareness
A vigilant, well-trained workforce is the last line of defense. Training should be continuous, varied, and realistic:
- Simulations and Drills: Conduct frequent phishing and vishing simulations that mimic current threats (e.g. bogus “urgent request” emails and callback lures). Training company-wide shows people exactly what tactics look like. Also run help-desk penetration tests: have a red team phone your own IT staff using an approved script to see if protocols are followed. Immediate feedback helps reinforce correct behavior.
- Role-Based Training: Tailor exercises for high-risk groups. Teach finance and accounting teams to double-check invoice or payment requests (and to recognize spear-phishing nuances). Help-desk staff need extra instruction on verifying identities and resisting pressure. For example, emphasize they should never approve an unexplained MFA prompt – Coalition recommends explicitly training employees to reject any unexpected MFA push and to report it.
- Storytelling and Updates: Use real case studies in training (e.g. “the CEO texted me” frauds or the BazarCall script) so staff can relate. Remind everyone that attackers often prey on emotions like fear or curiosity – an urgent, angry-sounding caller or a tempting “free trial” offer should ring alarm bells. Update the team on emerging scams: for instance, warn about “AI-deepfake” voice calls that imitate executives, or crafty callback emails with no links. This awareness helps people pause and think, breaking the attack chain.
- Broad Awareness: Training should cover all channels. Remind staff that social engineering can arrive by email, phone, SMS or even a knock on the door. Encourage verification of anyone claiming to be from IT, a vendor, or even the CEO’s assistant. As one public advisory notes, “be suspicious of unsolicited calls, visits, or emails from unknown individuals… and verify the caller’s identity directly with the company”.
Technical Layers (Supporting Measures)
Technical controls complement people-based defenses:
- Modern MFA: Use stronger multi-factor systems. Replace one-touch “approve/deny” apps with context-aware MFA – e.g. number-matching or hardware security keys – to defeat push-bombing and phishing proxies. Disable legacy authentication that can’t enforce MFA. Set alerts for multiple failed or repeated MFA tries, as these may signal “MFA fatigue” attacks.
- Email and Domain Security: Enforce strict email authentication (SPF, DKIM, DMARC) to block spoofed senders. Deploy advanced email filtering that analyzes text and attachments. Use threat intelligence or Digital Risk Protection services to monitor for lookalike domains (ReliaQuest suggests scanning for any new domain containing keywords like your company or vendors). If possible, automatically quarantine messages from newly registered domains or mismatched addresses.
- Endpoint and Network Monitoring: Endpoint protection (EDR) can catch malicious downloads if a callback-prompted program is executed. Network monitoring should flag unusual connections (e.g. to a random IP after an employee clicks a link). ReliaQuest recommends hunting for network traffic to domains tied to these campaigns. Equally, 24/7 Security Operations (via SOC or MDR) ensures that off-hours attacks are spotted – many social engineers pick nights or weekends for maximum stealth.
- Access and Privilege Controls: Enforce least-privilege for all accounts. Require that all vendor and contractor accounts have MFA and only minimal necessary access. Audit third-party access regularly, and revoke old accounts promptly. (If a vendor is compromised, attackers exploit it exactly like Scattered Spider did with Tata Consultancy Services.)
Continuous Improvement
No plan is perfect on the first try. Regularly review and refine both training and policies. Track metrics (phish click rates, reported suspicious calls, help-desk compliance) and adjust. Security teams should test processes end-to-end – for example, intentionally feeding a fake invoice into the workflow to see if finance catches it. Importantly, encourage feedback: if a policy causes repeated workflow issues, tweak it so employees don’t start bypassing it. Remember Crowe’s advice: effective policies are those people actually follow.
Conclusion
Social engineering is an art that will only get more elaborate. In 2025, groups like Scattered Spider show that human manipulation can be as dangerous as any zero-day exploit. The antidote is defense-in-depth with a focus on the human layer: robust verification policies, relentless user education, and vigilant monitoring. By investing in comprehensive training and security procedures now – as Cybernexum and other experts advocate – organizations (especially government agencies protecting critical data) can turn the tables on attackers. After all, if “humans are your biggest vulnerability,” then empowering humans to resist these attacks is your strongest defense.
Sources: Industry reports and advisories on social-engineering campaigns.