← All sample lessons

Shared lesson

Understanding Social Engineering: Hacking the Human

60 min · 1.1

Objective

Students will identify and classify social engineering techniques (phishing, spear phishing, pretexting, vishing, smishing, baiting, tailgating) in realistic scenarios, explain the psychological principle each exploits, and map the attack to the CIA triad element it threatens.

Hook

5 min

Open with the 2020 Twitter Bitcoin hack. Tell students: on July 15, 2020, attackers took over the Twitter accounts of Barack Obama, Elon Musk, Joe Biden, Apple, and Uber and tweeted a Bitcoin scam that netted about $118,000 in a few hours. Ask: what tool do they think the attackers used — a zero-day exploit? A password cracker? Take 2–3 guesses, then reveal: attackers called Twitter employees on the phone, pretended to be internal IT, and talked them into entering their credentials on a fake VPN login page. No malware. No exploit. Just a phone call. Ask the class: 'If Twitter's engineers fell for it, what does that tell us about who is vulnerable?' Land the point: the attack surface today is human, and this course starts there.

Direct instruction

  1. 5m

    Defining social engineering and the human attack surface

    Content

    Social engineering is the practice of manipulating people, rather than exploiting software, to gain unauthorized access, information, or actions. Every organization has two attack surfaces: a technical one (servers, code, network) and a human attack surface — every employee who can be persuaded to click, share, or open a door. In the 2023 MGM Resorts breach, attackers spent about 10 minutes on the phone with the IT help desk impersonating an employee whose profile they'd scraped from LinkedIn; MGM lost an estimated $100 million. There was no software vulnerability — the vulnerability was a help-desk process that trusted a voice. Frame this against the CIA triad: confidentiality (attackers read data they shouldn't), integrity (they alter records, send tweets, wire money), availability (ransomware locks systems). Social engineering can compromise all three, starting from one human decision.

    Delivery

    Emphasize the phrase 'the human attack surface' — students will hear it again in every unit. The slide shows the attack lifecycle diagram (reconnaissance → pretext creation → contact → exploitation → exit); walk through it using MGM as the concrete example: LinkedIn scraping = reconnaissance, 'I'm Bob from finance and I'm locked out' = pretext, phone call = contact, password reset = exploitation. Pre-empt the misconception right here: ask 'How much technical skill did the MGM attackers need?' Correct answer — almost none. The tool was a phone. Cybersecurity is not just a coding problem.

  2. 6m

    The psychological levers: authority, urgency, scarcity, trust, reciprocity

    Content

    Attackers don't hack computers; they hack cognitive shortcuts. Robert Cialdini's influence principles map directly onto social engineering. Authority: people comply with perceived legitimate power — 'This is the CFO, I need this wire sent now.' Urgency and scarcity: a tight deadline suppresses careful thinking — 'Your account will be locked in 15 minutes.' Trust and liking: people help those who seem familiar, friendly, or from the same in-group — 'Hey, it's Sarah from the Denver office.' Reciprocity: a small favor creates a felt obligation — an attacker holds a door open for you, then asks you to hold one for them. Fear works with urgency ('IRS is filing suit'), and curiosity powers baiting ('Q4_Layoffs.xlsx'). These levers work because they exploit System-1 thinking — fast, automatic decisions — before System-2 analytical thinking can kick in. That's why training matters: it forces a pause.

    Delivery

    The slide shows a quadrant chart mapping channels (email, SMS, voice, physical) against the psychological principle each typically exploits — walk through one cell per corner (email × urgency = phishing deadline; voice × authority = CFO fraud; SMS × scarcity = 'last chance' delivery text; physical × reciprocity = tailgating with coffee). Ask students to name a time they felt an urgency lever pushed on them (Amazon 'only 2 left,' TikTok limited drops). This normalizes the idea that these levers work on smart people — head off the misconception that 'only careless people fall for this.' Well-trained professionals are targeted precisely because they have access.

  3. 5m

    The channels: phishing, spear phishing, vishing, smishing, baiting, tailgating, pretexting

    Content

    Social engineering is delivered across every channel humans use. Phishing is broad-cast email — one message blasted to thousands, playing the odds. Spear phishing is personalized: the attacker has researched one specific target and references their real projects, coworkers, or vendors. Whaling is spear phishing aimed at executives. Vishing is voice-based (MGM, Twitter 2020). Smishing is SMS-based — the 'USPS package undeliverable' texts everyone gets. Baiting uses an enticing object — the classic dropped-USB-drive attack, where an attacker leaves labeled USB sticks in a parking lot; a 2016 University of Illinois study found 45% of dropped drives were plugged in. Tailgating is physical — following an authorized person through a badge door. Pretexting isn't a channel — it's the fabricated story that runs through all of them: the invented identity and reason for asking. Every real attack combines a channel with a pretext and one or more psychological levers.

    Delivery

    The slide displays the channel × principle quadrant chart. Move fast — this is a taxonomy, not a deep dive; the activity will exercise it. Do drill the distinction between phishing and spear phishing hard, because students conflate them: phishing is spam-scale and generic ('Dear Customer'), spear phishing is a sniper shot with your real name, real boss, real project. Show the difference with two example subject lines: phishing = 'Your Netflix subscription has expired'; spear phishing = 'Re: Draft budget for the Henderson account — quick question before your 2pm.'

  4. 4m

    Mapping social engineering to the CIA triad

    Content

    Every social engineering outcome damages one or more parts of the CIA triad. A credential-harvesting phishing page that captures a user's Office 365 password breaks confidentiality — an unauthorized party can now read email. A business-email-compromise attack that convinces accounts payable to redirect a wire transfer breaks integrity — the transaction record is falsified. A vishing call that tricks a help-desk agent into resetting an admin's MFA can enable a ransomware deployment that breaks availability — the entire hospital's systems go offline. The 2020 Universal Health Services ransomware, which started with phishing, took 400 hospitals offline for weeks — a pure availability attack rooted in a human decision. Learning to name which leg of the triad an attack threatens is how AP graders and real analysts think about impact.

    Delivery

    This is the analytical move students will do on the exam. Give them a quick call-and-response: 'Attacker steals your password and reads your email — which leg?' (Confidentiality.) 'Attacker changes the wire routing number — which leg?' (Integrity.) 'Attacker deploys ransomware — which leg?' (Availability.) Emphasize that one attack can hit multiple legs; the AP-quality answer names the primary impact and justifies it.

Activities

  1. 18m

    Phishing Forensics: Annotate Four Real-Style MessagesLab

    Students work in pairs. Each pair receives the four messages below and annotates every red flag they find, then classifies each message by (a) channel, (b) technique (phishing / spear phishing / vishing transcript / smishing / baiting), (c) primary psychological lever, and (d) primary CIA triad element at risk. Pairs then share one message with the class in the last 4 minutes. Walk around and check: are students catching the domain-lookalike tricks (rn vs m, .co vs .com, subdomain deception like paypal.security-verify.com)? Are they distinguishing phishing from spear phishing based on personalization, not just quality? Student handout: Message 1 — Email From: IT-Support <it-suport@companymail-verify.com> To: all-staff@company.com Subject: URGENT: Mailbox will be deactivated in 24 hours Dear User, Our records indicate your mailbox has exceeded its storage quota and will be deactivated within 24 hours if action is not taken. To retain access, please verify your credentials immediately by clicking below. [Verify My Account] → http://companymail-verify.com/login Failure to act will result in permanent loss of email. Thank you, IT Support Team Message 2 — Email From: Marcus Chen <marcus.chen@nothernrail-consulting.com> To: jamie.rivera@acme-logistics.com Subject: Re: Henderson RFP — one quick change before Thursday Hi Jamie, Great call yesterday. I made the edits to section 4 of the Henderson RFP we discussed and attached the revised version. Can you review before your 2pm with Dana? I need your sign-off tonight so procurement can lock it in. Attachment: Henderson_RFP_v3_FINAL.docm Thanks, Marcus Message 3 — SMS From: +1 (747) 227-0413 'USPS: Your package #1Z884A cannot be delivered due to an incomplete address. Please update within 12 hours to avoid return to sender: usps-redelivery.info/verify' Message 4 — Vishing transcript Caller: 'Hi, this is David from Cisco Premium Support. We've detected malicious outbound traffic from your workstation — it looks like your machine may be part of a botnet. I need to remote in and quarantine it before it spreads to the rest of your network. Can you go to fastsupport-remote.com and give me the 6-digit code on the screen? We need to move quickly — if this hits your file server, you're looking at a full rebuild.' Expected classifications (for teacher reference): - Message 1: email · phishing · urgency + authority · confidentiality (credential harvest). Red flags: misspelled 'suport,' lookalike domain, generic greeting, mismatched link, 24-hour deadline. - Message 2: email · spear phishing · trust/familiarity · integrity + confidentiality. Red flags: lookalike domain 'nothernrail' (missing 'r'), .docm macro-enabled file, references to real project (recon), assumed rapport ('great call yesterday'). - Message 3: SMS · smishing · urgency + curiosity · confidentiality. Red flags: unknown number, sketchy TLD .info, 12-hour deadline, USPS doesn't text unsolicited. - Message 4: voice · vishing (with pretexting) · authority + fear + urgency · availability + confidentiality. Red flags: unsolicited call, cold remote-access request, fear escalation, unverified 'Cisco' identity.

    Materials

    • Student computers with a text editor or Google Docs
    • Printed or digital copy of the four messages below
    • Highlighters or digital annotation tool
    Example outputs
    • Message 1 annotated: 'URGENT' + 24-hour deadline = urgency lever; 'it-suport' misspelling and 'companymail-verify.com' domain = spoofed sender; generic 'Dear User' = broad-cast phishing (not spear phishing); goal = credential harvesting → confidentiality breach.
    • Message 2 annotated: sender domain 'nothernrail' is missing an 'r' from 'northernrail'; .docm attachment executes macros; references a real project name = reconnaissance done; leverages trust; classified as spear phishing threatening integrity (falsified RFP) and confidentiality (macro payload).
  2. 8m

    Rewrite Attack → Legitimate: The Discriminator TestLab

    Pairs pick Message 1 OR Message 2 from the Phishing Forensics activity and rewrite it as a legitimate version of the same communication that the real IT department or real vendor would actually send. They must then produce a bulleted list of every change they made and label WHY each change removes a manipulation signal. The goal is that by rewriting, students internalize the discriminator features of a legitimate message vs. a manipulative one. Debrief: ask two pairs to project their rewrites and defend the changes. Push back if a change is cosmetic ('I fixed the typo') without addressing the underlying manipulation — the point is not spelling, it's structural signals of legitimacy (verified sender domain, no artificial deadline, no credential prompt via link, an out-of-band verification path). Expected discriminator changes for Message 1: sender becomes it-support@company.com (real primary domain, not a lookalike); greeting uses the recipient's actual name; removes 24-hour countdown; does not ask for credentials via a link, instead directs user to log in through the normal portal they already know or to contact the help desk at a published extension; removes 'URGENT' framing.

    Materials

    • Student computers
    • Message 1 or Message 2 from the previous activity
    Example outputs
    • Legitimate rewrite of Message 1: sender = it-support@company.com; greeting = 'Hi Jamie,'; body notes storage is at 92% and asks user to clean up at their convenience over the next two weeks, with a link to internal documentation on how to archive; no credential entry, no countdown, signed with a named person + extension. Change list: (1) fixed sender to real primary domain — no lookalike spoofing; (2) removed 24-hour deadline — no artificial urgency; (3) removed credential-entry link — legitimate IT never asks you to re-enter your password via email link; (4) named a real person with a callback number — enables out-of-band verification.
    • Legitimate rewrite of Message 2: sender = marcus.chen@northernrail-consulting.com (correct spelling); attachment is .pdf not .docm; body references the shared project folder path instead of an inline attachment; asks Jamie to reply confirming she received it. Change list: (1) correct sender domain — no typosquatting; (2) non-executable file type — .pdf can't run macros; (3) uses known shared drive — leverages existing trusted channel, not a new attachment; (4) invites reply-confirmation — creates a verification loop.

Formative assessment

9 min
  1. A hospital's accounts-payable clerk receives a phone call. The caller says: 'This is Dr. Patel's assistant — Dr. Patel is in surgery and needs the vendor payment to Meditech pushed today. He asked me to give you the new routing number: 021000021, account 4471998. Can you make the change now? He's going to be furious if this is late again.' Which social engineering technique is described, and which CIA triad element is primarily threatened? A) Smishing; Availability B) Vishing with pretexting; Integrity C) Baiting; Confidentiality D) Tailgating; Availability

    multiple choiceB) Vishing with pretexting; Integrity. It's a phone call (vishing) with a fabricated identity/story (pretexting as Dr. Patel's assistant), using authority + urgency + fear of anger. The primary CIA impact is Integrity — the attacker is altering the transaction record by changing the routing number, causing funds to be sent to the wrong account. (Confidentiality is a defensible secondary answer if justified, but the direct outcome is a falsified payment.)
  2. Explain in 2–4 sentences why the 'authority' principle is such an effective lever in social engineering. Give one concrete example of an attacker using authority, and identify which CIA element is most likely at risk.

    short answerAuthority works because humans are trained from childhood to comply with legitimate power (bosses, doctors, police, IT) without demanding proof — questioning authority feels socially costly and slow. Attackers exploit this by impersonating someone with organizational power so the target complies before verifying. Example: an attacker calling the help desk claiming to be the CFO who needs an urgent password reset for an offsite meeting. Primary CIA risk: confidentiality (the attacker gains access to email/systems and can read protected data) — with integrity as a secondary risk if they then send fraudulent messages from that account.
  3. A colleague forwards you an email and asks whether it's phishing or spear phishing. The email is addressed to her by name, references her direct manager, mentions the Q3 client audit she is actually running, and comes from an address that looks almost identical to her manager's — one letter is different. List three concrete indicators that drove your classification and state which classification you chose.

    short answerClassification: spear phishing. Indicators: (1) The message is personalized to one specific target — uses her name, not 'Dear User' — which requires per-target reconnaissance; (2) It references real, internal, non-public context (her manager by name, the Q3 client audit she is actually running) — the attacker has done recon on her role and current work; (3) The sender is a lookalike domain of her real manager (typosquatting) — a targeted impersonation of a known trusted party, not a broad-cast spoof. Generic phishing would use a mass greeting, no personal context, and impersonate a well-known brand rather than a specific coworker.

Vocabulary

social engineering
The practice of manipulating people — not software — into revealing information, granting access, or taking actions that compromise security.
phishing
A broad-cast fraudulent message (usually email) designed to trick many recipients into clicking a malicious link, opening a file, or handing over credentials.
spear phishing
A phishing attack researched and personalized for one specific target, using their name, role, coworkers, or current projects to appear legitimate.
pretexting
Building a fabricated backstory or role (e.g., IT technician, auditor, delivery driver) to justify a request and lower the target's suspicion.
vishing
Voice-based social engineering conducted over a phone call, often spoofing caller ID to appear as a bank, help desk, or executive.
smishing
SMS/text-message social engineering, typically using a short urgent message and a shortened link to a credential-harvesting page.
baiting
Leaving or offering something enticing — a USB drive, a free download, a gift card link — that delivers malware or captures credentials when used.
tailgating
Following an authorized person through a physical access point (a badge-locked door) without presenting credentials, often aided by social cues like carrying boxes.
credential harvesting
The end goal of many social engineering attacks: capturing usernames, passwords, MFA codes, or session tokens for later use.
CIA triad
The three core security properties — Confidentiality (who can read data), Integrity (data is unaltered), Availability (systems are reachable when needed).

Common misconceptions

  • 'Social engineering requires advanced hacking tools.' Wrong — the MGM 2023 attack and the 2020 Twitter Bitcoin hack both used ordinary phone calls with no malware. The 'tool' is a convincing story plus knowledge of human trust cues. Coding skill is largely irrelevant to most successful social engineering.
  • 'Phishing only arrives by email.' Wrong — phishing is a family that includes smishing (SMS), vishing (voice), and in-person pretexting. Attackers pick the channel where the target is least defended; SMS and voice often bypass corporate email filters entirely.
  • 'Only careless or uneducated people fall for social engineering.' Wrong — attackers deliberately target well-trained employees with high access (help-desk staff, sysadmins, finance officers, executive assistants) because the payoff is larger. The 2020 Twitter attack succeeded against engineers with security training. Everyone is vulnerable under the right pretext, especially under time pressure.
  • 'Spear phishing is just higher-quality phishing.' Wrong — the difference is targeting and reconnaissance, not polish. Phishing is broad-cast (millions of generic emails); spear phishing is one message crafted for one target using their real name, coworkers, projects, and vendors. A well-written phishing email is still phishing if it's sent to thousands; a plain-text email is still spear phishing if it references your specific pending RFP.

Materials checklist

  • Student computers with browser + text editor (Google Docs or similar)
  • Projector for slide deck
  • Printed or digital copies of the four Phishing Forensics messages (one per pair)
  • Highlighters (if using printed handouts)
  • Timer visible to the class