Social engineering is the practice of manipulating people into giving up access or information, rather than breaking through technical controls. It is one of the most common ways real breaches start, because the human layer has no patch. An attacker who can talk a help-desk agent into resetting an account, or convince an employee to approve a login prompt, never has to find a software vulnerability at all. Verizon's annual Data Breach Investigations Report has put the human element in the majority of breaches for years running.
The discipline has a patron saint: Kevin Mitnick, the most famous social engineer there has been. Through the 1980s and 1990s he talked his way into telecom and technology companies with little more than a phone and a convincing story, then spent his later career, until his death in 2023, as a respected security consultant and author. His book The Art of Deception is the text that named the field, and his point throughout it is the thesis of this whole page: the human is the softest target, and it is almost always cheaper to ask than to hack. His pursuit and capture were dramatised in the 2000 film Takedown (released on US home video as Track Down); liberties and all, including the ones Mitnick himself objected to, it remains one of my favourite films, and it is the rare hacker movie that gets the social-engineering tradecraft more right than the keyboard-mashing.
This is the companion map to the web application security vulnerabilities taxonomy. That one covers code-layer attacks (SQL injection, XSS, RCE) where the bug is in the software. This one covers the human layer, where the bug is in the process, the trust, or the verification step. Every section is a single technique with a one-paragraph summary and, where one exists, a link to a real breach it caused.
A note on framing, the same one I use for the code-layer map: I cover how each attack works and how to defend against it with equal weight. You cannot train people against a technique you cannot describe, and you cannot design a verification process that resists pretexting if you have never watched a good pretext walk straight through a weak one.

The breaches, on a timeline
The fastest way to understand how the human layer gets attacked is to look at what actually happened. Each of these started with a person, not a software bug, and together they trace the modern playbook from a phone call to a ransomware outage.
Vishing 2020: Twitter account hijack
Phone spear-phishing of employees reached Twitter's internal admin tool and seized the accounts of Obama, Musk, Apple, and more.
Support vishing 2021: Robinhood
A phoned-in pretext to a customer-support employee exposed data on roughly 7 million people.
Stolen credential 2021: Colonial Pipeline
One leaked VPN password with no multi-factor authentication shut down the largest fuel pipeline in the US.
MFA fatigue 2022: Uber
Push-bombing plus a WhatsApp pretext got an attacker in, then a hardcoded admin password in a script opened up broad internal access.
Help-desk pretext 2023: MGM and Caesars
A single call to the IT help desk reset an employee's access and led to a roughly $100 million ransomware outage.
Five breaches, four techniques, not one software exploit between them. The rest of this page is the full taxonomy behind that pattern.
The shape of the map
I group these by the channel the attacker uses and the lever they pull:
| Family | The lever | Techniques |
|---|---|---|
| Bulk deception | Volume and a plausible message | Phishing, smishing |
| Targeted deception | Research and a tailored pretext | Spear-phishing, whaling, vishing, pretexting |
| Trust-process abuse | A help desk or support flow that resets access | Help-desk impersonation, MFA fatigue |
| Identity and money | Authority and urgency | Business email compromise, SIM swapping |
| Physical and incentive | Curiosity, greed, politeness | Baiting, quid pro quo, tailgating |
The throughline is that none of these are technical exploits. They are abuses of how people and processes are built to be helpful, trusting, and fast.
Bulk deception
Phishing
The attacker sends a message, almost always email, that impersonates a trusted party and drives the target toward an action: click a link to a credential-harvesting page, open a malicious attachment, or approve a request. Phishing is the broad base of the pyramid because it scales infinitely and costs nothing. Most phishing is opportunistic and low-quality, but it only has to work once. It remains a leading initial-access and credential-theft vector, and a common delivery vehicle for ransomware. The defence is layered: email authentication (SPF, DKIM, DMARC), link and attachment filtering, phishing-resistant multi-factor authentication so a stolen password is not enough, and user training that is measured, not just delivered.
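The email-authentication layer mentioned above is only as strong as the records a domain actually publishes, and a surprising number of domains publish SPF with `+all` or DMARC with `p=none`, which monitor spoofing without blocking it. The following is an added example, not code from the original page: it classifies a domain's SPF and DMARC posture from its TXT records. DNS lookups are replaced by a constructed in-memory table (`SAMPLE_TXT`, invented domains under `.example`) so it runs offline; a real check would fetch the records with a resolver library.

```python
"""Classify a domain's SPF and DMARC posture from its DNS TXT records.

Added example, not code from the original page. The DNS data below is
constructed; swap lookup_txt() for a real resolver to check live domains.
"""
import re

# Constructed sample TXT records (not real domains' DNS data).
SAMPLE_TXT = {
    "strong.example":          ["v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all"],
    "_dmarc.strong.example":   ["v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100"],
    "weak.example":            ["v=spf1 include:_spf.mail.example +all"],
    "_dmarc.weak.example":     ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "partial.example":         ["v=spf1 a mx ~all"],
    "_dmarc.partial.example":  ["v=DMARC1; p=quarantine; pct=50"],
    "missing.example":         [],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query (assumption: replace with a real resolver)."""
    return SAMPLE_TXT.get(name, [])


# The 'all' mechanism with its optional qualifier, as a standalone term.
SPF_ALL_RE = re.compile(r"(?:^|\s)([+\-~?])?all(?:\s|$)")


def spf_posture(domain):
    """Return 'none', 'pass-all', 'neutral', 'softfail' or 'hardfail'."""
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if len(records) != 1:  # zero or several SPF records are both invalid (RFC 7208 s4.5)
        return "none"
    m = SPF_ALL_RE.search(records[0])
    if not m:
        return "neutral"  # no 'all' term: senders not listed get a neutral result
    qualifier = m.group(1) or "+"
    return {"+": "pass-all", "?": "neutral", "~": "softfail", "-": "hardfail"}[qualifier]


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_posture(domain):
    """Return (policy, pct, has_aggregate_reporting); policy 'absent' if no record."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if len(records) != 1:
        return ("absent", 0, False)
    tags = parse_dmarc(records[0])
    return (tags.get("p", "none").lower(), int(tags.get("pct", "100")), "rua" in tags)


def assess(domain):
    """Combine SPF and DMARC into a coarse spoofability rating with findings."""
    spf = spf_posture(domain)
    policy, pct, reporting = dmarc_posture(domain)
    findings = []
    if spf in ("none", "pass-all", "neutral"):
        findings.append(f"SPF does not fail unauthorised senders ({spf})")
    elif spf == "softfail":
        findings.append("SPF uses ~all; enforcement depends on the DMARC policy")
    if policy == "absent":
        findings.append("no DMARC record: receivers have no policy to apply")
    elif policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported, not blocked")
    elif pct < 100:
        findings.append(f"DMARC applies {policy} to only {pct}% of failing mail")
    if not reporting:
        findings.append("no aggregate reporting (rua), so spoofing attempts go unseen")
    if spf in ("none", "pass-all", "neutral") or policy in ("absent", "none"):
        rating = "spoofable"
    else:
        rating = "partial" if findings else "enforced"
    return {"domain": domain, "spf": spf, "dmarc": policy, "pct": pct,
            "rating": rating, "findings": findings}


if __name__ == "__main__":
    for d in ("strong.example", "weak.example", "partial.example", "missing.example"):
        r = assess(d)
        print(f"{d}: {r['rating']} (spf={r['spf']}, dmarc={r['dmarc']}, pct={r['pct']})")
        for f in r["findings"]:
            print("  -", f)
```

The point of the rating is that SPF and DMARC only help together: a hard-fail SPF record with no DMARC policy still lets a spoofed From header through, because SPF checks the envelope sender, not the address the user sees.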
Smishing
Phishing over SMS. The same playbook (impersonate a bank, a courier, an IT department, drive a click to a fake login page) moved to text messages, where there is no sender authentication, links are shortened and hard to inspect, and people are reading on a small screen in a hurry. Smishing rose sharply as MFA codes moved to SMS, because a single convincing text can harvest both a password and the one-time code. The defence is to treat any link in an unexpected text as hostile, and to move off SMS for authentication wherever an app-based or hardware option exists.
Targeted deception
Spear-phishing and whaling
Phishing aimed at a specific person, built from research. The attacker reads the target's LinkedIn, learns their manager's name, their projects, their vendors, and crafts a message that fits the target's world precisely enough to bypass suspicion. Whaling is spear-phishing aimed at executives, where the payoff (wire authority, sensitive data, board access) justifies the effort. Spear-phishing is how most targeted intrusions begin, because a tailored message defeats the "would I expect this?" instinct that catches bulk phishing.
Vishing (voice phishing)
The attack moves to the phone. The attacker calls the target, or gets the target to call them, and uses a live human voice to build trust and pressure in real time, which a static email cannot. Vishing is devastating against help desks and support staff, whose entire job is to be helpful to a stranger who claims to be a colleague or customer in trouble. The 2020 Twitter hack began with phone spear-phishing of employees, and the 2023 MGM breach began with a single phone call to the IT help desk. The defence is procedural, not technical: a verification process the agent must follow that a friendly, urgent voice cannot talk them out of.
Pretexting and help-desk impersonation
Pretexting is the fabricated scenario that makes the request plausible: "I'm the new contractor and I'm locked out before a big demo," "this is the CEO's assistant and he needs this now." Help-desk impersonation is pretexting aimed at the one team built to reset credentials and MFA for people who are locked out. If the verification is knowledge-based (date of birth, employee ID, last four of an SSN, all of which an attacker can find or buy), it is not verification, it is a quiz the attacker has the answer key to. This is one of the most abused processes in modern intrusions. The MGM and Caesars breaches both ran through the help desk, and the Robinhood breach was a support-tool compromise via a phoned-in pretext. The Uber breach used a related IT-support pretext over WhatsApp, paired with MFA fatigue.
Trust-process abuse
MFA fatigue (push bombing)
When an account is protected by push-notification MFA, an attacker who already has the password triggers login attempt after login attempt, flooding the victim's phone with approval prompts until they tap "approve" out of annoyance, confusion, or to make it stop. It works because the prompt asks a yes/no question with no context, and because people are conditioned to approve prompts. The Uber breach is the canonical case: dozens of pushes, then a WhatsApp message posing as IT telling the contractor to just approve one. The defence is to kill the blind yes/no prompt: number matching (the user types a number shown on the login screen), or, better, phishing-resistant FIDO2 hardware keys that cannot be push-bombed at all.
SIM swapping
The attacker convinces a mobile carrier to port the victim's phone number to a SIM the attacker controls, usually through vishing or a bribed insider. Every SMS one-time code, every "we texted you a link to reset" then flows to the attacker. SIM swapping is what makes SMS a weak second factor: the factor is the phone number, and the phone number can be stolen with a phone call to the carrier. It is the standard precursor to high-value account takeovers, especially crypto. The defence is to remove SMS from the authentication path entirely, add a carrier port-out PIN, and use app or hardware factors.
Identity and money
Business email compromise (BEC)
The attacker either compromises or convincingly spoofs a trusted email account (an executive, a vendor, a finance contact) and uses it to redirect money or data. The classic version: a finance employee receives an email that looks like it is from the CEO or a known supplier, instructing an urgent wire transfer to a new account. There is no malware and often no link, just authority, urgency, and a changed bank account, which is what lets BEC sail past technical filters. BEC is consistently among the costliest categories of cybercrime by dollar losses, far exceeding ransomware in aggregate. The defence is a human control: out-of-band verification (call a known number, never the one in the email) for any payment change or unusual transfer.
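Because BEC carries no malware, the technical signals it does leave are in the headers: a display name that embeds an address the attacker does not control, a Reply-To that quietly steers replies to a different domain, and lookalike domains a character away from a real vendor or employer. The following is an added example, not code from the original page: a header heuristic a mail gateway or mailbox sweep could apply. The messages, the `KNOWN_DOMAINS` allow-list and the urgency word list are constructed assumptions; the checks are a support for the out-of-band verification described above, not a replacement for it.

```python
"""Header heuristics for business-email-compromise style messages.

Added example, not code from the original page. The messages, domains and
allow-list are constructed; the checks only surface a message for the
out-of-band verification step, they do not decide on their own.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains finance genuinely exchanges mail with.
KNOWN_DOMAINS = {"acme-supply.example", "corp.example"}
# Constructed pressure vocabulary seen in the subject line.
URGENCY_WORDS = ("urgent", "immediately", "today", "wire", "new account")

# Constructed sample 1: lookalike sender domain plus an address hidden in the display name.
SUSPICIOUS_MESSAGE = """\
From: "Jane Doe jane.doe@corp.example" <jane.d@c0rp.example>
Reply-To: jane.d@c0rp.example
To: finance@corp.example
Subject: Urgent wire - supplier changed bank account
Date: Mon, 14 Mar 2022 09:12:00 +0000

Please process the attached invoice today; the supplier changed banks.
"""

# Constructed sample 2: genuine-looking From, but replies go to a webmail domain.
REPLY_TO_MESSAGE = """\
From: "Jane Doe" <jane.doe@corp.example>
Reply-To: jane.doe.ceo@webmail.example
To: finance@corp.example
Subject: Urgent: need a favour
Date: Mon, 14 Mar 2022 09:40:00 +0000

Are you at your desk? I need a transfer handled quietly.
"""

# Constructed sample 3: ordinary internal mail.
LEGIT_MESSAGE = """\
From: "Jane Doe" <jane.doe@corp.example>
To: finance@corp.example
Subject: Q1 budget review
Date: Mon, 14 Mar 2022 10:00:00 +0000

Slides attached for Thursday.
"""


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain, known=KNOWN_DOMAINS, max_distance=2):
    """Return the known domain this one imitates, or None if exact or unrelated."""
    if not domain or domain in known:
        return None
    best = min(known, key=lambda k: edit_distance(domain, k))
    return best if edit_distance(domain, best) <= max_distance else None


def analyse(raw):
    """Run the header checks and return the findings for one message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []
    if "@" in from_name:
        findings.append(f"display name embeds an address: {from_name!r}")
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        target = lookalike_of(dom)
        if target:
            findings.append(f"{label} domain {dom} looks like known domain {target}")
    subject = msg.get("Subject", "").lower()
    urgent = [w for w in URGENCY_WORDS if w in subject]
    if urgent and findings:  # urgency alone is normal; with a header anomaly it sharpens the signal
        findings.append(f"urgency language in subject: {', '.join(urgent)}")
    return {"from": from_addr, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("reply-to", REPLY_TO_MESSAGE),
                      ("legit", LEGIT_MESSAGE)):
        r = analyse(raw)
        print(f"{name}: from={r['from']} suspicious={r['suspicious']}")
        for f in r["findings"]:
            print("  -", f)
```

A genuinely compromised account (the other half of BEC) produces none of these header anomalies, which is exactly why the control that holds is a callback to a known number for any bank-detail change, regardless of how clean the message looks.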
Physical and incentive
Baiting, quid pro quo, and tailgating
The long tail of in-person and incentive-based techniques. Baiting leaves a temptation (a USB drive labelled "Payroll" in the parking lot, a free download) that delivers malware when taken. Quid pro quo offers a fake benefit (free IT support, a gift card survey) in exchange for access or credentials. Tailgating is simply following an authorised person through a secure door, relying on politeness to defeat the badge reader. These are lower-volume than phishing but bypass every email control, because they never touch email. The defence is culture and physical procedure: badge discipline, no unknown USB devices, and a workforce comfortable challenging a stranger.
How to defend the human layer
The mistake is treating social engineering as a training problem alone. Training helps, but people will always sometimes be fooled, so the controls that actually hold are the ones that limit what a fooled person can do.
- Phishing-resistant MFA. FIDO2 hardware keys or passkeys defeat phishing, MFA fatigue, and SMS interception in one move, because there is no code to phish and no blind prompt to spam. This is the highest-leverage control on this page.
- Verification that does not rely on secrets an attacker can buy. Help-desk identity checks should use a callback to a known number, a manager confirmation, or a hardware token, never knowledge-based questions.
- Least privilege and just-in-time access. A compromised account should reach as little as possible. The Twitter and Uber breaches both turned a single foothold into god-mode because the internal tooling and stored secrets were too reachable.
- Out-of-band verification for money. Any payment or bank-detail change gets confirmed on a separate, known channel.
- Measured training. Run simulated phishing, measure the click and report rates, and treat a rising report rate (people flagging it) as the real success metric, not a falling click rate alone.
What the case studies look like
Each social-engineering breach on this site follows the same structure as the code-layer ones: what happened, the exact attack chain, the human or process failure that made it work, the cost, and the specific lessons. The five anchored here are the 2020 Twitter hack (vishing to internal admin tools), the MGM and Caesars breaches (help-desk pretexting to ransomware), the Uber breach (MFA fatigue plus a WhatsApp pretext), the Robinhood breach (a phoned-in support-tool compromise), and the Colonial Pipeline attack (a single leaked VPN password with no MFA).
Where to go next
The code-layer companion to this map is the web application security vulnerabilities taxonomy, covering the software-bug side of the same goal. For the breaches themselves, start with the 2020 Twitter hack, the clearest example of how vishing plus over-powered internal tools becomes a global incident, then the Uber and MGM breaches for the modern help-desk and MFA-fatigue playbook.
Further reading and viewing
The figure who defined this field is worth meeting in his own words:
- Ghost in the Wires, Kevin Mitnick's memoir of his years as the most-wanted hacker. The best narrative account I know of social engineering as it actually plays out, call by call.
- The Art of Deception, his field guide to the techniques on this page, taught through fictionalised case studies that map almost one-to-one onto the breaches above.
- Takedown, also released as Track Down, the 2000 dramatisation of his pursuit and capture. A flawed film that Mitnick himself disputed, but a rare one that takes the social-engineering tradecraft seriously rather than treating hacking as frantic typing.
Sources
Authoritative references this article was fact-checked against.
- Verizon Data Breach Investigations Report (DBIR), verizon.com
- MITRE ATT&CK, Phishing (T1566), attack.mitre.org
- CISA, Avoiding Social Engineering and Phishing Attacks, cisa.gov