How Fraudsters Exploit Social Engineering Online.

A technical analysis of the psychology, automation, and detection details of attacks of online manipulation. In September 2023, a Slack message was received by a security engineer with a large US-based technology company because someone claiming to be a coworker in the IT department sent it to the individual. The message mentioned a real internal system by name, used the right internal vocabulary, and was delivered at 4:47 PM on a Friday, when attention is the lowest and the need to finalize things before the weekend is the greatest. The notification requested the engineer to authorize a regular MFA reset on a locked-out colleague. The engineer approved it. In forty minutes, the attacker had moved through 3 internal systems and stolen source code on a private repository. The attacker had not decrypted even a single piece of cryptography. They had not taken advantage of a computer bug. They had just known human psychology too well to model it and to automate it at scale. This is social