Social engineering is a hot topic in information security. Even articles published as recently as a couple of years ago have many citations.
But how much of it is hype? This is not to say social engineering does not work; clearly it does in some notable cases. But I believe the success or efficacy of social engineering has been greatly exaggerated by folklore and the media. The same goes for spear phishing, a type of social engineering attack aimed at a single, typically high-profile or wealthy, target.
As the narrative goes, smooth-talking threat actors can gain their way into the highest echelons of corporations just by wooing the management or other staff to let them in. Or ‘SIM swappers’ convincing low-paid store employees of phone carriers, such as AT&T, to unlock victims’ phones, for instance to steal cryptocurrency.
But has anyone ever done a comprehensive analysis of its efficacy? How gullible or easily misled are employees really? I suspect it does not work nearly as well as the hype would suggest. I posit that the claimed efficacy of social engineering is mostly due to recency and publication bias. That is, successful social engineering attacks that involve notable incidents get a lot of media coverage, but this overlooks all the failed attempts.
In the context of organized crime, social engineering has the obvious downside of creating another witness and a long paper trail. It is also time-consuming: it requires making phone calls or sending emails and following up, scouring databases of employee addresses for targets, and preparing customized scripts. Long stretches of trying to find victims mean no pay and rising expenses. It is not the sort of thing that can be automated at scale, unlike, say, port scanning.
For those reasons, threat actors will likely employ social engineering as a last resort, not as the preferred way to gain entry into an organization or to commit cybercrime in general. More investigation needs to be done into this.