---
id: wiki-2026-0508-social-engineering
title: Social Engineering
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [Social Engineering Attacks, Human-Layer Attack, Phishing Family]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, threat-model, phishing, awareness]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: english
  framework: security
---

# Social Engineering

## One line

> **"Every attack exploits the weakest link: the human. Manipulating the human layer is cheaper than hardening the tech stack."**

The phishing, vishing, pretexting and baiting family. In 2026, LLM-generated voice clones and deepfake video have industrialized this attack vector. SOC 2 / ISO 27001 mandate awareness training.

## Core

### Attack vectors

- **Phishing** (email): bulk credential harvest.
- **Spear-phishing**: targeted, OSINT-backed.
- **Vishing** (voice): the era of LLM voice clones.
- **Smishing** (SMS): package delivery, bank scam.
- **Pretexting**: impersonation (CEO fraud, IT helpdesk).
- **Baiting**: USB drop, malicious download.
- **Tailgating**: physical access.

### Psychological levers (Cialdini)

- Authority (CEO impersonation).
- Urgency ("account locked, act now").
- Scarcity ("last chance").
- Reciprocity ("free gift").
- Social proof ("colleagues already responded").
- Liking (rapport building).

### Application (defense)

1. MFA (phishing-resistant: FIDO2/passkey).
2. SPF/DKIM/DMARC for email authentication.
3. Awareness training + simulated phishing.
4. Approval workflow for wire transfers (out-of-band verification).
5. Zero trust + least privilege to limit the blast radius.

## 💻 Patterns

### DMARC enforce policy

```dns
_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
```

### Phishing simulation framework (gophish API)

```python
import requests

api = "https://gophish.local/api"
headers = {"Authorization": "Bearer TOKEN"}  # gophish API key

# A gophish campaign references a template, a landing page and an SMTP
# sending profile by name, plus the target groups.
campaign = {
    "name": "Q2 Awareness",
    "template": {"name": "Fake-IT-Reset"},
    "url": "https://landing.local",
    "page": {"name": "IT-Reset-Landing"},
    "smtp": {"name": "Internal-Relay"},
    "groups": [{"name": "All-Employees"}],
}
resp = requests.post(f"{api}/campaigns/", json=campaign, headers=headers, timeout=10)
resp.raise_for_status()  # fail loudly instead of silently launching nothing
print(resp.json()["id"])
```

### FIDO2 WebAuthn (phishing-resistant)

```typescript
// challenge, id, email and name come from the server-side registration ceremony.
const credential = await navigator.credentials.create({
  publicKey: {
    challenge: serverChallenge,                      // ArrayBuffer, random per ceremony
    // rp.id binds the credential to this origin; a lookalike phishing
    // domain cannot invoke it, which is the phishing-resistance property.
    rp: { id: 'example.com', name: 'example.com' },
    user: { id, name: email, displayName: name },    // id is a BufferSource, not a string
    pubKeyCredParams: [{ alg: -7, type: 'public-key' }], // ES256
    authenticatorSelection: {
      userVerification: 'required',
      authenticatorAttachment: 'platform',
    },
  },
});
```

### Wire-transfer out-of-band verification (Slack bot)

```typescript
// generateOTP, sms and db are the note's placeholder helpers.
bot.command('/verify-wire', async ({ command, ack }) => {
  await ack();
  const challenge = generateOTP();
  // Store first, then send: a delivery failure must not leave a dangling code.
  await db.storeChallenge(command.user_id, challenge);
  // user_phone must be resolved from the HR directory, never taken from the request,
  // otherwise the attacker simply supplies their own number.
  await sms.send(command.user_phone, `Wire verify code: ${challenge}`);
});
```

### Email header anomaly detection

```python
from email.utils import parseaddr


def is_suspicious(msg):
    """Flag a parsed email.message.Message on failed auth or sender mismatch."""
    auth = msg.get('Authentication-Results', '')
    if 'spf=fail' in auth or 'dkim=fail' in auth:
        return True
    display, from_addr = parseaddr(msg.get('From', ''))
    # Reply-To is optional: only a present, different address is a signal.
    reply_to = parseaddr(msg.get('Reply-To', ''))[1]
    if reply_to and reply_to.lower() != from_addr.lower():
        return True
    # Display-name spoof: the visible name embeds a different address.
    if '@' in display and display.lower().find(from_addr.lower()) == -1:
        return True
    return False
```

### Deepfake voice detection (2026 ML)

```python
from transformers import pipeline

# Model id as given in this note; substitute the checkpoint actually deployed.
detector = pipeline('audio-classification', model='WavLM-deepfake-2026')


def classify_voice(audio_path):
    # returns e.g. [{'label': 'synthetic', 'score': 0.94}, ...]
    return detector(audio_path)
```

## Decision criteria

| Situation | Approach |
|---|---|
| Email account compromise risk | DMARC reject + FIDO2 MFA |
| Wire transfer fraud (BEC) | Out-of-band callback verification |
| Voice impersonation | Codeword + callback to a known number |
| USB drop | Endpoint policy blocking autorun |
| Insider awareness | Quarterly simulated phishing |

**Default**: FIDO2 passkey + DMARC reject + quarterly training + out-of-band approval for $X+ transfers.

## 🔗 Graph

- Parent: [[Threat-Modeling]] · [[OWASP-Top-10]]
- Variants: [[Phishing]]
- Applications: [[FIDO2]] · [[DMARC]] · [[Zero-Trust-Architecture]]

## 🤖 LLM usage

**When**: threat-modeling the human layer, security training content, BEC playbook.

**When not**: generating actual phishing templates (abuse risk).

## ❌ Anti-patterns

- **SMS-only MFA**: vulnerable to SIM swap; prefer FIDO2.
- **Annual training only**: retention is low; use quarterly training plus simulation.
- **Trusting caller ID**: trivially spoofed; call back on a known number.

## 🧪 Verification / duplicates

- Verified (NIST SP 800-50, Mitnick "The Art of Deception", Verizon DBIR 2025).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: SE attack vectors, Cialdini levers, FIDO2/DMARC defenses |
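Added worked example (not code from the original note) tying together the DMARC enforce-policy and email header anomaly detection patterns above: it parses a DMARC TXT record to confirm it actually enforces, and runs the BEC header checks (auth verdicts, Reply-To domain mismatch, display-name spoof) over two constructed messages. The message texts and domains are constructed samples.

```python
import re
from email import message_from_string

# Constructed sample messages (not real traffic) used to exercise the checks.
MSG_OK = """From: Alice <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
Subject: lunch

See you at noon.
"""
MSG_BEC = """From: "CEO <ceo@example.com>" <ceo@examp1e-mail.test>
Reply-To: ceo.urgent@webmail.test
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-mail.test; dkim=none; dmarc=fail
Subject: urgent wire

Pay the attached invoice today, I am in a meeting.
"""


def parse_dmarc(txt):
    """Split a DMARC TXT record into tag/value pairs: {'v': 'DMARC1', 'p': 'reject', ...}."""
    return dict(kv.split('=', 1) for kv in (t.strip() for t in txt.split(';')) if '=' in kv)


def dmarc_enforcing(txt):
    """True only when failures are rejected for all mail (p=reject and pct=100 or pct absent)."""
    tags = parse_dmarc(txt)
    return tags.get('p') == 'reject' and int(tags.get('pct', '100')) == 100


def parse_auth_results(value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return dict(re.findall(r'\b(spf|dkim|dmarc)=(\w+)', value.lower()))


def split_addr(header):
    """Return (display, addr): addr is the final <...> part, else the bare address."""
    m = re.search(r'^(.*?)<([^<>]+)>\s*$', header.strip())
    return (m.group(1).strip().strip('"'), m.group(2).strip()) if m else ('', header.strip())


def domain_of(addr):
    return addr.rsplit('@', 1)[-1].lower() if '@' in addr else ''


def suspicious_reasons(raw):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    verdicts = parse_auth_results(msg.get('Authentication-Results', ''))
    reasons = [f'{m}={v}' for m, v in verdicts.items() if v == 'fail']
    display, from_addr = split_addr(msg.get('From', ''))
    reply_to = split_addr(msg.get('Reply-To', ''))[1]  # optional header: absence is not a signal
    if reply_to and domain_of(reply_to) != domain_of(from_addr):
        reasons.append('reply-to domain differs from From domain')
    embedded = re.search(r'[\w.+-]+@[\w.-]+', display)  # display-name spoof
    if embedded and domain_of(embedded.group()) != domain_of(from_addr):
        reasons.append('display name embeds a foreign address')
    return reasons
```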