Safeguard
Vulnerability Analysis

What is Social Engineering

Social engineering causes 68% of breaches per Verizon's 2024 DBIR. Learn how it works, common attack types, and how it threatens the software supply chain.

Yukti Singhal
Security Analyst
6 min read

Social engineering is the manipulation of people, not systems, to gain unauthorized access to accounts, networks, or data. Instead of exploiting a software vulnerability, an attacker exploits trust, urgency, or authority to get a target to click a link, hand over a password, approve an MFA push, or wire money. The FBI's 2023 Internet Crime Report attributed $2.9 billion in losses to business email compromise alone, and Verizon's 2024 Data Breach Investigations Report found that 68% of breaches involved a human element such as a social engineering trick or an error. Attacks range from mass phishing emails to targeted vishing calls impersonating IT help desks, as seen in the 2023 MGM Resorts breach, where a 10-minute phone call to a help desk led to a ransomware incident that cost the casino operator an estimated $100 million. For software supply chain teams, social engineering is often the entry point that precedes a code-level compromise.

How Does Social Engineering Actually Work?

Social engineering works by exploiting psychological triggers rather than technical flaws, using pretexting, urgency, or impersonation to bypass a target's normal skepticism. Attackers research a target on LinkedIn, company websites, or breached data dumps to build a credible pretext, then contact the victim through email, phone, SMS, or even in person. The 2020 Twitter breach began when attackers called employees claiming to be from Twitter's IT department, convincing them to enter credentials into a fake VPN login page; from there, attackers accessed internal tools and hijacked 130 high-profile accounts, including those of Barack Obama and Elon Musk, to run a bitcoin scam that netted over $118,000 in about three hours. The technique succeeds because it targets a person's willingness to be helpful or their fear of getting in trouble, not a firewall rule or a patch level.

What Are the Most Common Types of Social Engineering Attacks?

The most common types are phishing, spear phishing, vishing, smishing, pretexting, and baiting, each differentiated by delivery channel and level of targeting. Phishing is the broadest category, sending the same deceptive email to thousands of recipients; the Anti-Phishing Working Group logged over 4.7 million unique phishing attacks in 2023 alone. Spear phishing narrows that to a specific individual, often a finance or HR employee, using details scraped from public profiles. Vishing (voice phishing) uses phone calls, as in the September 2023 Caesars Entertainment breach, where the Scattered Spider group social-engineered an IT help desk to reset credentials, leading to a reported $15 million ransom payment. Smishing uses SMS messages with malicious links, a technique the FBI's IC3 flagged as a top complaint category in 2023 with over 20,000 reports. Pretexting builds a false scenario, such as posing as a vendor requesting an invoice change, a tactic behind numerous business email compromise cases each averaging $137,000 in losses per the FBI's 2023 data.

How Does Social Engineering Threaten the Software Supply Chain?

Social engineering threatens the software supply chain by giving attackers a way to insert malicious code or credentials into legitimate build and release pipelines without exploiting a single CVE. The 2024 XZ Utils backdoor (CVE-2024-3094) is the clearest recent example: an account using the persona "Jia Tan" spent over two years building trust as a contributor before being handed maintainer access to the widely used xz compression library, then quietly inserted a backdoor targeting OpenSSH. Similarly, npm and PyPI have seen repeated cases of attackers social-engineering package maintainers through fake "security update" emails to steal npm tokens, as happened with the eslint-scope compromise in 2018 and, more recently, coordinated phishing campaigns against maintainers in 2023 that led to typosquatted and hijacked packages being pushed to millions of downstream projects. Because open source maintainers often work as volunteers with limited security tooling, they are a high-value, comparatively low-effort target for supply chain attackers.

How Can Security Teams Detect Social Engineering Attempts?

Security teams detect social engineering attempts by combining email authentication controls, behavioral monitoring, and anomaly detection on identity and access events. DMARC, DKIM, and SPF enforcement stops a large share of spoofed sender phishing before it reaches an inbox, while tools that flag impossible-travel logins or a sudden MFA registration from a new device catch account takeover attempts that follow a successful vishing call. On the supply chain side, monitoring for anomalous maintainer behavior, such as a dormant contributor suddenly requesting elevated npm or PyPI publish rights, or a new maintainer pushing an unreviewed release shortly after gaining access, mirrors exactly the pattern seen in the XZ Utils incident before the backdoor was discovered by a Microsoft engineer investigating unrelated SSH latency in March 2024. Logging and alerting on package registry token usage, publish events, and dependency changes gives teams a chance to catch the moment social engineering converts into a code-level compromise.

What Can Organizations Do to Prevent Social Engineering?

Organizations prevent social engineering by combining phishing-resistant authentication, employee training, and strict verification procedures for high-risk actions like credential resets or wire transfers. Moving from SMS-based MFA to FIDO2 hardware keys or passkeys removes the ability of an attacker to simply relay a one-time code obtained through a phone call, a control Google reported drove reported account-takeover-related support tickets to near zero after mandatory security key rollout for employees. Requiring callback verification through a known internal number before any help-desk password reset would have blunted both the MGM and Caesars 2023 incidents, where a single unverified phone call led to full domain compromise. For open source and vendor ecosystems, requiring multi-maintainer sign-off before a package can be published, and enforcing hardware-backed 2FA on registries like npm (mandatory for the top 500 packages since 2022) and PyPI, closes the exact gap that let the XZ Utils backdoor ship into production Linux distributions.

How Safeguard Helps

Safeguard cannot stop a phone call to your help desk, but it dramatically narrows the blast radius when social engineering succeeds against a dependency or maintainer account. Safeguard's SBOM generation and ingest give teams a live inventory of every open source package in use, so when a maintainer-compromise incident like XZ Utils breaks, security teams can query in seconds whether the affected version is present anywhere in their environment instead of spending days on manual audits. Reachability analysis then determines whether a compromised or backdoored package's vulnerable code path is actually invoked by your application, cutting through alert noise to prioritize the handful of instances that carry real risk. Griffin AI correlates that reachability data with runtime and dependency graph context to flag suspicious package behavior, such as an unexpected new maintainer or an unreviewed release pattern, before it reaches production. When a fix is available, Safeguard opens auto-fix pull requests that bump the affected dependency to a patched version, letting engineering teams close the window of exposure in minutes rather than waiting for a manual triage cycle.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.