Teobaldo Rivas, Dr. Eng.
06 Sep

Abstract

Social engineering has emerged as a significant threat in the field of cybersecurity, exploiting human vulnerabilities rather than technical flaws. Its unpredictability and complexity stem from its focus on manipulating human behavior. The increasing use of digital devices has expanded the attack surface, allowing social engineers to employ advanced techniques to deceive users and access sensitive information. This systematic review aims to map the scientific contributions on social engineering in cybersecurity, identify recurring patterns, and propose future research directions. This study consolidates existing knowledge and offers a foundation for developing new defense approaches against social engineering attacks that rapidly adapt to new technologies and behavioral changes.

Keywords: Social engineering, cybersecurity, phishing, psychological manipulation, security awareness.

Introduction

Social engineering stands out as one of the most relevant threats in the field of cybersecurity, as it exploits human vulnerabilities instead of technical flaws (Mitnick & Simon, 2002). This type of threat is hard to predict and to defend against because it targets human behavior rather than technological gaps. With the expansion of internet access, social engineering attacks such as phishing and spear-phishing have become more frequent and more sophisticated, increasingly targeting specific individuals.

Technological advancement, combined with the exponential increase in the use of connected devices, has significantly expanded the attack surface. Social engineering, positioned at the intersection of psychology and technology, demands an interdisciplinary approach to understanding its dynamics and developing effective mitigation strategies (Cialdini, 2001). Although scientific literature on the topic has grown in recent years, it remains fragmented, with studies focusing on isolated aspects such as the effectiveness of phishing campaigns, without comprehensively addressing the complexity of the phenomenon.

This article aims to conduct a systematic review of the international scientific production on social engineering in the context of cybersecurity. The objective is to map the main contributions, identify patterns, and suggest future directions for research in the area. The relevance of this study lies in consolidating existing knowledge and providing a solid foundation for developing new defense approaches against social engineering attacks, which quickly adapt to new technologies and to changes in user behavior.

Theoretical Framework


Definition of Social Engineering

Social engineering is defined as a psychological manipulation technique designed to deceive individuals or groups into disclosing confidential information or performing actions that compromise the security of a system or organization (Mitnick & Simon, 2002). Unlike conventional cyberattacks that exploit technical vulnerabilities, social engineering focuses on human failures, often considered the weakest link in security systems.

Social Engineering in the Context of Cybersecurity

In cybersecurity, social engineering plays a crucial role, especially in targeted attacks like spear-phishing, where criminals customize messages to appear legitimate to specific targets (Hong, 2012). These attacks can lead to severe data breaches, as the 2013 Target breach demonstrated: the attackers' initial foothold was a third-party vendor's network credentials, reportedly obtained through a phishing e-mail, which they then used to reach internal systems (Ponemon Institute, 2014).

With the rise of social media and the development of technologies such as deepfakes, social engineering has become increasingly complex, posing significant challenges to cybersecurity. These technologies enable the creation of fake videos and audio that mimic real people, enhancing the effectiveness of attacks (Chesney & Citron, 2019).

Social Engineering Techniques

Various social engineering techniques are widely documented in the literature, with the most common being:

  1. Phishing: Sending communications that appear to be from trusted sources to deceive the recipient into disclosing sensitive information (Vishwanath et al., 2016).
  2. Spear-Phishing: A personalized version of phishing that uses specific target information to increase the credibility of the attack (Jagatic et al., 2007).
  3. Pretexting: Creating a fictitious scenario to trick the victim into providing confidential information (Workman, 2008).
  4. Baiting: Offering incentives to attract victims, such as free downloads that contain malware (Mitnick & Simon, 2002).

Importance of Social Engineering in Cybersecurity

The Verizon 2022 Data Breach Investigations Report found that 82% of the breaches it analyzed involved the human element, a category that covers social engineering together with error and misuse, whether as the initial entry point or as a later step in the attack chain (Verizon, 2022). Defense against these attacks requires a multidisciplinary approach, combining technical cybersecurity measures with user education and awareness (Parsons et al., 2017).

Methodology


Search Strategy

The systematic review was conducted using IEEE Xplore, Scopus, Web of Science, and Google Scholar, chosen for their extensive coverage of publications in cybersecurity and social engineering. The temporal scope included articles published between 2010 and 2023, reflecting significant advances in social engineering techniques. Keywords used were: "social engineering", "cybersecurity", "phishing", "spear-phishing", "psychological manipulation", "information security", "cyber threats", and "security awareness". Searches included titles, abstracts, and keywords to ensure comprehensive coverage. The methodology followed the PRISMA (Preferred Reporting Items for Systematic Reviews and Meta-Analyses) guidelines to ensure transparency and replicability of the review process.

Inclusion and Exclusion Criteria

Included articles met the following criteria:

  1. Peer-reviewed and published in recognized journals or conferences.
  2. Available in English, Portuguese, or Spanish.
  3. Focused specifically on social engineering in cybersecurity.
  4. Presented empirical data, systematic reviews, or substantial theoretical discussions.

Excluded studies were those that:

  1. Were not peer-reviewed, such as opinion articles and technical reports.
  2. Addressed social engineering outside the context of cybersecurity.
  3. Lacked a clear methodology or sufficient empirical data.
  4. Were duplicates or preliminary versions of more rigorous studies already included.

Selection Procedure

The selection followed a systematic protocol: after the initial article collection, a screening based on titles and abstracts was conducted, eliminating studies that did not meet the inclusion criteria. Remaining articles were fully read and evaluated for methodological quality and relevance. Two independent reviewers conducted the selection, with a third consulted in case of discrepancies, ensuring impartiality.

Data Analysis and Synthesis

Data were analyzed using thematic analysis, involving the coding of data from selected studies and identifying recurring central themes. The main themes identified included types and techniques of social engineering attacks, defense strategies, implications for cybersecurity policies, and emerging trends in research on the topic. The NVivo software was used to organize and analyze the data, aiding in the systematization of the analytical process.

Literature Review


Overview of the Literature

Research on social engineering in the context of cybersecurity has intensified in recent years, reflecting the increasing sophistication of these techniques in cyberattacks. According to the Verizon 2022 Data Breach Investigations Report, the human element (social engineering, error and misuse) was involved in 82% of the breaches analyzed; social engineering proper, and phishing in particular, accounts for a large but narrower share of that figure. The literature extensively covers phishing and spear-phishing, while other techniques such as pretexting and baiting are less explored, indicating potential gaps in understanding the real impact of these methods.

Types of Social Engineering Attacks

Phishing is the most widely studied type of social engineering attack, exploiting users' trust through psychological manipulation tactics, such as creating a false sense of urgency (Hong, 2012). Research shows that individual differences, such as digital literacy and demographic characteristics, influence susceptibility to phishing (Vishwanath et al., 2016).

Spear-Phishing, a targeted variant of phishing, is particularly dangerous due to its personalized nature, which increases the success rate (Jagatic et al., 2007). Studies indicate that personalizing messages with specific information about the target is a critical factor contributing to the high success rates of these attacks (Halevi et al., 2013).

Other techniques, such as pretexting and baiting, receive less academic attention but can be equally effective depending on the context. Pretexting involves creating a convincing scenario to deceive the victim into providing confidential information (Workman, 2008), while baiting exploits the victim's desire for something of value, such as free downloads containing malware (Mitnick & Simon, 2002).

Defense Techniques Against Social Engineering

Defense against social engineering is a growing field of research, with training and awareness programs recognized as essential components in mitigating attacks (Parsons et al., 2017). Technological tools, such as email filters and intrusion detection systems, help mitigate risks but cannot fully replace the need for user awareness, as these attacks often exploit behavioral factors that technical solutions may not entirely capture (Abawajy, 2014).

A combined approach that integrates training with detection technologies provides the best protection. Embedded training, in which the lesson is delivered at the moment a user falls for a simulated phishing message and is then reinforced over time, has been shown to reduce the success rate of subsequent phishing attempts by up to 50% (Kumaraguru et al., 2010).
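
The filter-side checks this paragraph alludes to, together with the urgency and spoofed-sender tactics described under Types of Social Engineering Attacks, can be made concrete. The following Python script is an added example, not code from the paper or from any product it cites: it parses two constructed e-mail messages and scores them against a handful of indicators (display-name spoofing, Reply-To mismatch, lookalike domains, link text that disagrees with the href, and urgency or credential-harvesting language). The trusted-domain set, the term lists, the weights and the threshold are illustrative assumptions, as are both sample messages.

```python
# Heuristic phishing-indicator scorer (added example). The trusted domains, term lists,
# weights and threshold are illustrative assumptions, not values from the paper.
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}  # assumed own/partner domains
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "will be suspended", "action required")
CREDENTIAL_TERMS = ("password", "verify your account", "confirm your identity", "login details")
WEIGHTS = {"display_name_spoof": 3, "reply_to_mismatch": 2, "lookalike_domain": 3, "link_text_mismatch": 3, "urgency": 1, "credential_request": 2}
PHISH_THRESHOLD = 5
# Link text that itself looks like a URL or hostname, e.g. "https://bank-example.com/login".
_URLISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)

class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable_domain(host):
    """Naive eTLD+1 (last two labels); enough for the .com/.net samples used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def skeleton(domain):
    """Collapse accented Latin letters and digit-for-letter swaps (0->o, 1->l, rn->m). Cyrillic
    homoglyphs would need a confusables table and are out of scope here."""
    ascii_form = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    return ascii_form.lower().translate(str.maketrans("0135", "oles")).replace("rn", "m")

def is_lookalike(domain):
    """True when a domain imitates a trusted one (skeleton match or embedded brand) without being it."""
    reg = registrable_domain(domain)
    if reg in TRUSTED_DOMAINS:
        return False
    return any(skeleton(reg) == skeleton(t) or t.split(".")[0] in domain.lower() for t in TRUSTED_DOMAINS)

def score_message(raw):
    """Return (score, indicator names, verdict) for a single-part RFC 5322 message string."""
    msg, hits = message_from_string(raw), []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    # Display name borrows a trusted brand while the real sender domain is not trusted.
    if (any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS)
            and registrable_domain(from_domain) not in TRUSTED_DOMAINS):
        hits.append("display_name_spoof")
    # Replies are steered to a different domain than the one the sender claims.
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        hits.append("reply_to_mismatch")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    parser = _LinkParser()
    parser.feed(body)
    if is_lookalike(from_domain) or any(is_lookalike(urlparse(h).hostname or "") for _, h in parser.links):
        hits.append("lookalike_domain")
    # The visible link text names one site while the href goes to another.
    for text, href in parser.links:
        m, real = _URLISH.match(text.strip()), urlparse(href).hostname
        if m and real and registrable_domain(m.group(1)) != registrable_domain(real):
            hits.append("link_text_mismatch")
            break
    # Pressure ("false sense of urgency") and credential-harvesting language.
    lowered = (msg.get("Subject", "") + " " + body).lower()
    hits += [name for name, terms in (("urgency", URGENCY_TERMS), ("credential_request", CREDENTIAL_TERMS))
             if any(t in lowered for t in terms)]
    score = sum(WEIGHTS[h] for h in hits)
    return score, hits, score >= PHISH_THRESHOLD

# Constructed sample messages (not real mail).
LEGITIMATE = """\
From: IT Helpdesk <helpdesk@example.com>
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset=utf-8

<p>The VPN is down Saturday 02:00-04:00 UTC; see the <a href="https://portal.example.com/maintenance">maintenance page</a>.</p>
"""
PHISHING = """\
From: Example Bank Security <security@bank-example.com.verify-login.net>
Reply-To: recovery-desk@mailbox-free.net
Subject: URGENT: Action required - your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Unusual sign-in detected. Confirm your identity within 24 hours or access is lost.</p>
<p><a href="http://bank-examp1e.com/login">https://bank-example.com/login</a></p>
"""
```

Calling score_message(PHISHING) returns a score of 14 with all six indicators, while the maintenance notice scores 0. The heuristics are deliberately simple and will produce false positives (any unrelated domain that embeds a trusted brand name is flagged), which is exactly why the paragraph above argues that filters complement rather than replace user awareness; a production filter would add SPF, DKIM and DMARC results and URL reputation as further indicators.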

Emerging Trends and Gaps in the Literature

Emerging techniques like deepfakes, which use AI to create fake videos and audio, represent new challenges by producing highly convincing scenarios that deceive victims (Chesney & Citron, 2019). Additionally, there is a need for longitudinal studies examining the effectiveness of defense strategies over time, as few studies explore whether the effects of training persist.

Current literature also insufficiently addresses cultural and regional differences in susceptibility to social engineering, highlighting the need for research exploring how cultural factors influence the effectiveness of both attack techniques and defense strategies in different contexts.

Discussion


Synthesis of Key Findings

The literature review confirms that social engineering remains a dominant threat to cybersecurity, with phishing and spear-phishing being the most prevalent and effective methods. These attacks exploit human vulnerabilities, underscoring the need for defense strategies that integrate technical solutions and user training. The personalization of attacks, particularly in spear-phishing, significantly increases success rates, highlighting the need for a deeper understanding of the factors that make individuals susceptible.

The advancement of technologies such as deepfakes is expanding the scope and effectiveness of social engineering attacks. These advancements not only represent an evolution of attack tactics but also pose a challenge to existing defenses, which must continuously adapt.

Practical Implications

The findings suggest that organizations should adopt a holistic approach to cybersecurity, combining up-to-date training with robust technical controls. Awareness programs that simulate realistic scenarios, including deepfake-based attacks, can better prepare employees to identify and resist social engineering attempts. These programs must be continuous and evolve as new threats emerge.

Detection technologies, such as AI systems that learn from past attacks, can complement training efforts by providing an additional layer of defense. Their effectiveness, however, depends on integration with organizational controls such as multi-factor authentication and access management, which limit what a successfully phished credential can be used for.

Regular penetration testing focused on social engineering and real-time attack simulations can further strengthen organizations' preparation against actual threats, enabling adjustments to security policies as needed.

Limitations of the Study

This study is limited by its reliance on publications in English, Portuguese, and Spanish, which may exclude relevant research in other languages. Additionally, the methodological variability of the analyzed studies and their predominant focus on Western business environments limit the generalizability of the findings to other contexts.

Most studies used cross-sectional designs, capturing a specific moment without exploring how threats and defenses evolve over time. Furthermore, the focus on cybersecurity may have excluded contributions from other disciplines, such as psychology and sociology, which could offer additional insights into human motivations and vulnerabilities.

Suggestions for Future Research

Future research should adopt an interdisciplinary approach, integrating psychology, sociology, and cybersecurity to develop more effective defense strategies. Longitudinal studies that track the effectiveness of interventions over time are essential to ensure that defenses against social engineering remain effective in a constantly changing threat landscape.

Exploring cultural and regional differences in susceptibility to social engineering is also crucial, particularly for global organizations operating in multiple jurisdictions. Understanding these variations can lead to the development of culturally adapted and more effective defense strategies.

Conclusion


This article provided a comprehensive review of the literature on social engineering in the context of cybersecurity, highlighting the crucial role that this technique plays in cyberattacks. The analysis revealed that despite significant technological innovations in cyber defense, human vulnerabilities continue to be effectively exploited by cybercriminals. Phishing and spear-phishing stand out due to their prevalence and success, particularly because of their ability to manipulate human psychology and use personal information to tailor attacks.

The evolution of technologies, such as deepfakes and artificial intelligence, is making social engineering attacks increasingly sophisticated and harder to detect. These technological advances not only extend the reach and effectiveness of attacks but also pose significant challenges to existing defenses, which must quickly adapt to these constantly evolving threats.

Contributions to the Field

The findings of this article emphasize the need for an integrated approach that combines technical solutions with robust user awareness. Continuous training programs that address the latest attack techniques and employ realistic simulations are essential in preparing employees to recognize and resist social engineering attempts. Furthermore, the implementation of advanced technologies, such as artificial intelligence for behavioral anomaly detection, provides an additional layer of defense that can complement human efforts.

Final Reflection

As social engineering techniques continue to evolve, cybersecurity must proactively adapt. The intersection of technology and human behavior is a field that requires ongoing attention, and interdisciplinary research can offer new perspectives and solutions to emerging challenges. The integration of knowledge from areas such as psychology and sociology with cybersecurity practices can lead to the development of more effective and personalized defense strategies that consider human motivations and vulnerabilities in a holistic manner.

Future research should focus on exploring these intersections, as well as testing the effectiveness of defense strategies over time and in different cultural contexts. Understanding cultural dynamics can be particularly useful for global organizations operating in multiple jurisdictions, allowing them to tailor their defense strategies to the specific needs of each region.

Ultimately, social engineering represents a continuous and complex challenge for cybersecurity. However, with a focus on innovation, continuous training, and the integration of new technologies, organizations can develop more resilient and effective defenses. The practical application of the findings discussed in this article has the potential to significantly strengthen cybersecurity, protecting both digital assets and the individuals who interact with them.

References


Abawajy, J. (2014). User preference of cyber security awareness delivery methods. Behaviour & Information Technology, 33(3), 237-248. https://doi.org/10.1080/0144929X.2012.708787

Caputo, D. D., Pfleeger, S. L., Freeman, J. D., & Johnson, M. E. (2014). Going spear phishing: Exploring embedded training and awareness. IEEE Security & Privacy, 12(1), 28-38. https://doi.org/10.1109/MSP.2013.106

Chesney, R., & Citron, D. K. (2019). Deepfakes and the new disinformation war: The coming age of post-truth geopolitics. Foreign Affairs, 98(1), 147-155.

Halevi, T., Lewis, J., & Memon, N. (2013). Phishing, personality traits and Facebook. Computers in Human Behavior, 28(2), 669-676. https://doi.org/10.1016/j.chb.2011.11.007

Hong, J. (2012). The state of phishing attacks. Communications of the ACM, 55(1), 74-81. https://doi.org/10.1145/2063176.2063197

Jagatic, T. N., Johnson, N. A., Jakobsson, M., & Menczer, F. (2007). Social phishing. Communications of the ACM, 50(10), 94-100. https://doi.org/10.1145/1290958.1290968

Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., & Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology, 10(2), 1-31. https://doi.org/10.1145/1754393.1754396

Mitnick, K. D., & Simon, W. L. (2002). The art of deception: Controlling the human element of security. Wiley.

Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. (2017). Determining employee awareness using the Human Aspects of Information Security Questionnaire (HAIS-Q). Computers & Security, 42, 165-176. https://doi.org/10.1016/j.cose.2013.12.003

Ponemon Institute. (2014). 2014 Cost of Data Breach Study: Global Analysis. Ponemon Institute.

Verizon. (2022). 2022 Data Breach Investigations Report. https://www.verizon.com/business/resources/reports/dbir/

Vishwanath, A., Herath, T., Chen, R., Wang, J., & Rao, H. R. (2016). Why do people get phished? Testing individual differences in phishing vulnerability within an integrated, information processing model. Decision Support Systems, 51(3), 576-586. https://doi.org/10.1016/j.dss.2011.07.002

Workman, M. (2008). Wisecrackers: A theory-grounded investigation of phishing and pretext social engineering threats to information security. Journal of the American Society for Information Science and Technology, 59(4), 662-674. https://doi.org/10.1002/asi.20779