June 13, 2019 By Mike Elgan

Social engineering is one of the most difficult cybersecurity threats to protect against. By definition, it targets human fallibility — flaws in human reasoning. Cybercriminals may work full-time figuring out how to trick people and sharing best practices, but employees at your organization have other jobs to do. There’s a knowledge imbalance between the digital con artists and their would-be victims. That’s why cons work.

One way to inoculate staff against falling prey to this kind of manipulation is through education and training. Security awareness training often avoids bogging employees down with security jargon, which sounds like a good idea. Nontechnical employees and executives normally shouldn’t have to become security experts. But in the realm of social engineering protection, knowing the jargon is one of the most powerful tools we have to educate staff.

The reason is that the definitions of these terms contain within them the methods. To know the words is to expect the attacks — or recognize them when they occur. It’s time to integrate the learning and memorization of social engineering jargon into every security training session. By learning these words cold, employees will also learn to avoid falling prey to social engineering attacks.

Social Engineering Vocab to Add to Your Next Security Training

Here is the basic vocabulary that everyone in your organization should know.


Phishing

An umbrella term for any fraudulent attempt to get information by acting like a trusted person or organization in any electronic communications medium, usually email.


Smishing

When the attempt happens via text message, it’s called smishing. Smishing can be effective because some users are more trusting on SMS than on email.


Vishing

Vishing is when an attacker uses a phone call to trick victims into giving up sensitive information such as passwords. Perpetrators of this crime typically use Voice over Internet Protocol (VoIP) calls and misrepresent themselves as employees of a bank or other organization.

Bulk Phishing

This basic attack spams large numbers of people with generic messages that link to a large number of different fraudulent URLs in the hope of tricking a small percentage of the recipients into giving up sensitive information. If some of the URLs are shut down, others still remain.

Spear Phishing

Rather than spamming large numbers of generic messages, spear phishing campaigns send small numbers of customized messages containing recognizable or relevant content to a small number of people. It requires some knowledge of the target for customization. The most obvious version of this is to send emails to people in a company, and make the email appear as if it came from another person in the same company. The more specific and targeted the attack, the more effective it can be.

Snowshoe Attack

Sitting somewhere between generic bulk and specific spear attacks is the snowshoe attack, whereby small, semitargeted emails are sent in batches small enough to fall below the threshold that triggers spam filters, but large enough to enable mass emailing. Snowshoe attacks use a large number of sender IP addresses, with a low number of emails per IP address. The term snowshoe refers to a spamming technique, regardless of whether it’s a phishing attack or just unwanted advertising.

Hailstorm Attack

Instead of flying under the radar to avoid triggering spam filters, hailstorm attacks try to beat spam filters to the punch, launching a large number of emails at once to catch spam filters off guard — essentially finishing the sending before the filters have time to respond.

Clone Phishing

With this technique, a legitimate email — from, say, a financial institution or government entity — is copied almost verbatim, complete with graphics, but usually with the links changed to malicious URLs.


Whaling

Whaling attacks target top employees, such as CEOs, CFOs or CIOs. This kind of attack can be appealing to cybercriminals because more information is publicly available about these high-profile targets, and they tend to have more access to sensitive information at a company.


Tabnabbing

The simple idea behind tabnabbing is that users who are directed to spoofed sites will enter usernames and passwords, which the perpetrators can then use to log into the real sites. It’s called tabnabbing because it exploits the tendency of users to have many tabs open. By opening a new tab on a malicious site that displays only a username and password form, the user may assume that one of their legitimate tabs simply timed out, and may enter the credentials to log back in.

In-Session Phishing

As stated above, users tend to have multiple tabs open while using their browsers. Pop-up messages appear, and could theoretically come from any of the open tabs. Cybercriminals can in some instances use this confluence of circumstances to launch a pop-up from one tab that appears to be from another. For example, let’s say a user has a dozen tabs open — one is a gaming site, another is a bank website. Malicious code on the gaming site could detect the banking site and launch a pop-up that spoofs the banking site, asking for, among other things, login credentials. This attack could work in a less targeted way even without knowledge of the specific site in the other tab. A generic pop-up could trick enough users to be worthwhile to malicious actors.

Reverse Tabnabbing

Similar to tabnabbing, reverse tabnabbing is where a legitimate page open in a tab is replaced with a fraudulent version in the same tab. That fake page times out, requiring the username and password, which are then stolen.

Email Spoofing

This practice involves forging an email header to make an email appear to come from a legitimate or friendly source. This technique may also be used to evade spam filters or as part of an identity theft scheme.

Website Forgery

Website forgery involves either a fake but legitimate-looking website or a fraudulent replica of a legitimate site, built to trick users into giving up sensitive information.

Link Manipulation

This is an umbrella term that covers any attempt to hide URLs or trick users into falsely believing that a fraudulent URL is legitimate.

Link Hiding

Users can’t detect a suspicious URL if they can’t see it. That’s why phishers often hide URLs by sending HTML emails, in which the destination URL sits behind the hyperlink text (hyperlinks with the right words link to the wrong websites). Malicious URLs can also be hidden using URL shorteners or PDF files.


Typosquatting

Cybercriminals have long registered URLs that are similar to popular URLs owned by major brands in the hopes that someone will misspell the desired URL and land on theirs. Labels associated with this simple idea include URL hijacking, fake URLs, cybersquatting and brandjacking. URLs with subtle typos are also used in phishing attacks because victims may not notice the misspelling and click with confidence.

Homograph Attack

Domain names can use multiple alphabets. Some letters in different alphabets look identical. A homograph attack is one that exploits this fact to create a fraudulent URL that looks perfectly legitimate. For example, by using a lowercase Cyrillic letter “A” instead of a lowercase “A” from the English alphabet, a URL appears as if it’s all English, but is viewed by the domain name system as a different URL. Financial institutions with the letter “A” in their names, such as Bank of America or PayPal, are frequent subjects of homograph attacks.
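The mixed-alphabet trick described above can be checked mechanically. This added example (not from the original article) flags domain labels that mix scripts or contain no Latin letters, and shows the ASCII form that DNS actually resolves. Deriving the script from the Unicode character name is a simplifying assumption, and the sample domain is constructed.

```python
import unicodedata

def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isascii():
        # Digits and hyphens are script-neutral and are ignored.
        return "LATIN" if ch.isalpha() else None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def audit_domain(domain):
    """Return (label, verdict, scripts, ascii_form) for each suspicious label."""
    findings = []
    for label in domain.lower().split("."):
        scripts = {s for s in map(char_script, label) if s}
        if len(scripts) > 1:
            verdict = "mixed-script"      # e.g. Latin letters plus one Cyrillic letter
        elif scripts and scripts != {"LATIN"}:
            verdict = "non-latin"         # may be legitimate; worth showing to the user
        else:
            continue
        # The IDNA encoding is what the domain name system sees for this label.
        ascii_form = label.encode("idna").decode("ascii")
        findings.append((label, verdict, sorted(scripts), ascii_form))
    return findings

# Constructed sample: the second letter is CYRILLIC SMALL LETTER A (U+0430).
SAMPLE = "p\u0430ypal.com"

if __name__ == "__main__":
    for finding in audit_domain(SAMPLE):
        print(finding)
    print(audit_domain("paypal.com"))  # all-Latin name produces no findings
```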

Know the Names, Prevent the Attacks

Due to the prevalence of phishing and other social engineering attacks, it’s vital to stay one step ahead of scammers with advanced security tools and/or managed security services.

Training is the other necessary component. When training employees about cybersecurity, by all means try to avoid jargon and speak in plain language so everyone can understand. But when it comes to social engineering training, make sure every employee learns the names of specific attacks. Yes, raise awareness with phishing simulations and other smart exercises — but also teach the vocab. To know the names is to know the attacks, and to know the attacks is to recognize them when you’re the target.
