How to Recognize Social Engineering and Block the Modern Kill Chain

June 24, 2025
Social engineering remains one of the easiest ways for cybercriminals to penetrate enterprise defenses; however, trained employees can disrupt the modern kill chain before it begins.

Suppose an employee opened their text messages and found this waiting for them:

“Did you just log in from a new iPhone in Salt Lake City, UT? If this were you, you may ignore this message. If this was not you, please click the link below to secure your account.”

Would they recognize this message as a phishing attempt? According to the 2024 Mobile Security Index from Verizon Business, “25% of mobile users tapped on at least one phishing link every quarter in 2023.” Considering that 90% of American adults own smartphones, that’s nearly a billion cybercrimes waiting to happen.

Phishing and other forms of social engineering represent an integral step in the modern kill chain. By deceiving, coercing, or otherwise manipulating legitimate employees, threat actors can steal login credentials to hijack cloud resources.

A skeptical, well-educated workforce is a crucial component of your defense against social engineering attacks. Unless you teach your staff to recognize and mitigate common psychological tricks used in cyberattacks, your organization could be one click away from a significant data breach.

Employee Education as a Modern Kill Chain Defense

A “kill chain” is a cybersecurity concept that originated from military terminology. In armed warfare, a kill chain refers to the process of identifying, tracking, and engaging targets. Similarly, the modern kill chain in cybersecurity has five discrete steps:

  1. Reconnaissance: A threat actor researches an organization’s employees via social media or public staff directories.
  2. Social engineering: Through phishing, executive impersonation, watering holes, or similar methods (discussed below), a threat actor steals legitimate login credentials.
  3. Initial access: The threat actor successfully infiltrates an organization’s network.
  4. Data theft: With full access to an organization’s cloud storage and apps, a threat actor performs a mass download of sensitive data.
  5. Extortion: The threat actor makes demands, installs ransomware, or sells private information on the dark web.

A skilled cybercriminal can execute the entire modern kill chain, start to finish, in mere minutes.

The second step is the only part of the process where the average employee can mount a meaningful defense. As such, everyone in your organization should learn to recognize and respond to standard social engineering techniques, especially phishing.

Types of Phishing

Phishing is one of the most common and easily executed cyberattacks. Almost everyone with an email address or a mobile device has encountered a phishing scam before.

Employees should always be vigilant for this type of social engineering. In the past, phishing scams were relatively easy to spot, as they contained unrealistic URLs, bogus email addresses or unknown phone numbers, and poor spelling and grammar. Now, email spoofing and convincing copies of single sign-on (SSO) login pages can make phishing messages almost indistinguishable from the real thing.

In addition to email phishing, employees should know about:

Spear Phishing

Most phishing schemes employ “spray-and-pray” tactics, impersonating huge companies and targeting anyone with an active email address. However, sophisticated threat actors can also target individuals or small groups within a particular organization. This is known as spear phishing, and it’s often difficult to spot. Spear phishers may impersonate friends or coworkers, gathering as much information as possible about a person through social media or direct correspondence. Once they gain a worker’s trust, they can steal login credentials much more easily.

Smishing

Smishing is a portmanteau of Short Message Service (SMS) and phishing. Smishing is identical to phishing, save that it occurs via text message rather than email. However, that one slight difference can make smishing much more dangerous. Simply knowing a target’s phone number is a risk in and of itself. Messaging apps may have fewer protections against malicious links than email clients. If an attacker spoofs a loved one’s phone number, an employee may not even know how to be on guard.

Executive Impersonation

Also called CEO fraud or whaling phishing, executive impersonation is a common form of phishing in the business world. A threat actor emails or texts an employee, claiming to be a member of the organization’s C-suite. They need an urgent fund transfer, access to sensitive company files, or a password — and if the employee doesn’t comply, the “executive” could fire them. Executive impersonation can be a particularly plausible form of phishing, as the average employee is unlikely to know the CEO’s cell phone number offhand.

Vishing

Voice phishing, also known as vishing, utilizes phone calls instead of written messages. A threat actor calls an employee claiming to be a vendor, law enforcement agency, or colleague from another department. From there, the attacker can employ all the standard phishing techniques (misdirection, intimidation, urgency, and so on) to trick the worker into divulging login details or other privileged information.

Other Common Cyber Threats

Phishing is not the only type of social engineering that employees need to be aware of. A few other examples include:

● Pretexting: A form of social engineering that dates back hundreds of years, pretexting involves creating a convincing story. Instead of simply sending an email with a fake login page and hoping for the best, the cybercriminal creates a believable situation that requires the employee to respond, such as fraudulent purchases on a company credit card or an unpaid vendor threatening to sue if they don’t receive their money immediately. Pretexting can be especially convincing if a threat actor communicates via phone or in person.

● Scareware: A staple of shady websites the world over, scareware tricks employees into visiting malicious links by alerting them to “problems” with their computer or mobile device. A pop-up ad might claim that your device is infected with dozens of viruses, but a free app can supposedly fix the issue. Scareware typically tricks users into downloading malware or divulging sensitive information to fake single sign-on (SSO) pages.

● Watering holes: A watering hole attack hijacks an otherwise secure website and uses it as a platform to spread malware. This type of social engineering is effective when a threat actor knows that members of a particular organization frequently visit a specific site. Once an attacker compromises that site, they can force automatic malware downloads or redirect legitimate login pages to fake ones.

Protect Yourself from Social Engineering Attacks

Every social engineering attack is different, so there’s no realistic way to predict and deter every single one. However, by following a few simple best practices, you can equip both your employees and their devices with the necessary tools to stay safe.

  • Mobile endpoint protection

A mobile endpoint detection and response (EDR) solution can help your organization monitor threats to user devices and respond in real time. Mobile EDR utilizes comprehensive threat databases, behavioral analytics, and continuous monitoring to detect potential intruders in your system and assist you in removing them. These solutions can also help block activity from malicious links and apps.

  • Multi-factor authentication

Most phishing attempts aim to acquire usernames and passwords. However, if employees have multi-factor authentication (MFA) enabled on their accounts, usernames and passwords alone won’t be enough to log in. MFA uses apps or SMS to send additional authorization codes that expire after a minute or two. This means that stealing credentials won’t necessarily give a threat actor network access unless they’ve also stolen an employee’s mobile device.

  • Security awareness training

While cybercriminals are constantly refining their methods, they still tend to fall back on a few bad habits. They attempt to circumvent their victims’ critical thinking skills through deceptive and intimidating tactics. Once you educate your employees on how cybercriminals operate, they’ll know how to defend themselves and your organization. Organize workshops, write newsletters, and create online resources to help them recognize social engineering attempts. Additionally, give them a clear and straightforward way to report these incidents.
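As an added example (not code from the article or from Lookout), the script below shows how a reporting channel like the one described above might do a first-pass triage of employee-reported messages, scoring them against the cues this article names (links, urgency, intimidation, credential requests, claims of authority). The sample messages, cue patterns, weights, and the escalation threshold are all constructed for illustration.

```python
import re

# Constructed sample reports, modelled on the messages described in the article:
# a "new login" alert with a link, an executive-impersonation demand, and a benign note.
SAMPLE_MESSAGES = [
    "Did you just log in from a new iPhone in Salt Lake City, UT? If this was not you, "
    "please click the link below to secure your account. https://sso-login.example/verify",
    "This is the CEO. I need an urgent wire transfer before 5pm today, reply with the "
    "account password or you're fired.",
    "Reminder: the team lunch is moved to Thursday at noon in room 4B.",
]

# Each cue is a pattern and a weight; the cue list follows the article's description
# of phishing tactics. Weights and patterns are illustrative assumptions, not a standard.
CUES = {
    "contains_link": (re.compile(r"https?://|www\.", re.I), 2),
    "urgency": (re.compile(r"\b(urgent|immediately|right now|within \d+|before \d)", re.I), 2),
    "intimidation": (re.compile(r"\b(fired|sue|lawsuit|suspend|locked|arrest)", re.I), 2),
    "credential_request": (re.compile(r"\b(password|login|log in|verify|secure your account)", re.I), 2),
    "authority_claim": (re.compile(r"\b(ceo|cfo|executive|law enforcement|it department)", re.I), 1),
}


def score_message(text):
    """Return (score, matched cue names) for one reported message.

    Each cue counts at most once, so a message repeating "urgent" does not
    outscore one that combines several different tactics.
    """
    score, hits = 0, []
    for name, (pattern, weight) in CUES.items():
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits


def triage(text, threshold=4):
    """Classify a reported message for the security team's queue.

    A score at or above the threshold is marked for analyst escalation;
    anything below is logged as low priority. The threshold is an assumption.
    """
    score, hits = score_message(text)
    verdict = "escalate" if score >= threshold else "low"
    return {"score": score, "cues": hits, "verdict": verdict}


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(triage(msg))
```

A scorer like this is a queue-ordering aid for the team that receives reports, not a replacement for the mobile EDR and MFA controls discussed above; a message that scores low still deserves a human look if the reporter was suspicious.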

Stop the kill chain in its tracks. As cyber threats evolve, cybersecurity frameworks must move from reactive to proactive approaches. Cleaning up malware and repairing files after a data breach is not as effective as preventing that breach in the first place. Social engineering can provide an easy entryway into the modern kill chain — or it can be an opportunity for your employees to thwart threat actors before any damage occurs. The modern kill chain poses a significant threat to organizations; a savvy workforce, on the other hand, represents an effective defense.

About the Author

David Richardson | VP of Endpoint and Threat Intelligence, Lookout

David Richardson is the Vice President of Endpoint and Threat Intelligence at Lookout, where he is responsible for developing and delivering cutting-edge AI-based security solutions to protect individuals and enterprises from cyber threats. David took this expanded role after 11 years of service to Lookout in a variety of roles throughout engineering, product management and product strategy; most recently, leading all enterprise product lines. David has been hacking on mobile devices since the early days of Palm and Windows Mobile. He is a frequent speaker at security conferences discussing new threat vectors he has discovered to attack Android and iOS devices. David has over 50 patents issued, most of which pertain to finding novel ways to secure mobile devices.