Social Engineering in OT and IT Security

Industry reports show that 70–80% of OT attacks come through the IT network, mainly via email-based social engineering. OT environments differ from IT in important ways: visibility is critical, and even a small mistake can risk lives or cause large-scale damage. Continuous monitoring of OT assets, knowing which asset is communicating with which, and enforcing strict access control are essential. Tools such as the Dragos Platform, Nozomi Networks, and Claroty help with this.
In most architectures, Level 3.5 (the industrial DMZ of the Purdue model) and above is treated as the IT side of the network. To protect OT, the boundary firewall allows connections initiated from OT toward IT but blocks connections initiated from IT into OT. Still, the IT network must be secured too, because that is where most of these attacks begin. This article explains the common social engineering tactics attackers use and how to defend against them.
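As an added example (not code from this article or from any of the vendor tools named above), the following Python script applies that boundary policy to connection records and reports anything that crosses the IT/OT boundary in a direction the policy forbids. The zone address ranges, the documented exception into OT, and the Zeek-style log lines are all constructed assumptions.

```python
"""Flag connections that cross the IT/OT boundary in a direction the policy forbids.

Added example, not code from the original article or any vendor tool. Zone
address ranges, the allow-list and the Zeek-style log lines are constructed.
"""
import ipaddress
from typing import Iterable, List, Optional

# Assumed Purdue-style zone layout. Real plants will use different ranges.
ZONES = {
    "IT":  [ipaddress.ip_network("10.1.0.0/16")],     # Levels 4-5, enterprise
    "DMZ": [ipaddress.ip_network("10.2.0.0/24")],     # Level 3.5, industrial DMZ
    "OT":  [ipaddress.ip_network("10.10.0.0/16"),     # Level 3 and below
            ipaddress.ip_network("192.168.50.0/24")],
}

# (originator zone, responder zone) pairs the boundary firewall is meant to
# permit. Any other cross-zone connection is reported.
ALLOWED_DIRECTIONS = {("OT", "DMZ"), ("OT", "IT"), ("DMZ", "IT")}

# Explicit, documented exceptions into OT as (responder IP, port). Constructed.
OT_EXCEPTIONS = {("10.10.1.5", 443)}   # e.g. a jump host reachable from the DMZ


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is in no known range."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def parse_conn_line(line: str) -> dict:
    """Parse one tab-separated record in the order of Zeek's core conn.log fields.

    Zeek records the host that *initiated* the connection as orig_h, so the
    direction checked here is the direction of the first packet; replies on an
    established connection belong to the same record and never appear as a
    separate IT->OT flow.
    """
    ts, uid, orig_h, orig_p, resp_h, resp_p, proto, conn_state = line.rstrip("\n").split("\t")
    return {"ts": ts, "uid": uid, "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto, "conn_state": conn_state}


def check_flow(flow: dict) -> Optional[str]:
    """Return a description of the policy violation, or None if the flow is permitted."""
    src, dst = zone_of(flow["orig_h"]), zone_of(flow["resp_h"])
    if src == dst:
        return None                      # intra-zone traffic never crosses the boundary
    if (src, dst) in ALLOWED_DIRECTIONS:
        return None
    if src == "DMZ" and dst == "OT" and (flow["resp_h"], flow["resp_p"]) in OT_EXCEPTIONS:
        return None
    return (f"{src}->{dst} {flow['orig_h']}:{flow['orig_p']} -> "
            f"{flow['resp_h']}:{flow['resp_p']}/{flow['proto']} uid={flow['uid']}")


def find_violations(lines: Iterable[str]) -> List[str]:
    violations = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        verdict = check_flow(parse_conn_line(line))
        if verdict:
            violations.append(verdict)
    return violations


# Constructed sample records: ts, uid, orig_h, orig_p, resp_h, resp_p, proto, conn_state
SAMPLE_LOG = [
    "1700000001.1\tC1\t10.10.1.20\t50123\t10.2.0.10\t443\ttcp\tSF",   # OT -> DMZ historian push: allowed
    "1700000002.2\tC2\t10.1.5.33\t50500\t10.10.1.7\t502\ttcp\tS0",    # IT -> OT Modbus: violation
    "1700000003.3\tC3\t10.2.0.10\t50600\t10.10.1.5\t443\ttcp\tSF",    # DMZ -> OT jump host: documented exception
    "1700000004.4\tC4\t10.2.0.11\t50700\t10.10.1.7\t22\ttcp\tS0",     # DMZ -> OT SSH to a PLC: violation
    "1700000005.5\tC5\t10.1.5.33\t50800\t10.1.9.1\t445\ttcp\tSF",     # IT -> IT: not a boundary crossing
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print("VIOLATION", v)
```

Because the log records which host opened each session, the check matches what a stateful boundary firewall actually enforces. Run it against conn logs taken from a span port on the DMZ firewall: every line it prints is either a missing firewall rule or a connection that got past one.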
What Is Social Engineering?
Social engineering is a cyber attack that uses psychological manipulation to trick individuals into divulging sensitive information or performing harmful actions, as defined by NIST. Attackers frequently develop new techniques, but most attacks follow five common patterns: Urgency, Authority, Scarcity, Trust, and Fear. Below, we explore each pattern with examples.
1. Urgency – Creates panic to rush actions
Examples:
- "Act now or lose access to your account!" (Forces quick action without thinking.)
- "Your account will be locked in 30 minutes—verify now!" (Triggers panic.)
- "Last chance! Unpaid invoice will lead to legal action—pay immediately!" (Pushes rushed response.)
Urgency is a red flag. If something feels unusually urgent, pause and verify.
2. Authority – Pretends to be a powerful figure
Examples:
- "This is the CEO, send me the employee payroll list now." (Impersonates an executive.)
- "I'm from IT support, provide your login to fix the issue." (Uses the IT role to pressure compliance.)
- "This is HR. Send me your ID and contract for an urgent audit." (Pretends to be from Human Resources.)
- "I’m from the government tax office, share your financial records now." (Uses government position.)
- "Police Cyber Unit here. We detected illegal activity. Confirm your credentials to avoid arrest." (Uses fear and fake authority.)
- "I’m your manager. Approve this wire transfer immediately." (Spoofs a boss for financial action.)
- "As per company policy, IT must install this software update, provide access now." (Mimics official policy.)
3. Scarcity – Claims limited time or access
Examples:
- "Only 5 licenses left, claim yours now!" (Pushes quick action with limited availability.)
- "Offer expires in 10 minutes, download now!" (Creates time pressure.)
- "Only the first 100 users get access." (Triggers fear of missing out.)
- "Exclusive access for today only, ACT FAST!!" (Pretends limited-time deal.)
- "Your account storage is almost full, upgrade immediately." (Fakes limited resources.)
4. Trust – Uses familiar names or tone to lower defenses
Examples:
- "Hi, I’m from Microsoft support. I’m here to help fix your PC." (Fakes a trusted brand.)
- "This is your bank. We noticed unusual activity, please verify." (Uses familiar institution.)
- "Hey, it’s John from the finance team. Can you help with this payment?" (Pretends to be a coworker.)
- "I’m with the government health department. Fill out this form for benefits." (Uses official-sounding role.)
- "We met at last week’s conference. Can you check this file for me?" (Creates fake personal connection.)
5. Fear – Threatens serious consequences
Examples:
- "Your account has been hacked, reset your password now!" (Creates panic.)
- "We found illegal files linked to your National ID / Aadhaar Card / Social Security Number. Confirm your ID to avoid arrest." (The "digital arrest" scam seen in India; threatens legal trouble.)
- "Your bank account will be frozen, verify your info immediately." (Pushes fear of losing money.)
- "Security alert: Someone tried to access your email. Click here to secure it." (Fakes a breach.)
- "You missed a court summons. Pay the fine now to avoid jail." (Uses legal fear to force payment.)
Types of Social Engineering Attacks
1. Phishing
Phishing tricks people into giving up credentials via fake emails, texts, or websites. Attackers often use AI tools like ChatGPT to craft convincing messages with proper grammar, making detection harder.
How to Protect: Train users regularly and tell them:
- Don’t click unknown links or download attachments.
- Check email addresses carefully (e.g., goog1e.com vs. google.com).
- Watch for subtle red flags; AI-written lures rarely contain the grammar errors that used to give phishing away [4], so do not rely on spelling alone.
- Never share passwords or personal info by email.
- Use anti-phishing tools and keep systems updated, as CISA recommends [5].
- Enable multi-factor authentication (MFA).
Key Tip: Stay alert. If something feels off, double-check.
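Checking sender addresses can be automated rather than left to the reader's eye. The following Python example, added here and not part of the original article, applies three of the checks above to a raw message: it collapses the From domain into a "skeleton" so that goog1e.com collides with google.com, catches near-misses by edit distance, and flags a display name that borrows a trusted brand or a Reply-To that points somewhere else. The trusted-domain list and the sample messages are constructed; internationalised (punycode) domains are not decoded.

```python
"""Score an inbound mail's sender for the lookalike and mismatch tricks used in phishing.

Added example, not from the original article or any product. The trusted
domain list and the sample messages are constructed.
"""
import email
import email.utils
from email import policy
import unicodedata
from typing import Dict, List

TRUSTED_DOMAINS = {"google.com", "example-corp.com"}   # constructed allow-list

# Digits and symbols attackers swap for look-alike letters (goog1e, micr0soft).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "|": "l"})


def skeleton(domain: str) -> str:
    """Collapse a domain so that common lookalikes map onto the genuine name."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))   # drop accents
    d = d.translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")                 # rnicrosoft -> microsoft


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch near-misses such as example-corp.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_sender(raw_message: str) -> Dict[str, object]:
    """Parse the headers and return the findings that a reader should verify by another channel."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    findings: List[str] = []

    if from_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if skeleton(from_domain) == skeleton(trusted):
                findings.append(f"lookalike of {trusted}: {from_domain}")
            elif edit_distance(from_domain, trusted) <= 2:
                findings.append(f"near-miss of {trusted}: {from_domain}")
            # Display name borrows the brand while the address does not belong to it.
            if trusted.split(".")[0] in from_name.lower():
                findings.append(f"display name '{from_name}' claims {trusted} but address is @{from_domain}")

    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    return {"from_domain": from_domain, "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages (headers, blank line, body).
SAMPLE_LOOKALIKE = (
    'From: "Google Security" <alerts@goog1e.com>\n'
    "Reply-To: helpdesk@mail-verify.net\n"
    "Subject: Your account will be locked in 30 minutes\n"
    "\n"
    "Verify now or lose access to your account.\n"
)
SAMPLE_LEGIT = (
    'From: "John Smith" <john@example-corp.com>\n'
    "Subject: Q3 payment run\n"
    "\n"
    "Can you review the attached schedule before Friday?\n"
)
SAMPLE_NEAR_MISS = (
    'From: "IT Support" <it@example-corp.co>\n'
    "Subject: Mandatory password reset\n"
    "\n"
    "Reply with your current password so we can migrate your account.\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_LOOKALIKE, SAMPLE_LEGIT, SAMPLE_NEAR_MISS):
        print(assess_sender(sample))
```

The skeleton comparison is the important part: a plain string match never catches goog1e.com, and an edit-distance threshold alone would also flag unrelated short domains, so the two are combined and the exact-match case is excluded first.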
2. Pretexting & Quid Pro Quo
Pretexting: Attackers fake a role (e.g., IT support, police) to trick you into giving info.
Quid Pro Quo: Attackers offer help or rewards in exchange for access.
How to Protect: Train users and tell them:
- Don’t share info with unknown callers.
- Verify identities before sharing anything.
- Educate teams with training and simulations [6].
- Use strong passwords and MFA [2].
- Monitor accounts for suspicious activity.
3. Baiting
Baiting lures victims with fake rewards, like free downloads or prizes, to share info or install malware.
How to Protect: Tell users there is no free lunch: if something looks too good to be true, it is probably a scam.
- Be skeptical of offers that seem “too good to be true.”
- Verify the source of downloads.
- Don’t enter personal info without verifying trust.
- Use updated anti-malware tools.
- Train staff to recognize bait traps.
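Verifying the source of a download can also be partly automated before a user opens the file. This added Python example (not from the article) inspects a file name and its first bytes for the disguises commonly found in baiting lures: the Unicode Right-to-Left Override character, a double extension such as .pdf.exe, and executable content behind a document extension. It also compares the file's SHA-256 with the checksum the publisher advertises. All names, contents and checksums in it are constructed.

```python
"""Inspect a download or attachment for the disguises used in baiting lures.

Added example, not from the original article. File names, byte contents and
the checksum are constructed; in practice the expected SHA-256 comes from the
publisher's own download page or signed manifest.
"""
import hashlib
from typing import List, Optional

DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "jse", "hta", "msi", "lnk", "jar"}
RLO = "\u202e"   # Right-to-Left Override: the text after it is displayed reversed

# Leading bytes of a few formats, enough to compare content with the claimed extension.
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),                  # Windows PE image (exe, scr, dll ...)
    (b"PK\x03\x04", "zip"),          # also docx/xlsx/jar
    (b"\x89PNG\r\n\x1a\n", "png"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def displayed_name(name: str) -> str:
    """Approximate what a file browser shows: the tail after an RLO renders reversed."""
    head, _, tail = name.partition(RLO)
    return head + tail[::-1]


def content_type(data: bytes) -> str:
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def inspect_download(name: str, data: bytes, expected_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    if RLO in name:
        findings.append(f"filename contains a Right-to-Left Override; shown as '{displayed_name(name)}' "
                        f"but the real name is '{name.replace(RLO, '')}'")
    parts = name.replace(RLO, "").lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        findings.append(f"double extension .{parts[-2]}.{ext}: executable disguised as a document")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable type .{ext}")
    if content_type(data) == "exe" and ext not in EXECUTABLE_EXTS:
        findings.append(f"content starts with an MZ header (Windows executable) but extension is .{ext}")
    if expected_sha256 is not None and sha256_hex(data) != expected_sha256.lower():
        findings.append("SHA-256 does not match the publisher's checksum")
    return findings


if __name__ == "__main__":
    # Constructed samples: a fake PE image and a minimal PDF header.
    fake_pe = b"MZ\x90\x00\x03"
    real_pdf = b"%PDF-1.7\n%constructed sample\n"
    for fname, blob in [("invoice\u202efdp.exe", fake_pe), ("Prize_Winner.pdf.exe", fake_pe),
                        ("report.pdf", fake_pe), ("report.pdf", real_pdf)]:
        print(repr(fname), inspect_download(fname, blob, sha256_hex(real_pdf)))
```

The checksum comparison only helps when the expected value is fetched from a channel the attacker does not control (the vendor's site over HTTPS, or a signed release manifest), never from the same email or page that delivered the file.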
4. Tailgating (Physical Intrusion)
Tailgating occurs when an attacker physically follows an authorized person through a door into a secure area without badging in themselves. It is a key concern in OT environments, where physical access to equipment can mean control of the process.
How to Protect: Train users and tell them:
- Don’t let unknown people follow you into restricted zones.
- Use access cards, turnstiles, or biometric systems.
- Train employees to challenge tailgaters politely.
- Monitor access logs and use security staff and cameras.
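Tailgating leaves a trace in badge logs: a badge appears in an inner zone without ever having been read at the zone in front of it. The following Python example, added here and not part of the article, replays a constructed badge log against an assumed door topology and reports such sequence violations, anti-passback events (a badge used to enter a zone it is already recorded in), and exits from zones with no recorded entry. The zone layout, badge IDs and events are all constructed.

```python
"""Replay a badge log and report movements that do not match the door topology.

Added example, not part of the original article. The zone layout and every
event below are constructed; real access-control systems export similar
(time, badge, door, direction) records.
"""
from typing import Dict, List, Optional, Sequence, Tuple

# Assumed topology: a badge must be recorded in the parent zone before the
# child zone's reader should ever see it. None means outside the building.
PARENT: Dict[str, Optional[str]] = {
    "lobby": None,
    "plant_floor": "lobby",
    "control_room": "plant_floor",
}

Event = Tuple[str, str, str, str]   # (HH:MM:SS, badge id, zone, "in" or "out")

SAMPLE_EVENTS: List[Event] = [
    ("08:00:05", "B1001", "lobby", "in"),
    ("08:01:10", "B1001", "plant_floor", "in"),
    ("08:01:12", "B2042", "plant_floor", "in"),    # no lobby record: followed B1001 through the door
    ("08:05:00", "B1001", "control_room", "in"),
    ("08:20:00", "B1001", "lobby", "in"),          # still recorded in control_room: left without badging out
    ("08:30:00", "B3099", "control_room", "out"),  # never recorded entering anywhere
]


def audit_badge_log(events: Sequence[Event]) -> List[Dict[str, str]]:
    """Walk events in time order, tracking where each badge was last recorded."""
    location: Dict[str, Optional[str]] = {}     # badge -> zone; absent or None = outside
    findings: List[Dict[str, str]] = []
    # Timestamps are zero-padded HH:MM:SS, so string order is time order.
    for ts, badge, zone, direction in sorted(events):
        current = location.get(badge)
        reason = None
        if direction == "in":
            expected = PARENT[zone]
            if current == zone:
                reason = f"badged into {zone} while already recorded there (anti-passback)"
            elif current != expected:
                reason = (f"badged into {zone} while last recorded in {current or 'outside'}, "
                          f"expected {expected or 'outside'}: unrecorded movement, possible tailgating")
            location[badge] = zone
        else:
            if current != zone:
                reason = (f"badged out of {zone} while last recorded in {current or 'outside'}: "
                          f"entered without a badge")
            location[badge] = PARENT[zone]
        if reason:
            findings.append({"ts": ts, "badge": badge, "zone": zone, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in audit_badge_log(SAMPLE_EVENTS):
        print(finding["ts"], finding["badge"], finding["reason"])
```

Doors without an exit reader produce the second kind of finding for every legitimate visitor, so before alerting on it, compare the list of doors with the topology; the first kind (entry to an inner zone with no record in the outer one) is the one that most directly reflects a person being let through by someone else.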
In summary, social engineering exploits human psychology through urgency, authority, scarcity, trust, and fear.
Strong MFA, user awareness training, and Zero Trust are all important. Prevention starts with awareness: run regular training and phishing simulations (e.g., with KnowBe4 [6]) to test users. Because social engineering targets people rather than systems, it is harder to catch with technical controls alone. Effective cybersecurity combines strong technical defenses (e.g., MFA, anti-malware) with educated users, as NIST guidelines emphasize [2].
Note: All the arc
References
[1] Dragos, 2023 OT Cybersecurity Year in Review, 2024. https://www.dragos.com/year-in-review/
[2] NIST, SP 800-53: Security and Privacy Controls for Information Systems, 2020. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf
[3] Mitnick, K., & Simon, W. L., The Art of Deception, 2002. https://www.wiley.com/en-us/The+Art+of+Deception-p-9780764542800
[4] Barracuda Networks, 2023 Spear Phishing Trends Report, 2023. https://www.barracuda.com/reports/spear-phishing
[5] CISA, Avoiding Social Engineering and Phishing Attacks, 2022. https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-223a
[6] KnowBe4, 2024 Phishing by Industry Benchmarking Report, 2024. https://www.knowbe4.com/phishing-benchmarking-report
[7] IEC 62443, Security for Industrial Automation and Control Systems, 2023. https://www.iec.ch/system/files/2023-10/IEC_62443-4-2_2019-02_en.pdf