Understanding Social Engineering attacks at CHI 2025
| Pavlo Burda |
Security

This April, I’ll be presenting my research on social engineering attacks at the 2025 ACM Conference on Human Factors in Computing Systems (CHI) in Yokohama, Japan. CHI brings together a global community of researchers, designers, and practitioners who explore the future of how humans interact with technology. As the premier conference on Human-Computer Interaction, this is the place where ideas and breakthroughs take shape in usability, interaction design, and user-centered computing.
CHI conferences embrace an inclusive, responsible, and forward-looking approach to technology design. Hosted in Yokohama, one of the first port towns in Japan to open to foreign trade, this year's conference adopts the ‘Ikigai’ 🌸 theme, a Japanese concept for what gives a person a sense of purpose and balance. With thousands of attendees from academia and industry, CHI is a great place to spark collaborations and share ideas across disciplines.
Social Engineering
Among the wide range of interdisciplinary topics at CHI, security and privacy is high on the agenda. In particular, human-centered security acknowledges that humans are a critical part of any system’s attack surface. Social engineering exploits this reality to bypass technical controls by deceiving the user behind the system. The most common form of social engineering – phishing – features in 20% of all breaches, and overall 68% of breaches in 2024 involved a human element (2024 Verizon Data Breach Investigations Report).
Understanding why and when phishing attacks work is notoriously challenging. Due to the large variability in situational and human-related factors, it’s difficult to predict when an attack will succeed — and, therefore, how to effectively defend against it.
Together with my co-authors Luca Allodi and Nicola Zannone at Eindhoven University of Technology, I investigated how scientists study and simulate the various forms of social engineering attacks. Our goal is to identify the current knowledge gaps and how to improve our defenses against social engineering.
We reviewed 169 experimental studies, analyzing, among other things:
- The type of attacks simulated (email, SMS, voice calls, etc.)
- The target population (employees, students, etc.)
- How personalized the attacks are (generic vs. spear-phishing)
- The cognitive features exploited (e.g., attention, cognitive biases, etc.)
For example, the figure shows the distribution of studies across media types and the populations targeted in the experiments. Emails and websites clearly dominate, while social networks (SNS), messaging and physical media are rare. Examples of the latter include one experiment that simulated an attack against company employees by infiltrating a closed LinkedIn group and sending malicious links, and another that used QR codes with malicious links posted on parking terminals (physical media) to scam victims with fake parking tickets.
Key findings
From this systematic literature review, several key findings emerged:
Oversimplified attack models: most studies simulate basic, single-step phishing emails. But in the real world, attacks are often multi-step and increasingly multi-modal (e.g., QR code → fake website → fake app, or email → fake website → follow-up call).
Weak personalization modeling: around 36% of studies personalize attacks to a given population (e.g., a specific organization), and a mere 2% target specific individuals. This is a massive gap considering that attackers today can craft highly personalized messages using public and leaked data (e.g., LinkedIn, data dumps) and scale them using AI tools.
Uncaptured attack surface: contextual factors — such as the device used, timing, or workload — are rarely considered but are often decisive for the success or failure of an attack. Cognitive elements such as systematic vs. heuristic thinking are also underexplored. It is in heuristic (fast, low-effort) processing that the so-called ‘persuasion techniques’, like authority and scarcity, make us vulnerable to deception.
Inconsistent outcome measures: Many experiments stop at whether users click a link. But this overlooks the remaining parts of the attack chain (credential submission, malware execution) and misses insights into why people click — their reasoning, heuristics, and awareness.
Implications for practice
These findings lead to some practical implications for information security practitioners:
- Many organizational training programs focus solely on email. It’s time to expand to other media like messaging apps and social networks.
- The effectiveness of an attack varies with its pretext, its level of personalization, and the user’s context at the moment of the attack. With general-purpose AI and leaked personal data, attackers can easily scale and tailor their campaigns and craft deepfake voice and video artefacts. Security testing exercises should reflect this reality. Instead of sending the same generic phishing email to everyone, vary the pretext and the level of personalization across the exercise (see the “phishing difficulty scale”).
- Measuring only click rates in embedded phishing exercises doesn’t capture the true security posture. A click doesn’t always mean compromise. Instead, include the full attack chain, e.g., fake websites, MFA bypass, or malicious attachments. Even better — measure the context of failures (when, where, and how people fall for it) and whether the incident was reported.
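The scoring logic the last two points call for, as an added example that is not from the paper or the author's own tooling: it takes a JSON-lines event log of the kind a phishing-simulation platform might export (the event fields, stage names and the 1–5 `difficulty` score standing in for the phishing difficulty scale are all assumptions of this example, and the sample log is constructed) and reports the full chain, the report rate, and the context in which the compromises happened, rather than the click rate alone.

```python
"""Score an embedded phishing exercise over the whole attack chain.

Added illustration, not code from the paper. Assumes a JSON-lines log where the
'delivered' event carries the target's context and later events only record the
stage reached. Field names, stage names and the difficulty score are assumptions.
"""
import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Ordered stages of the chain; a target's outcome is the furthest stage reached.
CHAIN = ["delivered", "opened", "clicked", "submitted", "executed"]
# Stages at which the attacker actually gains something (credentials, code execution).
COMPROMISE = {"submitted", "executed"}

# Constructed sample log: six targets, two pretexts, two difficulty levels.
SAMPLE_LOG = """\
{"user":"u1","stage":"delivered","ts":"2025-03-03T08:05:00","device":"mobile","pretext":"it-password-reset","difficulty":2}
{"user":"u1","stage":"clicked","ts":"2025-03-03T08:07:00"}
{"user":"u1","stage":"submitted","ts":"2025-03-03T08:08:00"}
{"user":"u2","stage":"delivered","ts":"2025-03-03T14:30:00","device":"desktop","pretext":"it-password-reset","difficulty":2}
{"user":"u2","stage":"clicked","ts":"2025-03-03T14:32:00"}
{"user":"u2","stage":"reported","ts":"2025-03-03T14:35:00"}
{"user":"u3","stage":"delivered","ts":"2025-03-03T09:00:00","device":"desktop","pretext":"ceo-urgent-invoice","difficulty":4}
{"user":"u3","stage":"reported","ts":"2025-03-03T09:03:00"}
{"user":"u4","stage":"delivered","ts":"2025-03-03T17:45:00","device":"mobile","pretext":"ceo-urgent-invoice","difficulty":4}
{"user":"u4","stage":"opened","ts":"2025-03-03T17:46:00"}
{"user":"u4","stage":"clicked","ts":"2025-03-03T17:47:00"}
{"user":"u4","stage":"submitted","ts":"2025-03-03T17:48:00"}
{"user":"u5","stage":"delivered","ts":"2025-03-03T10:00:00","device":"desktop","pretext":"it-password-reset","difficulty":2}
{"user":"u5","stage":"opened","ts":"2025-03-03T10:20:00"}
{"user":"u6","stage":"delivered","ts":"2025-03-03T17:50:00","device":"mobile","pretext":"ceo-urgent-invoice","difficulty":4}
{"user":"u6","stage":"clicked","ts":"2025-03-03T17:52:00"}
{"user":"u6","stage":"submitted","ts":"2025-03-03T17:53:00"}
"""


@dataclass
class Outcome:
    user: str
    furthest: str      # furthest CHAIN stage reached
    reported: bool     # whether the target reported the message (tracked beside the chain)
    device: str        # context: device the lure was delivered to
    hour: int          # context: local hour of delivery
    pretext: str       # which lure was used
    difficulty: int    # assumed 1-5 difficulty score of the lure (hypothetical scale)


def parse_events(jsonl: str) -> list[dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def outcomes(events: list[dict]) -> dict[str, Outcome]:
    """Collapse the event stream into one Outcome per target."""
    by_user: dict[str, Outcome] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        user, stage = ev["user"], ev["stage"]
        if user not in by_user:
            if stage != "delivered":
                raise ValueError(f"{user}: first event must be 'delivered', got {stage!r}")
            by_user[user] = Outcome(user, "delivered", False, ev["device"],
                                    datetime.fromisoformat(ev["ts"]).hour,
                                    ev["pretext"], ev["difficulty"])
            continue
        o = by_user[user]
        if stage == "reported":
            o.reported = True
        elif CHAIN.index(stage) > CHAIN.index(o.furthest):
            o.furthest = stage
    return by_user


def funnel(outs: dict[str, Outcome]) -> dict[str, int]:
    """How many targets reached at least each stage of the chain."""
    ranks = [CHAIN.index(o.furthest) for o in outs.values()]
    return {stage: sum(r >= i for r in ranks) for i, stage in enumerate(CHAIN)}


def scorecard(outs: dict[str, Outcome]) -> dict:
    """Full-chain metrics plus the context (when, where, which lure) of the failures."""
    n = len(outs)
    clicked = [o for o in outs.values() if CHAIN.index(o.furthest) >= CHAIN.index("clicked")]
    compromised = [o for o in clicked if o.furthest in COMPROMISE]
    by_difficulty = {}
    for d in sorted({o.difficulty for o in outs.values()}):
        group = [o for o in outs.values() if o.difficulty == d]
        by_difficulty[d] = sum(o.furthest in COMPROMISE for o in group) / len(group)
    return {
        "targets": n,
        "click_rate": len(clicked) / n,
        "compromise_rate": len(compromised) / n,  # what the click rate alone hides
        "report_rate": sum(o.reported for o in outs.values()) / n,
        "reported_after_click": sum(o.reported for o in clicked),
        "compromised_by_device": dict(Counter(o.device for o in compromised)),
        "compromised_by_hour": dict(Counter(o.hour for o in compromised)),
        "compromised_by_pretext": dict(Counter(o.pretext for o in compromised)),
        "compromise_rate_by_difficulty": by_difficulty,
    }


if __name__ == "__main__":
    outs = outcomes(parse_events(SAMPLE_LOG))
    print(funnel(outs))
    for key, value in scorecard(outs).items():
        print(f"{key}: {value}")
```

On the constructed sample, two thirds of targets click but only half submit credentials, a third report the message (one of them after clicking), and every compromise happened on a mobile device, mostly late in the working day and more often with the harder pretext. Those are the numbers a training programme can act on; a bare click rate is not.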
Security testing, awareness programs and incident response procedures are all key parts of a functional Information Security Management System (ISMS). At the ICT Institute, we carry out security audits, provide security advice and assist organizations in implementing their ISMS. We regularly publish explanatory articles and free templates, such as one for setting up an incident register. Check out how we can assist you in improving your organization’s security posture.
Conclusions
Here you can find a short video presentation of the paper: https://youtu.be/Nuw3dbGH5E8. For those who want to take a deeper dive, you can check out the full paper (Open Access) and other publications on my website.
Presenting this research at CHI is a great reminder: defending against cybersecurity attacks isn’t just a technical task — it’s a human one, too. If you need help to reduce the chance and impact of phishing attacks in your organization, don’t hesitate to reach out to us using the contact information in our website footer.
Photo by Kazushi Saito on Unsplash

Dr. Pavlo Burda is an IT consultant and researcher specializing in emerging cybersecurity threats and people analytics for security.