MODELING AND EXECUTION OF SOCIAL ENGINEERING ATTACKS

DOI: 10.31673/2412-4338.2026.019013

Authors

Abstract

Social engineering attacks, particularly phishing, remain among the most prevalent threats to information security, as they exploit users’ cognitive biases alongside technical system vulnerabilities. Humans, being the weakest link in the security chain, become the primary targets for manipulations based on emotions, trust, or insufficient awareness. Social engineering acts as the initial vector that paves the way for technical methods, forming a unified attack. In the context of modern challenges, such as hybrid warfare, attackers can use social engineering to spread disinformation while combining it with technical attacks on critical infrastructure. This makes such attacks a national security concern, requiring the integration of psychological and technological defense strategies. Protection against social engineering attacks necessitates a comprehensive approach that includes personnel education, attack simulations, and the use of automated detection systems. This paper examines the modeling and practical implementation of phishing attack simulations using the GoPhish platform. A methodology for campaign design is presented, encompassing message template creation, campaign configuration, automated data collection, and real-time monitoring of user behavior. Data obtained during simulations are analyzed to identify behavioral patterns and assess the vulnerability of specific organizational units. Based on the results, recommendations are formulated to enhance the effectiveness of multi-layered defenses, integrating data from multiple campaigns to enable long-term monitoring and risk mitigation. The use of automated platforms for simulating phishing campaigns provides a controlled environment for studying social engineering, supporting both research activities and the improvement of user awareness. 

Keywords: cybersecurity; social engineering; phishing; attack; vulnerability.

Published

2026-04-01

Issue

Section

Articles