Social Engineering and Cyber Security Resilience
Role of the National Cyber Security Centre (NCSC)
The GCSB manages two missions: intelligence and cyber security; the NCSC delivers the cyber security mission.
NCSC serves as the Lead Cyber Security Agency with a whole-of-economy mandate.
NCSC integrates CERT NZ functions to support organizations of national significance and raise national cyber resilience.
Social Engineering Fundamentals
Humans are regarded as both the weakest and the strongest link: they already hold legitimate system access, yet they are susceptible to deception, pressure, and distraction.
Social engineering exploits human psychology through triggers such as fear, urgency, trust in authority, and current events (politics, war).
It is commonly used by cyber criminals, organized crime groups, and state-sponsored actors because it is often cheaper and more effective than a direct technical attack.
Attack Vectors and Case Studies
Phishing: Significant incidents include the Google and Facebook attack (2013-2015) and SMS phishing (smishing) against NZ brands and Op Cargo.
Vishing: IT help desk attacks (2025) involving Marks & Spencer, Co-Op, Harrods (attributed to ScatteredSpider), and the MGM attack (ALPHV/BlackCat ransomware).
Pretexting: Mentioned in the context of Ubiquiti Networks Inc.
Baiting: Exemplified by Operation Buckshot Yankee.
Quishing and Homograph Attacks
Quishing (QR code phishing) utilizes machine-readable URLs to facilitate credential harvesting.
Homograph Attack: A technique using visually identical characters from different scripts to spoof domains.
Example: Legitimate URL https://puaha.wgtn.ac.nz/SignIn vs. a fake URL https://puaha.wgtn.аc.nz/SignIn, where the 'a' in "ac" is a Cyrillic 'а' (U+0430). Browsers may render the fake domain in its punycode form as https://puaha.wgtn.xn--c-7sb.nz.
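Added example, not from the slides: a defender-side check in Python that extracts the host from a URL, flags any label that mixes Unicode scripts, and shows the punycode form a resolver actually sees. The two URLs are the ones from the example above; the helper names (inspect_host, is_suspicious) are assumptions of this example.

```python
import unicodedata
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample URLs: the fake host uses Cyrillic small a (U+0430) in "ac".
LEGIT_URL = "https://puaha.wgtn.ac.nz/SignIn"
FAKE_URL = "https://puaha.wgtn.\u0430c.nz/SignIn"


@dataclass
class HostReport:
    host: str                   # host as written in the URL
    ascii_host: str             # what the resolver sees (punycode labels)
    scripts: set                # Unicode scripts found across all labels
    mixed_script_labels: list   # labels that combine more than one script


def script_of(ch: str) -> str:
    """Approximate the Unicode script from the character name,
    e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'. Digits and '-' are COMMON."""
    if ch in "-0123456789":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def inspect_host(url: str) -> HostReport:
    host = urlsplit(url).hostname or ""
    # Apply the compatibility normalization an IDNA pipeline performs before comparing.
    host = unicodedata.normalize("NFKC", host)
    scripts, mixed = set(), []
    for label in host.split("."):
        label_scripts = {script_of(c) for c in label} - {"COMMON"}
        scripts |= label_scripts
        if len(label_scripts) > 1:
            mixed.append(label)
    # Python's idna codec punycode-encodes each non-ASCII label (xn-- form).
    ascii_host = host.encode("idna").decode("ascii")
    return HostReport(host, ascii_host, scripts, mixed)


def is_suspicious(url: str) -> bool:
    """Flag a host whose labels mix scripts or whose encoded form differs from what is shown."""
    r = inspect_host(url)
    return bool(r.mixed_script_labels) or r.ascii_host != r.host


if __name__ == "__main__":
    for u in (LEGIT_URL, FAKE_URL):
        print(u, "->", inspect_host(u).ascii_host, "suspicious" if is_suspicious(u) else "ok")
```

A production filter would also compare the encoded host against an allow-list of the organisation's real domains rather than relying on script mixing alone, since single-script lookalikes exist too.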
Defense and Mitigation Strategies
Education: Focused on awareness training to mitigate human error.
Technical Resilience: Implementation of Passkeys/MFA (Multi-Factor Authentication).
Architecture: Utilization of Network Segmentation and Access Control to limit the impact of a breach.