Social engineering is the attempt to manipulate users or employees into revealing sensitive data, granting unauthorized access, or unknowingly performing fraudulent activity, and it is increasingly becoming a problem for the U.S. government Contracting and Acquisition community. Even though improvements in technology make both online and offline environments safer, the human factor is still a significant vulnerability. This is especially prevalent within the Government Acquisition community, where much of the labor is not automated and therefore relies on human actors.
Sensitive information that is collected can be used as intelligence by nation-state adversaries; it can enable fraudulent financial activity; and it can be deployed to interfere, influence, and disrupt sovereign national activities. Privileged access can also be leveraged—even without theft of information—as an avenue through which actors can attack computer systems in kinetic ways to disrupt operations, damage equipment, or even harm personnel. The U.S. Government is not immune to this issue, losing hundreds of millions of dollars over the last decade due to social engineering attacks.
This paper addresses the impacts that social engineering can specifically have on U.S. government Contracting and Acquisition organizations, such as threats to the supply chain and deepfakes. Recommendations will also be made for how agencies can both recognize and prevent social engineering attacks from occurring, thus preventing damage, disruption, compromise, and the loss of resources.