Computing Reviews

A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks
Heartfield R., Loukas G. ACM Computing Surveys 48(3): 1-39, 2015. Type: Article
Date Reviewed: 02/03/16

Social engineering attacks include a large variety of ways to manipulate and deceive users. One specific type is the semantic attack, which deceives a user rather than attacking directly. This paper presents a taxonomy and description of semantic attacks and indicates possible defenses. The taxonomy is based on analyzing how an attack handles its three distinct stages: orchestration, exploitation, and execution. These are well-chosen subgroups that provide a clear picture of the nature of the attacks and allow all the known attacks of this type to be grouped.

A threat classification that is more general in scope uses threat patterns, which provide detailed descriptions of how attacks reach their goals; it is complementary to the one given here. Four examples illustrate the classification, followed by a table describing 30 attacks that have been found on the web. Next comes a discussion of defense mechanisms, covering organizational and technical aspects. An attack and defense matrix summarizes this information, providing a mapping of defenses against semantic attacks. The paper ends with a section indicating open problems.

Overall, this is a very useful paper that provides a clear perspective of what we know about semantic attacks and what we need to study further. Because semantic attacks have many aspects in common with other types of attacks, this paper is highly recommended for anybody doing research on security threats as well as for architects and developers who have to build or evaluate secure systems.

Reviewer:  E. B. Fernandez Review #: CR144148 (1605-0321)

Reproduction in whole or in part without permission is prohibited.   Copyright 2024 ComputingReviews.com™