Social engineering is manipulation used to make a person reveal information, perform an action, grant access, send money, install software or trust an attacker. In cyber security, it is often used with phishing, impersonation, credential theft and fraud.
The technique works because people are part of every security system. Attackers exploit trust, pressure, routine, fear, curiosity, authority or helpfulness rather than relying only on technical vulnerabilities.
Common Techniques
Phishing
Phishing uses deceptive emails, text messages, websites or calls to trick a target into clicking a link, opening an attachment, entering credentials or approving a payment.
Pretexting
Pretexting uses a false story. An attacker might pretend to be from IT support, a delivery company, a bank, a supplier, a recruiter, a manager or a public authority.
Impersonation
Impersonation involves pretending to be a trusted person or organisation. It can happen by email, phone, social media, messaging apps or in person.
Baiting
Baiting offers something tempting, such as a free download, leaked file, fake invoice, voucher, game cheat or abandoned USB drive.
Tailgating
Tailgating, also called piggybacking, is gaining physical access by following an authorised person into a controlled area.
Business Email Compromise
Business email compromise targets payment processes. Attackers may impersonate executives, suppliers or solicitors to redirect invoices or push urgent transfers.
Why It Works
Social engineering often succeeds because the request feels normal at the time. Attackers may use:
- Urgency, such as a deadline or threat of account closure.
- Authority, such as a manager or official body.
- Familiar branding or copied email signatures.
- Public information from social media and company websites.
- A small first request that builds trust before a larger one.
- Pressure to keep the request secret.
Prevention
Useful defences include:
- Multi-factor authentication, preferably phishing-resistant where possible.
- Clear payment verification processes.
- Staff training that encourages reporting rather than blame.
- Call-back procedures using trusted contact details.
- Limits on public information that helps attackers build convincing stories.
- Email filtering, domain protection and suspicious-link reporting.
- Separation of duties for high-risk actions.
Training works best when it reflects real workflows. People are more likely to report mistakes quickly if they believe the organisation wants early warning rather than punishment.
Practical Examples
Fake IT Support
An attacker phones an employee and claims to be from IT. They ask the employee to approve a login prompt or install a remote support tool. The technical attack depends on the social trick.
Supplier Bank Change
A finance team receives an email claiming that a supplier has changed bank details. A safe process would verify the change through a known phone number or contact route, not through the details supplied in the email.
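As an added example (not code from the original page), the following Python screens an inbound "bank details changed" message for the indicators described in the Business Email Compromise section and in this scenario: a reply address routed to a different domain, a sender domain that resembles a known supplier, and wording that demands a payment change, urgency or secrecy. The supplier allowlist, phrase lists and sample message are all constructed; a hit is a reason to run the call-back procedure, not a verdict on its own.

```python
"""Screen a supplier 'bank details changed' email for BEC indicators.

Added example, not part of the original page. The supplier allowlist,
keyword lists and sample message are constructed for illustration.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed allowlist of domains the finance team already pays invoices from.
KNOWN_SUPPLIER_DOMAINS: Set[str] = {
    "acme-supplies.example",
    "northbridge-print.example",
}

# Phrases that commonly accompany a payment redirection attempt.
BANK_CHANGE_PHRASES = ("new bank", "bank details", "updated account", "remit to")
URGENCY_PHRASES = ("urgent", "today", "immediately", "before close")
SECRECY_PHRASES = ("do not discuss", "keep this confidential", "between us")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of a header address ('' if none)."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, known: Set[str], threshold: float = 0.85) -> Optional[str]:
    """Return the known domain that `domain` most resembles without matching it.

    difflib's ratio is a cheap similarity score; production tooling would add
    confusable-character checks, but this is enough to show the idea.
    """
    if domain in known or not known:
        return None
    best = max(known, key=lambda k: difflib.SequenceMatcher(None, domain, k).ratio())
    score = difflib.SequenceMatcher(None, domain, best).ratio()
    return best if score >= threshold else None


def bec_indicators(raw_message: str) -> List[str]:
    """Return human-readable indicators found in a raw RFC 822 message.

    An empty list does not prove the mail is genuine; verification through a
    known contact route still applies to any change of payment details.
    """
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    found: List[str] = []
    if reply_domain and reply_domain != from_domain:
        found.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")
    similar = lookalike_of(from_domain, KNOWN_SUPPLIER_DOMAINS)
    if similar:
        found.append(f"sender domain {from_domain} resembles known supplier {similar}")
    if any(p in text for p in BANK_CHANGE_PHRASES):
        found.append("requests a change of payment details")
    if any(p in text for p in URGENCY_PHRASES):
        found.append("applies time pressure")
    if any(p in text for p in SECRECY_PHRASES):
        found.append("asks for secrecy")
    return found


# Constructed sample: lookalike sender domain, replies routed elsewhere.
SAMPLE_EMAIL = """\
From: Accounts <accounts@acme-suppiles.example>
Reply-To: accounts@acme-billing-update.example
Subject: Updated bank details - urgent
Content-Type: text/plain

Please note our new bank details for all invoices from today.
Keep this confidential until the change is complete.
"""

if __name__ == "__main__":
    for line in bec_indicators(SAMPLE_EMAIL):
        print("-", line)
```

The check is deliberately conservative: the sender-domain comparison only consults the organisation's own list of suppliers, and every indicator maps to one of the pressures listed under "Why It Works", so a reviewer can explain to the finance team exactly why the message was held for verification.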
Door Access
An attacker carrying boxes waits near a secure door and asks an employee to hold it open. The request feels polite, but it bypasses the access control system.