Social engineering is the use of psychological manipulation to trick people into revealing confidential information, granting access, or taking actions that benefit an attacker. It bypasses technical defences entirely — no exploit needed when a helpful employee hands over the password. Most major breaches involve some element of social engineering, which is why it's often called "hacking the human."
Why social engineering works
Attackers exploit predictable cognitive biases and social norms rather than software vulnerabilities:
- Authority — people comply with requests from figures who appear senior, official, or expert. Attackers impersonate IT staff, executives, bank fraud teams or government agencies.
- Urgency — pressure to act fast overrides caution. "Your account will be suspended in 10 minutes" stops people thinking clearly.
- Reciprocity — doing someone a small favour first makes them feel obliged to help in return.
- Social proof — "Everyone in your team has already completed this" implies compliance is normal.
- Fear — threats of consequences (fines, lost access, embarrassing exposure) push people into reactive decisions.
- Liking and trust — we let our guard down with people we like or who seem familiar. Attackers research targets on LinkedIn to reference colleagues, recent events, job titles.
The main social engineering tactics
Phishing
Mass email attacks impersonating legitimate senders — banks, Microsoft, delivery companies, HMRC. Goal: steal credentials, install malware, or redirect payments. The volume makes up for the low hit rate. See our full guide on how to spot a phishing email.
Spear phishing
Targeted phishing using information gathered from LinkedIn, company websites, social media and previous data breaches. The attacker references real names, projects or events to make the message convincing. Used against specific individuals — usually executives, finance teams, or IT staff with privileged access.
Vishing (voice phishing)
Phone calls from attackers pretending to be IT support, bank fraud departments, government agencies or software vendors. They gather information, reset credentials, or direct victims to a malicious site or payment. AI voice-cloning has made this significantly more dangerous — attackers can now mimic the voice of a known colleague or executive convincingly.
Smishing (SMS phishing)
The same as phishing but delivered by SMS. Common lures include fake parcel delivery notifications, bank alerts, and one-time code requests. SMS creates a false sense of legitimacy and urgency that email has lost through familiarity.
Pretexting
The attacker creates a fabricated scenario (a "pretext") to extract information. Examples: posing as a new employee who needs help accessing a system; claiming to be an auditor who needs account details for a compliance check; impersonating a vendor who needs to verify bank details for an invoice. Pretexting often involves multiple interactions to build trust before making the actual request.
Baiting
Leaving physical USB drives in car parks, reception areas or post rooms labelled enticingly ("Salary review 2025", "Redundancy list") — the attacker relies on curiosity to get a target to plug one in. In digital form, baiting uses promised free downloads (cracked software, pirated films) to deliver malware.
Quid pro quo
Offering something in exchange for information or access — for example, posing as IT support offering to fix a problem in exchange for credentials. The "help" offered is real enough to build trust, but the attacker's actual goal is the access they were granted in order to provide it.
Tailgating / piggybacking
Physical access attack: following an employee through a secure door by acting as though you belong there — holding a laptop bag, a coffee tray, or boxes. People hold doors open out of politeness and rarely challenge someone who looks confident and purposeful.
Business Email Compromise (BEC)
Attackers compromise or spoof executive email accounts to direct finance staff to make fraudulent transfers or change supplier bank details. One of the most financially damaging forms of social engineering. Full breakdown in our BEC guide.
Real examples
- Twitter (2020) — attackers called Twitter employees, impersonated internal IT support, and convinced them to hand over VPN credentials. This gave access to high-profile accounts including Barack Obama, Elon Musk and Apple, which were used for a Bitcoin scam.
- RSA SecurID (2011) — an employee opened a phishing email with an Excel attachment titled "2011 Recruitment plan." The attachment carried an exploit that gave attackers access to SecurID token data, which was later used in attempted attacks on Lockheed Martin and other defence contractors.
- Ubiquiti Networks (2021) — criminals impersonated the CEO and CFO via email, directing the finance team to make transfers totalling $46.7 million to attacker-controlled accounts.
How to defend against social engineering
Train your team — regularly
Security awareness training is the primary defence. People need to know what attacks look like and feel confident to question unusual requests. Run simulated phishing campaigns so staff experience attacks in a low-stakes environment. Training that happens once at onboarding is not enough.
Verify, don't assume
Build a culture where verifying identity is normal and not impolite. If someone calls claiming to be from IT and asks for credentials, call them back on a known number. If an executive sends an urgent payment request by email, confirm by phone or in person before acting.
Slow down urgency triggers
Urgency is the attacker's most effective tool. Train staff to pause and question any request that creates pressure to act fast. A real emergency from IT or a real bank will survive a five-minute verification call.
Least privilege access
Limit what any individual can do with their credentials. If an employee holds only the access rights their role needs, the damage is contained even when they are deceived.
Multi-factor authentication
MFA means stolen credentials alone aren't enough to gain access. Use app-based MFA (TOTP) rather than SMS, which is vulnerable to SIM-swapping and vishing attacks that intercept the code.
Processes for financial transfers
Always require a second approval channel for payment changes or large transfers — never from the same email thread that initiated the request. No single employee should be able to authorise a large payment based on an email alone.
DMARC and email authentication
A strict DMARC policy stops attackers spoofing your domain in emails targeting your staff, suppliers and customers. Run a free scan on your domain at Kalenfy to see your current email security posture.
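To make "strict" concrete, here is an added example (not code from the article or from Kalenfy's scanner) that parses a DMARC TXT record and flags the settings that still leave a domain spoofable; the two sample records are constructed, and the verdict rules are this example's own, not a standard.

```python
def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> tuple[str, list[str]]:
    """Return (verdict, findings): verdict is 'invalid', 'weak' or 'strict'.

    'strict' here means mail failing SPF/DKIM alignment is rejected for the
    domain and its subdomains, at full sampling, with reporting enabled.
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1; receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"missing or unknown p= policy: {policy!r}"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    # sp= defaults to p=; an explicit weaker sp= leaves subdomains spoofable
    subpolicy = tags.get("sp", policy).lower()
    if policy == "reject" and subpolicy != "reject":
        findings.append(f"sp={subpolicy} leaves subdomains weaker than the main domain")
    # pct= defaults to 100; anything lower leaves a share of failing mail unfiltered
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 0
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return ("strict" if not findings else "weak"), findings


# Constructed records: a monitoring-only policy beside an enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRICT_RECORD):
        verdict, notes = assess_dmarc(rec)
        print(f"{verdict}: {rec}")
        for note in notes:
            print("  -", note)
```

Run it against the TXT record returned for `_dmarc.<your-domain>` to see which of these findings apply to you.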
FAQ
Is social engineering always digital?
No. Physical attacks like tailgating, dumpster diving for documents, and in-person pretexting are classic social engineering techniques. Digital attacks are more scalable but physical methods are still used in targeted operations.
Can technical controls stop social engineering?
Technical controls help (MFA, DMARC, email filtering, DLP) but they can't eliminate the risk because many attacks don't trigger technical defences — they manipulate people who have legitimate access. Training and process controls are essential alongside technical measures.
What should an employee do if they think they've been socially engineered?
Report it immediately to IT/security without fear of punishment. Early reporting limits damage — credentials can be reset, accounts can be locked, and the organisation can watch for follow-on attacks. A culture of blame stops people reporting, which is far more dangerous than the incident itself.