What Is Social Engineering?
Social engineering is a cyberattack technique that exploits human psychology rather than technical vulnerabilities to steal information. No matter how robust a security system is, it's meaningless if the person operating it can be deceived.
In the security world, it's often said that "the weakest link is the human element." Social engineering is the systematic exploitation of this human vulnerability.
Common Techniques
Phishing
Impersonating a legitimate organization through emails or websites to trick victims into entering login credentials or personal information. It's the most common form of social engineering, accounting for roughly 36% of all cyberattacks. For more details, see our email security guide.
Spear Phishing
A highly targeted phishing attack aimed at a specific individual or organization. The attacker researches the target's personal details — job title, colleagues' names, recent activities — to craft a convincing message.
Pretexting
Creating a fabricated scenario (pretext) to extract information from the target. For example, posing as an IT department employee and calling to say, "We need your password for a security check."
Baiting
Planting malware on physical media like USB drives or CDs and relying on curiosity to get someone to plug them in. Labels like "Salary List" or "Confidential" are attached, and the devices are left in office parking lots or shared spaces.
Tailgating
A physical intrusion technique where the attacker follows an authorized employee through a security gate or office entrance. Common tactics include carrying packages and asking someone to "hold the door."
Quid Pro Quo
An "I'll give you something in exchange for information" approach. For example, posing as a tech support specialist and offering to "fix your computer for free" to gain remote access.
Vishing
Also known as voice phishing, this is a phone-based phishing attack. The attacker impersonates a bank or credit card company, claiming "Fraudulent activity has been detected on your account" to extract card numbers or PINs.
Why People Fall for It
Social engineering succeeds because of psychological tendencies common to all humans:
- Obedience to authority: People tend to comply with instructions from superiors or official bodies
- Reciprocity: When someone does something for you, you feel compelled to return the favor
- Urgency: Time pressure impairs calm, rational judgment
- Liking: It's harder to refuse requests from people you find likable
- Social proof: "Everyone else is doing it" provides a sense of reassurance
- Scarcity: "Limited time" or "exclusive offer" triggers impulsive action
How to Protect Yourself from Social Engineering
Make Verification a Habit
Whenever an unexpected contact (email, phone call, message) asks for personal or authentication information, always verify the sender's identity through a separate channel. Don't use the phone number in the email — contact the organization directly through the number listed on their official website.
Minimize Your Public Information
Information you share on social media — employer, job title, birthday, family details — can be used as ammunition for spear phishing. Review your privacy settings and avoid sharing more than necessary.
Combine Technical Safeguards
- Enable two-factor authentication: Prevents unauthorized login even if your password is compromised
- Use a password manager: It only fills credentials on the exact site they were saved for, so it won't auto-fill on a look-alike phishing domain, making fakes easier to spot
- Keep your email spam filter enabled
- Keep your OS and software up to date
Pause When Something Feels Off
If anything feels even slightly wrong, stop and think. Being rushed, asked to follow unusual procedures, or presented with an offer that seems too good to be true — these are all warning signs.
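The warning signs above and the psychological cues listed earlier can be turned into a simple triage check. The following is an added example, not part of the original article: it scores a constructed email on pressure cues, credential requests, and links whose domain does not match the sender's domain (the same origin-matching idea behind a password manager refusing to auto-fill). The cue patterns and sample messages are assumptions built for illustration, not an exhaustive classifier.

```python
import re
from urllib.parse import urlparse

# Pressure cues taken from the article's list of psychological tendencies.
# Each pattern is a constructed heuristic, not a complete classifier.
PRESSURE_CUES = {
    "urgency": r"\b(immediately|within 24 hours|right away|urgent|suspended)\b",
    "authority": r"\b(ceo|it department|security team|compliance|bank)\b",
    "scarcity": r"\b(limited time|exclusive offer|only \d+ left)\b",
    "reciprocity": r"\b(free (gift|upgrade|fix)|reward|bonus)\b",
}
CREDENTIAL_ASK = r"\b(password|pin|card number|login|verify your account)\b"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the constructed samples."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage(sender: str, body: str) -> dict:
    """Score a message on the social-engineering signals the article describes.

    Returns the matched pressure cues, any link whose domain differs from the
    sender's domain, whether credentials are requested, and a total score.
    """
    text = body.lower()
    cues = [name for name, pat in PRESSURE_CUES.items() if re.search(pat, text)]
    asks_credentials = re.search(CREDENTIAL_ASK, text) is not None
    sender_domain = registrable_domain(sender.split("@")[-1])
    mismatched = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender_domain:
            mismatched.append(host)
    score = len(cues) + (2 if asks_credentials else 0) + (2 if mismatched else 0)
    return {"cues": cues, "asks_credentials": asks_credentials,
            "mismatched_links": mismatched, "score": score}


# Constructed sample messages (not real emails); the domains are placeholders.
SUSPICIOUS = ("it-helpdesk@example.com",
              "Our IT department detected unusual activity. Verify your account "
              "immediately at https://example.com.account-check.test/login or it "
              "will be suspended within 24 hours.")
BENIGN = ("newsletter@example.com",
          "Our monthly update is online at https://www.example.com/news. "
          "No action is required.")

if __name__ == "__main__":
    for sender, body in (SUSPICIOUS, BENIGN):
        print(sender, triage(sender, body))
```

A high score is a prompt to verify through a separate channel, as the article advises, not a verdict on its own.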