Social Engineering

What Is Social Engineering

Social engineering is a broad category of attack techniques that exploit human psychological weaknesses - rather than technical means - to obtain confidential information or trick people into performing unauthorized actions.

No matter how advanced a security system is, it becomes meaningless if the person operating it is deceived. In the security world, it is said that "the weakest link is the human," and in fact, over 90% of cyberattacks involve some form of social engineering. Technical defenses alone are insufficient; human awareness is equally critical.

Common Tactics

  • Pretexting: Impersonating IT support, a bank employee, or a police officer and using a plausible pretext to extract passwords or personal information. Common pretexts include "for a security verification" or "to recover from a system outage."
  • Baiting: Leaving malware-loaded USB drives in parking lots or offices for someone to pick up and plug in. Curiosity drives the victim to connect the device, infecting their system.
  • Tailgating (Piggybacking): Following an authorized person through a secured door. Carrying boxes or wearing a delivery uniform exploits social norms of politeness.
  • Quid Pro Quo: Offering something in return - such as "free tech support" - to get the victim to install remote access software or reveal their password.
  • Phishing: The digital form of social engineering. Email, SMS, or fake websites are used to steal credentials. It is the most prevalent social engineering technique by volume.

Psychological Techniques Exploited by Attackers

Social engineering skillfully exploits human cognitive biases and psychological tendencies.

  • Obedience to Authority: When someone impersonates a boss, IT department, or police, people tend to comply without question. Business Email Compromise (BEC) attacks disguised as "urgent instructions from the CEO" exploit this tendency.
  • Creating Urgency: Phrases like "act now or your account will be locked" suppress rational thinking and push victims into hasty action. Time pressure is the most commonly used psychological lever.
  • Reciprocity: When someone does you a favor, you feel obligated to return it. Attackers offer small help first, then make their real request.
  • Social Proof: "Everyone else has already done this" or "your colleagues have all completed this step" leverages the tendency to follow the crowd.
  • Liking and Trust: People are more likely to comply with requests from someone they like. Attackers build rapport through small talk and shared interests before making their move.

Defense Strategies for Organizations and Individuals

Defending against social engineering requires both technical and human countermeasures.

Organizational Measures

  • Security Awareness Training: Conduct regular simulated phishing exercises to measure and improve employee response. Annual classroom training alone is insufficient.
  • Information Classification and Least Privilege: Classify confidential information and grant access only to those who need it. Even if one employee is compromised, the damage is contained.
  • Verification Procedures: Establish procedures to verify identity through a separate channel (e.g., calling back on a known number) for requests involving money transfers, password resets, or access changes.

Individual Measures

  • Verify Before Acting: For any unexpected request, verify through an independent channel before responding. Do not use contact information provided in the suspicious message itself.
  • Limit Information Sharing: Minimize personal and organizational information shared on social media. Attackers use publicly available information to craft convincing pretexts.
  • Trust Your Instincts: If something feels off - unusual urgency, unexpected requests, or emotional pressure - pause and verify. Discomfort is often a signal that something is wrong.
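The two defensive rules above (verify high-risk requests through an independent channel, and never use contact details supplied in the message itself) can be turned into a mechanical triage step that also flags the psychological levers listed earlier (urgency, authority, social proof). The following is an added illustration, not code from the article; the keyword lists, the sample messages and the `TRUSTED_DIRECTORY` of known phone numbers are all constructed for the example, and a real deployment would tune them to the organization.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Phrases signalling the psychological levers the article names.
# Constructed keyword lists; tune them to your own environment.
LEVER_PATTERNS: Dict[str, List[str]] = {
    "urgency": [r"\burgent\b", r"\bimmediately\b", r"\bact now\b",
                r"\baccount will be (?:locked|suspended)\b"],
    "authority": [r"\bceo\b", r"\bit (?:support|department)\b",
                  r"\bpolice\b", r"\bbank\b"],
    "social_proof": [r"\beveryone else\b", r"\bcolleagues have all\b",
                     r"\balready done this\b"],
}
# Roles whose mere claim counts as an authority lever.
AUTHORITY_ROLES = {"ceo", "it-support", "police", "bank"}

# Request types the article says must be verified out-of-band.
HIGH_RISK_ACTIONS: Dict[str, List[str]] = {
    "money_transfer": [r"\bwire\b", r"\btransfer\b", r"\bpay(?:ment)?\b"],
    "password_reset": [r"\bpassword\b", r"\breset\b"],
    "access_change": [r"\bgrant access\b", r"\bremote access\b"],
}

# Constructed directory of known-good callback numbers, maintained by
# the organization. Numbers found inside a message are never used.
TRUSTED_DIRECTORY: Dict[str, str] = {
    "ceo": "+1-555-0102",
    "it-support": "+1-555-0100",
    "finance": "+1-555-0101",
}

PHONE_RE = re.compile(r"\+?\d[\d\- ]{7,}\d")


@dataclass
class Triage:
    risk_actions: List[str]          # high-risk request types detected
    pressure_levers: List[str]       # psychological levers detected
    numbers_in_message: List[str]    # reported for the analyst, never dialled
    decision: str                    # "proceed" | "verify_out_of_band" | "escalate"
    callback_number: Optional[str]   # taken from the directory only


def _matches(patterns: List[str], text: str) -> bool:
    return any(re.search(p, text, re.IGNORECASE) for p in patterns)


def triage_request(claimed_role: str, body: str) -> Triage:
    """Classify an inbound request and decide how it must be verified."""
    role = claimed_role.lower()
    actions = sorted(n for n, p in HIGH_RISK_ACTIONS.items() if _matches(p, body))
    levers = sorted(n for n, p in LEVER_PATTERNS.items() if _matches(p, body))
    if role in AUTHORITY_ROLES and "authority" not in levers:
        levers = sorted(levers + ["authority"])
    numbers = PHONE_RE.findall(body)
    if not actions:
        # Nothing high-risk requested; levers are still reported for awareness.
        return Triage(actions, levers, numbers, "proceed", None)
    # High-risk request: the callback number comes from the directory only.
    callback = TRUSTED_DIRECTORY.get(role)
    decision = "verify_out_of_band" if callback else "escalate"
    return Triage(actions, levers, numbers, decision, callback)


# Constructed sample messages (claimed sender role, body).
SAMPLE_MESSAGES = [
    ("ceo", "This is urgent. I need you to wire $48,000 to the new vendor "
            "immediately; everyone else on the team has already done this. "
            "Call me back at +1-555-0199 if you have questions."),
    ("it-support", "IT department here. For a security verification, please "
                   "reply with your password before we reset it."),
    ("colleague", "Lunch at noon tomorrow?"),
]


def triage_all() -> List[str]:
    """Run the sample messages and return one decision per message."""
    return [triage_request(role, body).decision for role, body in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for role, body in SAMPLE_MESSAGES:
        t = triage_request(role, body)
        print(f"{role:12} {t.decision:18} levers={t.pressure_levers} "
              f"actions={t.risk_actions} callback={t.callback_number}")
```

The key design choice is that `callback_number` is only ever read from `TRUSTED_DIRECTORY`; the phone number embedded in the first sample message is surfaced to the analyst as evidence but is never a candidate for the verification call. A claimed role that is not in the directory cannot be verified and is escalated rather than guessed at.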

To learn more about this topic, see What Is Social Engineering? Cyber Attacks That Exploit Human Psychology.

Common Misconceptions

Social engineering only fools people who are not tech-savvy
Even security experts can be deceived. Attackers target human psychological weaknesses (urgency, authority, goodwill) rather than technical knowledge, so high IT literacy alone is not a defense.
Social engineering is only an email problem
Phone calls, in-person interactions, social media, and physical methods (leaving USB drives, impersonating visitors) are all used as attack vectors. Email filtering alone is an insufficient countermeasure.