What Is Social Engineering? The Complete Guide With Real Examples
Social engineering is the art of manipulating people into giving up confidential information or performing actions that compromise security — and it is responsible for over 90% of successful cyberattacks worldwide.
What Is Social Engineering?
Social engineering is a manipulation technique that exploits human psychology rather than technical vulnerabilities to gain unauthorised access to systems, data, or physical locations. Instead of breaking through a firewall or cracking a password, a social engineer simply tricks a person into handing over the keys themselves.
The term covers a broad spectrum of attacks — from a phone call impersonating a bank representative to an elaborate months-long campaign targeting a specific executive at a multinational company. What all social engineering attacks share is that they bypass technology entirely and target the weakest link in any security chain: the human being.
This is why social engineering is so devastatingly effective. You can install the most sophisticated cybersecurity infrastructure in the world — firewalls, endpoint protection, multi-factor authentication, intrusion detection systems — and a single phone call to the right employee, using the right script, can render all of it irrelevant in under three minutes.
The Verizon Data Breach Investigations Report consistently finds that the vast majority of data breaches involve a human element — and social engineering is the primary mechanism through which that human element is exploited. Understanding how these attacks work is not just relevant for security professionals. It is essential knowledge for anyone who uses the internet, owns a bank account, or works in an organisation — which is to say, almost everyone.
How Social Engineering Works: The Psychology Behind It
Social engineering is fundamentally an exercise in applied psychology. Skilled attackers do not need technical knowledge — they need to understand how people think, what makes them comply, and which cognitive shortcuts they can exploit. The most effective social engineers study their targets carefully before making contact and craft their approach around specific psychological triggers.
The Six Principles of Influence
Robert Cialdini's six principles of influence, originally documented in the context of legitimate persuasion, are the same mechanisms that social engineers weaponise. Understanding these principles is the foundation of both recognising and defending against manipulation.
- Authority: People comply more readily with requests from figures of authority — IT administrators, bank officials, law enforcement, senior management. An attacker impersonating a CEO or government representative immediately triggers deference in most targets.
- Urgency and Scarcity: Time pressure disables careful thinking. "Your account will be closed in 24 hours unless you verify your details immediately" is a classic urgency trigger that causes people to act before thinking critically.
- Social Proof: "Everyone else in your department has already completed this security update" reduces resistance by implying non-compliance is the outlier behaviour.
- Liking: People are more likely to comply with requests from people they like or feel a connection with. Attackers who spend time building rapport — sometimes over weeks — exploit this principle to devastating effect.
- Reciprocity: When someone does something for you, you feel obligated to return the favour. An attacker who provides something useful before making a request significantly increases their chance of compliance.
- Commitment and Consistency: Once someone has taken a small action — agreed to a minor request, confirmed their name and role — they are psychologically primed to continue complying to remain consistent with their previous behaviour.
Sophisticated social engineers layer multiple principles simultaneously. An attack might begin with a small helpful action (reciprocity), establish authority through a convincing persona, then apply urgency to close the interaction before the target has time to reconsider. This layered approach is what makes experienced social engineers extraordinarily difficult to resist even for well-trained individuals.
The Four Phases of a Social Engineering Attack
- Reconnaissance: The attacker gathers information about the target — their name, role, colleagues, company systems, recent events, and personal details. LinkedIn, company websites, social media, and public records are primary sources. This phase can take days or weeks for high-value targets.
- Building a Pretext: Using the gathered information, the attacker constructs a believable scenario — a persona, a story, and a reason for making contact that will seem legitimate to the target.
- The Attack: The attacker makes contact and executes the manipulation, using the psychological triggers above to elicit the desired action — a password, a file transfer, physical access, or a credential submission.
- Exit: The attacker disengages cleanly, ideally leaving the target unaware that anything unusual occurred. In some cases the target is left with a plausible explanation for the interaction that prevents them from reporting it.
Every Type of Social Engineering Attack Explained
Social engineering is not a single technique — it is a category of attacks encompassing dozens of distinct methods delivered across multiple channels. The following covers every major type, how it works, and how it appears in practice.
Phishing
Phishing is the most widespread social engineering attack and the entry point through which the majority of data breaches begin. An attacker sends a fraudulent email that appears to come from a trusted source — a bank, an employer, a government agency, or a familiar service like Google or Microsoft — and directs the recipient to a fake website where their credentials are harvested, or includes a malicious attachment that installs malware when opened.
Phishing campaigns range from mass-sent generic emails designed to catch a small percentage of a large audience, to highly targeted spear phishing attacks crafted specifically for a single individual using detailed personal and professional information gathered in advance.
Spear Phishing
Spear phishing is phishing with precision targeting. Where generic phishing casts a wide net, spear phishing is a carefully aimed strike at a specific individual. The email will reference their name, their role, their colleagues, recent company events, or specific projects they are working on — details that make the message appear unmistakably legitimate. Spear phishing is the attack vector most commonly used in corporate espionage, nation-state attacks, and high-value financial fraud.
Vishing (Voice Phishing)
Vishing uses phone calls rather than email to manipulate targets. An attacker calls posing as a bank fraud department, an IT help desk, a government tax authority, or a technology support representative. The combination of real-time conversation — which provides immediate social pressure and prevents reflection — and the apparent legitimacy of a phone call from a "professional" makes vishing highly effective even against security-aware individuals.
Smishing (SMS Phishing)
Smishing delivers social engineering payloads via SMS text messages. A message appearing to come from a parcel delivery company, a bank, or a government service directs the recipient to click a link or call a number. Mobile users are statistically more likely to click links in SMS messages than in emails, making smishing increasingly prevalent as mobile device use has grown.
Pretexting
Pretexting involves creating a fabricated scenario — a pretext — to extract information or gain access. An attacker might pose as a new employee who needs help accessing systems, a vendor requiring account verification, an auditor requesting financial records, or a journalist conducting research. Unlike phishing, pretexting typically involves extended interaction and a fully constructed false identity rather than a single deceptive message.
Baiting
Baiting exploits curiosity or greed by leaving something enticing for the target to discover. The classic example is leaving USB drives labelled "Salary Information Q1 2026" or "Executive Bonuses" in a company car park or reception area. A significant percentage of people who find such drives will plug them into a work computer out of curiosity — at which point malware installs automatically. Digital baiting uses enticing download links, pirated software, or fake prize notifications to achieve the same effect.
Tailgating and Piggybacking
These are physical social engineering techniques where an attacker gains access to a restricted physical space by following an authorised person through a secured door. Tailgating involves following without the person's knowledge; piggybacking involves convincing them to hold the door — typically by appearing to carry something, presenting false urgency, or simply being friendly and conversational. Both bypass physical security controls entirely.
Quid Pro Quo
Quid pro quo attacks offer something in exchange for information. An attacker posing as IT support might call employees at random offering to help them with a technical issue — and in the process of "helping," request their login credentials to perform the fix. The reciprocity principle makes targets willing to provide sensitive information in exchange for perceived assistance.
Watering Hole Attacks
Rather than targeting individuals directly, a watering hole attack compromises a website that the target is known to visit frequently — an industry forum, a trade publication, a supplier's portal. When the target visits the compromised site, malware is delivered silently. These attacks are used primarily by sophisticated threat actors targeting specific organisations or industries.
Real-World Social Engineering Examples
Understanding social engineering in the abstract is useful. Understanding it through real documented cases is transformative — it makes the threat concrete and demonstrates just how sophisticated and damaging these attacks can be.
The Twitter Bitcoin Scam (2020)
In July 2020, attackers compromised the Twitter accounts of Barack Obama, Joe Biden, Elon Musk, Apple, Uber, and dozens of other high-profile accounts simultaneously, posting bitcoin scam messages that generated over $100,000 in fraudulent transfers within hours. The attack did not involve any technical exploit of Twitter's systems. It was executed entirely through social engineering — specifically vishing calls to Twitter employees posing as IT staff, convincing them to reset credentials and provide access to internal admin tools. The entire operation was carried out by a group of teenagers with no advanced technical skills.
The RSA SecurID Breach (2011)
RSA Security, one of the world's most respected cybersecurity companies, suffered a significant breach when an employee opened a phishing email with the subject line "2011 Recruitment Plan." The attached spreadsheet contained an embedded exploit that installed a remote access tool on the employee's machine, eventually giving attackers access to data related to RSA's SecurID two-factor authentication tokens — which were subsequently used in attacks against defence contractors. The entire breach originated from a single employee opening a single email.
The Sony Pictures Hack (2014)
The attack on Sony Pictures, which resulted in the release of confidential employee data, unreleased films, and embarrassing executive emails, began with targeted spear phishing emails sent to Sony employees. The emails were carefully crafted using publicly available information about Sony's operations and personnel, and delivered malware that gave attackers persistent access to Sony's internal network for an extended period before the breach was detected.
Everyday Vishing: The Bank Impersonator
On a smaller but vastly more common scale, vishing attacks targeting individuals happen millions of times every year. A typical attack involves a call from someone claiming to be from the victim's bank fraud team, referencing the victim's name and partial account details gathered from data breaches or social media. The caller creates urgency by claiming suspicious transactions are occurring and requests the victim verify their full account number, PIN, or one-time password. Victims who comply provide attackers with everything needed to drain their accounts.
USB Baiting in Practice
A study conducted by researchers at the University of Illinois found that when 297 USB drives were dropped across a university campus, 45% were plugged into computers by people who found them — and many of those individuals clicked on files they found on the drives. This experiment demonstrated the effectiveness of baiting in a controlled academic environment; in a corporate setting where a targeted attacker has placed drives near a specific company's entrance, the results can be far more damaging.
| Attack Type | Primary Channel | Main Psychological Trigger | Typical Target | Skill Level Required |
|---|---|---|---|---|
| Phishing | Email | Authority + Urgency | Mass / General | Low |
| Spear Phishing | Email | Trust + Familiarity | Specific Individual | Medium–High |
| Vishing | Phone | Authority + Urgency | Individuals / Employees | Medium |
| Smishing | SMS | Urgency + Curiosity | Mobile Users | Low |
| Pretexting | Multiple | Trust + Reciprocity | Organisations | High |
| Baiting | Physical / Digital | Curiosity + Greed | Employees | Low |
| Tailgating | Physical | Politeness + Authority | Secure Facilities | Low–Medium |
How to Protect Yourself and Your Organisation
The fundamental challenge of defending against social engineering is that it exploits human nature rather than software vulnerabilities — and you cannot patch human beings the way you patch software. Effective defence requires a combination of education, procedural controls, and a healthy default scepticism about unexpected requests.
For Individuals
Verify independently before acting. If you receive a call, email, or message from someone claiming to represent your bank, employer, or any institution and requesting sensitive information or urgent action, hang up and call the organisation back using a number you have obtained independently — from their official website, the back of your card, or a known contact. Never use contact details provided in the suspicious communication itself.
Slow down when you feel rushed. Urgency is a manipulation tool. Any legitimate organisation will give you time to verify a request. If you are being pressured to act immediately, treat that pressure itself as a warning sign rather than a reason to comply.
Manage your digital footprint. Attackers use publicly available information to build convincing pretexts. Review your social media privacy settings, be cautious about what professional details you publish publicly on platforms like LinkedIn, and be aware that information you consider innocuous — your employer, your job title, your colleagues' names — is exactly what spear phishers use to craft targeted attacks.
Use multi-factor authentication everywhere. Even if a social engineer successfully obtains your password, MFA provides an additional layer that prevents immediate account access. Use an authenticator app rather than SMS-based codes where possible, as SIM-swapping attacks can compromise SMS-based MFA.
For Organisations
Security awareness training is non-negotiable. Regular, practical training that includes simulated phishing campaigns — sending fake phishing emails to employees and measuring click rates — is the single most effective organisational defence against social engineering. Employees who have been through realistic simulations respond significantly better to real attacks than those who have only received theoretical instruction.
Establish clear verification procedures. Create and communicate explicit protocols for handling requests involving sensitive information, fund transfers, or system access — especially requests received via email or phone. A simple rule such as "any request to transfer funds above £500 requires verbal confirmation from the requestor's known phone number" eliminates entire categories of fraud.
Build a culture where questioning is welcomed. Many social engineering attacks succeed because employees feel they cannot question a request from someone claiming to be in authority without appearing rude or incompetent. An organisation where employees are explicitly encouraged and rewarded for questioning unusual requests — regardless of the apparent seniority of the requestor — is significantly more resistant to social engineering than one where deference to authority is the default.
How to Spot a Social Engineering Attack in Progress
Recognising the warning signs of a social engineering attack in real time is a learnable skill. The following red flags, individually or in combination, should trigger immediate scepticism about any interaction.
- Unsolicited contact requesting sensitive information. Legitimate organisations do not cold-call or cold-email requesting passwords, PINs, full account numbers, or one-time codes. If contact is unexpected and the first thing requested is sensitive information, treat it as suspicious.
- Excessive urgency or threats of consequences. "Your account will be suspended," "you will be arrested," "this must be done in the next 30 minutes" — these are manufactured pressure tactics designed to prevent careful thinking.
- Requests to bypass normal procedures. "Don't go through the usual IT helpdesk, just send me your password directly" or "we need to keep this between us" are requests to circumvent the controls that exist precisely to prevent this kind of attack.
- Emotional manipulation. Attacks that create fear, excitement, sympathy, or guilt are attempting to engage your emotional rather than rational response. Significant emotional charge in an unexpected communication is a warning sign.
- Something too good to be true. Unexpected prizes, refunds, job offers, or opportunities that require you to act quickly or provide personal details to claim them are classic bait.
- Inconsistencies in the story. Slight inconsistencies in an attacker's cover story — details that do not quite match, an inability to answer verification questions, an email address that is almost but not quite correct — often betray a pretext under pressure.
- Requests for unusual payment methods. Requests to pay using gift cards, cryptocurrency, wire transfers to unfamiliar accounts, or any method that is difficult to reverse are almost universally associated with fraud.
Security researchers recommend treating any interaction that triggers more than one of these flags as a confirmed attack until proven otherwise, rather than giving the benefit of the doubt. The cost of incorrectly treating a legitimate contact as suspicious is minor; the cost of incorrectly treating a social engineering attack as legitimate can be catastrophic. For further reading on the tools attackers use once they have gained initial access, our Metasploit for Beginners guide and complete Nmap guide cover the technical side of what follows a successful social engineering compromise.
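As an added illustration that is not part of the original guide, the following Python sketch scores an inbound message against the red flags listed above and applies the "more than one flag" rule, including a check for sender addresses that are almost but not quite a known domain. The trusted-domain list, the phrase patterns and the three sample messages are all constructed for this example; the patterns are illustrative heuristics, not a complete detection rule set.

```python
import re

# Constructed allow-list: the domains this hypothetical organisation treats as known senders.
TRUSTED_DOMAINS = {"examplebank.com", "example-corp.com"}

# One illustrative phrase pattern per red flag from the list above (constructed, not exhaustive).
FLAG_PATTERNS = {
    "sensitive_info_request": r"\b(password|pin|one[- ]time (code|password)|otp|account number|security code)\b",
    "urgency_or_threat": r"\b(immediately|(within|in the next) \d+ (minutes|hours)|suspended|arrested|final notice)\b",
    "bypass_procedure": r"\b(don'?t (go through|contact|tell)|between us|skip the (helpdesk|usual))\b",
    "too_good_to_be_true": r"\b(you have won|prize|refund|claim your)\b",
    "unusual_payment": r"\b(gift cards?|bitcoin|cryptocurrency|wire transfer)\b",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch 'almost but not quite correct' sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(sender_domain: str, trusted: set, max_distance: int = 2):
    """Return the trusted domain that sender_domain closely imitates, or None for an exact match or no match."""
    if sender_domain in trusted:
        return None
    for candidate in sorted(trusted):
        if levenshtein(sender_domain, candidate) <= max_distance:
            return candidate
    return None


def triage(display_name: str, address: str, body: str):
    """Score one message and return (verdict, flags)."""
    flags = []
    text = body.lower()
    for name, pattern in FLAG_PATTERNS.items():
        if re.search(pattern, text):
            flags.append(name)

    domain = address.rsplit("@", 1)[-1].lower()
    imitated = lookalike_domain(domain, TRUSTED_DOMAINS)
    if imitated:
        flags.append(f"lookalike_domain:{imitated}")

    # A display name claiming one domain while the real address uses another is
    # the From-field spoofing the guide says must not be trusted as verification.
    claimed = re.search(r"@([\w.-]+)", display_name)
    if claimed and claimed.group(1).lower() != domain:
        flags.append("display_name_mismatch")

    # The guide's rule: more than one flag is treated as an attack, not given the benefit of the doubt.
    verdict = "treat_as_attack" if len(flags) > 1 else ("review" if flags else "ok")
    return verdict, flags


# Constructed sample messages: (display name, actual sender address, body).
SAMPLE_MESSAGES = [
    ("ExampleBank Fraud Team <fraud@examplebank.com>", "fraud@examp1ebank.com",
     "Suspicious transactions were detected. Your account will be suspended unless "
     "you verify your PIN and one-time code immediately."),
    ("IT Helpdesk", "helpdesk@example-corp.com",
     "Reminder: quarterly security awareness training is due by Friday. "
     "Register through the usual portal."),
    ("Jane Doe, CEO", "jane.doe@example-corp.co",
     "I'm in a meeting and need you to buy gift cards for a client in the next 30 minutes. "
     "Keep this between us."),
]

if __name__ == "__main__":
    for display, addr, body in SAMPLE_MESSAGES:
        verdict, flags = triage(display, addr, body)
        print(f"{addr:28} {verdict:16} {flags}")
```

A real deployment would feed these flags into a reporting workflow rather than block on them, since the guide's point is that the user (or the security team) verifies independently once a message trips more than one flag.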
Common Mistakes That Make You an Easy Target
Oversharing on social media and professional platforms. Your LinkedIn profile, your Twitter posts, your Instagram stories — attackers read all of it. Your job title, your employer, your colleagues' names, your recent projects, the conferences you attended, the tools your company uses — every piece of information narrows the pretext an attacker needs to construct to appear legitimate. This does not mean you should delete your online presence, but it does mean being deliberate about what you make publicly visible.
Assuming security is IT's problem. Social engineering works specifically because it bypasses technical security controls. An employee who believes that cybersecurity is handled by the IT department and therefore requires no personal vigilance is an ideal target. Security is a behaviour, not a system — and it requires active participation from every person in an organisation.
Reusing passwords across accounts. When a social engineer obtains one credential — whether through phishing, pretexting, or a data breach — password reuse allows that single compromised credential to unlock multiple accounts. A password manager that generates and stores unique passwords for every account eliminates this risk entirely.
Trusting caller ID and email sender addresses. Both are trivially easy to spoof. An attacker can make their call appear to come from your bank's official number and send an email that displays your CEO's exact email address in the From field. Neither is reliable verification of identity. The only reliable verification is a callback to an independently confirmed number.
Not reporting suspicious contact. Many people who receive a suspicious call or email and correctly identify it as an attack never report it — either because they feel embarrassed, because they do not know who to report it to, or because they assume someone else will. Unreported attacks give organisations no data about what is being attempted and leave colleagues vulnerable. Every suspicious contact should be reported to IT or security teams regardless of whether it succeeded.
Frequently Asked Questions
Is social engineering always carried out remotely?
No. While most social engineering attacks occur via email, phone, or SMS, a significant subset involves physical presence — tailgating into secured buildings, posing as delivery personnel or maintenance contractors, or leaving baited USB drives in public areas. Physical social engineering is often more effective than digital variants because people are less trained to be suspicious of face-to-face interactions than digital communications, and social norms around politeness make it psychologically harder to challenge someone standing in front of you.
Can technical people be socially engineered?
Yes, and they are often targeted specifically because of their access privileges. Technical staff — IT administrators, developers, security professionals — have elevated access to systems and are therefore higher-value targets. Research consistently shows that technical expertise does not provide significant protection against well-executed social engineering, partly because technical people may be overconfident in their ability to identify attacks and partly because the psychological principles being exploited are universal regardless of technical knowledge.
What is the difference between social engineering and phishing?
Phishing is one specific type of social engineering — the type delivered via fraudulent email. Social engineering is the broader category that encompasses all manipulation-based attacks regardless of channel, including phone calls (vishing), SMS (smishing), physical manipulation (tailgating, baiting), and extended impersonation campaigns (pretexting). All phishing is social engineering, but not all social engineering is phishing.
How do organisations test their employees' resilience to social engineering?
Organisations typically conduct simulated phishing campaigns — sending fake phishing emails to employees and tracking who clicks links, submits credentials, or reports the email. More advanced programmes include simulated vishing calls and physical penetration testing exercises where authorised testers attempt to tailgate into buildings or leave baited devices. The results are used to identify training gaps and measure improvement over time. Employees who fail simulations receive targeted training rather than punishment, creating a learning culture rather than a blame culture.
Is social engineering illegal?
When conducted without authorisation against real targets, social engineering is illegal under computer fraud and abuse laws in most jurisdictions, as well as potentially under fraud, identity theft, and wire fraud statutes depending on the specific actions taken. The same techniques are entirely legal when conducted by authorised penetration testers as part of a contracted security assessment — the key distinction, as with all ethical hacking, is explicit written authorisation from the target organisation. Our guide to making money as an ethical hacker covers how authorised social engineering testing fits into professional security assessments.
Conclusion
Social engineering is the most consistently effective attack technique in a cybercriminal's arsenal precisely because it targets something that cannot be patched, updated, or replaced — human psychology. The six principles of influence, the four phases of an attack, the eight distinct attack types covered in this guide — all of them work because they exploit the same mental shortcuts and social instincts that are, in most contexts, genuinely useful to us.
The defence is not paranoia. It is awareness, slow deliberate thinking in high-pressure situations, healthy scepticism about unexpected requests, and the organisational culture that makes it safe to question and verify rather than comply and trust. Understanding how these attacks work is the first and most important step toward not falling victim to them.
Social engineering is also the entry point that precedes most of the technical attacks covered elsewhere on Verxio — the phishing email that delivers malware, the vishing call that harvests credentials, the tailgating that provides physical access to a network. Understanding the human layer of security is the foundation on which all technical security knowledge builds.
Share this guide with someone who could benefit from understanding how these attacks work, bookmark it as a reference, and explore the rest of Verxio for comprehensive coverage of ethical hacking, Python, and cybersecurity from the ground up.