Social engineering attacks manipulate people rather than machines. Instead of exploiting a software bug, the attacker exploits trust, urgency, fear, or authority to convince a victim to hand over credentials, transfer money, or grant access.
Common Social Engineering Techniques
| Technique | How It Works | Example |
|---|---|---|
| Phishing | Fake email impersonating a trusted brand | "Your account has been suspended — click to verify" |
| Spear phishing | Targeted phishing using personal details | Email using your real name, boss's name, and job title |
| Vishing | Voice phishing over the phone | Caller pretends to be bank fraud department |
| Smishing | SMS-based phishing | Text: "Your parcel is held — pay fee here" |
| Pretexting | Fabricated scenario to extract information | Posing as IT support to get your login credentials |
| Baiting | Tempts the victim with a malicious physical item or download | USB drive labelled "Payroll 2025" left in a car park |
| Quid pro quo | Offers a service or favour in exchange for access | Caller claiming to be the helpdesk offers to "fix" a problem you never reported, in return for your login |
Why Social Engineering Works
Attackers exploit well-documented psychological principles:
- Authority — People comply with those who appear to be in charge
- Urgency — Time pressure short-circuits critical thinking
- Scarcity — Fear of missing out drives rushed decisions
- Familiarity — People trust those who seem to know them
- Social proof — People follow what they believe others do
How to Protect Yourself
- Verify unexpected requests through a separate, known channel before acting: call the number on your card or in the internal directory, not one supplied in the message
- Never give credentials to anyone over the phone or email. A legitimate IT helpdesk can reset your password without knowing it, so it has no reason to ask for it
- Enable multi-factor authentication so a stolen password alone is not enough. One-time codes and push prompts can themselves be phished or approved under pressure; phishing-resistant methods such as FIDO2 security keys or passkeys close that gap
- Take time before clicking: urgency is a red flag, not a reason to rush
- Train regularly. Awareness lowers the chance that a lure gets through, but it should back up technical controls such as MFA and mail filtering, not replace them
People Also Ask
- What is the most common social engineering attack?
- Phishing is by far the most common. The Anti-Phishing Working Group reported over a million phishing attacks per quarter in 2023. Most begin with a convincing-looking email that mimics a trusted brand.
- How can I tell if an email is a phishing attempt?
- Check the sender's actual address, not just the display name, which is free text the sender chooses; hover over links to see the real destination and compare its domain with the one shown in the link text, watching for lookalike domains with an extra word or a swapped letter; look for spelling errors and generic greetings like "Dear Customer"; and be suspicious of any email creating urgency around account access or payments. When in doubt, reach the service through a bookmark or a typed address rather than through the email.
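The checks in that answer can be automated. The script below is an added example, not code from the original page: it parses a raw message with Python's standard `email` library, compares the display name with the real sender domain, compares each link's visible text with its actual `href`, and looks for a generic greeting and urgency phrases. The brand table (`KNOWN_BRANDS`), the sample messages and every domain in them are constructed for illustration; `registrable_domain` deliberately uses a two-label approximation rather than the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the organisation expects mail from, mapped to the domain they really
# send from. Hypothetical: "Acme Bank" and acmebank.example are made up.
KNOWN_BRANDS = {"acme bank": "acmebank.example"}

# Phrases that signal the time pressure the article describes.
URGENCY_TERMS = ["urgent", "suspended", "immediately", "within 24 hours",
                 "verify your account", "permanently closed"]

# Constructed sample messages (not real mail); every domain is fictional.
PHISH_EML = """From: "Acme Bank Security" <alerts@acmebank-secure-login.example>
To: victim@example.org
Subject: URGENT: Your account has been suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account has been suspended. You must
<a href="http://login.acmebank.example.attacker.example/verify">verify your account within 24 hours</a>
or it will be permanently closed.</p>
<p>Regards, <a href="http://login.acmebank.example.attacker.example/">www.acmebank.example</a></p>
</body></html>
"""

BENIGN_EML = """From: "Acme Bank" <notifications@acmebank.example>
To: victim@example.org
Subject: Your March statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello Jordan,</p>
<p>Your statement is available at
<a href="https://www.acmebank.example/statements">www.acmebank.example</a>.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    """Crude registrable-domain extraction (last two labels). Real code should
    consult the Public Suffix List; two labels is wrong for co.uk-style suffixes."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def html_body(msg):
    """Return the decoded text/html part of a parsed message, or "" if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyse(raw_message):
    """Apply the checks from the answer above and return a list of findings."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. The display name is free text; only the address inside <...> counts.
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in name.lower() and registrable_domain(from_domain) != real_domain:
            findings.append(f"display name claims '{brand}' but sender domain is {from_domain}")
    if "@" in name and name.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"display name '{name}' looks like an address but sender is {addr}")

    # 2. "Hover before clicking": compare the visible link text with the real href.
    body = html_body(msg)
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append(f"link points at a bare IP address: {href}")
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", text, re.I):
            text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(text_host) != registrable_domain(host):
                findings.append(f"link text shows {text_host} but href goes to {host}")

    # 3. Generic greeting, and 4. urgency language in subject or body.
    plain = re.sub(r"<[^>]+>", " ", body)
    if re.search(r"\bDear (Customer|User|Member|Account Holder)\b", plain, re.I):
        findings.append("generic greeting instead of the recipient's name")
    haystack = msg.get("Subject", "") + " " + plain
    hits = [t for t in URGENCY_TERMS if re.search(r"\b" + re.escape(t) + r"\b", haystack, re.I)]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, eml in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(label, analyse(eml) or ["no findings"])
```

Run it and the constructed phishing sample produces four findings (brand in the display name but a different sender domain, link text that does not match the real destination, a generic greeting, and urgency phrases) while the benign statement notice produces none. None of these checks is conclusive on its own; a mail filter would score them together, and a human reader should treat any one of them as a reason to verify through a separate channel.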