Cybersecurity Knowledge Base

CyberPedia


Your essential guide to cybersecurity threats, attacks, and defenses. Understand the risks. Protect your business.

Social Engineering


Overview

Social engineering is the art of tricking people into doing something that helps an attacker, such as sharing information, clicking a link, running a program, or letting someone into a building. Instead of “hacking” computers directly, social engineers hack human trust, habits, and emotions.

In plain terms: social engineering is when someone lies or manipulates you so you unknowingly make their attack succeed.

What Social Engineering Looks Like

Social engineering can appear in many forms, including:

  • Digital messages

    • Phishing emails, smishing texts, vishing phone calls, social media messages, or fake support chats.

  • In‑person interactions

    • Someone at the front desk claiming to be a repair technician, delivery driver, or new employee who needs access.

  • Pretexting (made‑up stories)

    • The attacker uses a believable scenario (“I’m from IT,” “I’m your vendor,” “I’m with the bank”) to justify unusual requests.

  • Quid pro quo

    • “Do this for me and I’ll do something for you”—for example, promising tech help, discounts, or rewards in exchange for information or access.

Common Goals of Social Engineering

Social engineers are usually trying to:

  • Steal information

    • Passwords, one‑time codes, personal data, financial details, company secrets, or customer records.

  • Gain access

    • Logins to email or systems, remote access to devices, or physical access to offices, server rooms, or locked areas.

  • Bypass technical defenses

    • Instead of attacking firewalls or encryption, they convince a person to simply open the door (literally or digitally).

Typical Social Engineering Techniques

  1. Phishing (email)

    • Fake emails that look like they’re from banks, services, or coworkers, asking you to click, open, or log in.

  2. Smishing and vishing (text and voice)

    • Scam texts and phone calls that impersonate trusted organizations, pushing you to act quickly or share information.

  3. Impersonation and pretexting

    • Someone claims to be IT, HR, a vendor, a new staff member, or even a government official to justify why they need access or information.

  4. Tailgating / piggybacking

    • Following someone through a locked door, either unnoticed or by asking them to “hold it open,” so the badge check is never applied to the person behind. (Tailgating is done without the door-holder's consent; piggybacking relies on their willingness to help.)

  5. Baiting

    • Leaving malware-laden USB drives, malicious QR codes, or tempting download links where someone will find them, counting on curiosity to do the rest.

  6. Quid pro quo

    • Offering something (support, gift cards, discounts) in exchange for access or data.

Why Social Engineering Works

Social engineering succeeds because it targets human nature:

  • Trust and helpfulness

    • People want to be polite, helpful, and cooperative—especially at work.

  • Authority and fear

    • Many people hesitate to question someone who claims to be a manager, IT, law enforcement, or a major vendor.

  • Urgency and pressure

    • Attackers create time pressure so victims act first and think later.

  • Curiosity and greed

    • Promises of rewards, prizes, or insider information can override caution.

  • Routine and distraction

    • When people are busy or multitasking, it’s easy to miss red flags.

Business Impact

A single successful social engineering attempt can:

  • Lead to account compromise, allowing attackers into email, cloud services, or internal applications.

  • Enable malware or ransomware infections if someone opens a malicious file or installs “support” software.

  • Cause data breaches, exposing customer, patient, or employee information.

  • Result in financial losses, such as fraudulent transfers or invoice changes.

  • Damage reputation and trust, especially if clients or partners are also affected.

Red Flags to Watch For

Take extra care when you see any of these:

  • Unexpected requests for passwords, one‑time codes, or sensitive data.

  • Messages or calls that feel urgent, threatening, or overly emotional.

  • Requests to bypass normal processes (“Just do this quickly—don’t tell anyone” or “We’ll fix the paperwork later”).

  • People who refuse to provide verifiable identification but still ask for access or information.

  • Offers that sound too good to be true (easy money, huge discounts, secret deals).
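The phishing technique above and the red flags in this list can be turned into a simple automated triage check. The following is an added example written for this page, not code from the original; the two e-mail messages, the keyword lists, the scoring weights and the claimed-domain lookup are all constructed assumptions for illustration, not a standard or a vendor product. It parses a raw message and reports the indicators a trained reader would look for: sender domain not matching the organisation it claims to be, a Reply-To pointing elsewhere, urgency and secrecy language, requests for passwords or one-time codes, and links whose visible text disagrees with their real target.

```python
"""Score a raw e-mail for common social-engineering red flags.

Added example for this page, not code from the original. Both messages below
are constructed for illustration; the keyword lists are assumptions.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a "bank" notice whose From domain, Reply-To and link
# target all disagree with the organisation it claims to come from.
SAMPLE_EMAIL = b"""\
From: "Example Bank Security" <alerts@examplebank-verify.com>
Reply-To: support@mail-relay.example.net
To: victim@example.org
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Verify your identity immediately or your
account will be locked.</p>
<p>Please confirm your password and the one-time code we just sent:
<a href="http://examplebank.verify-login.example.net/confirm">https://www.examplebank.com/secure</a></p>
<p>Do not contact your branch; this matter is confidential.</p>
</body></html>
"""

# Constructed benign counterpart from the real domain, for comparison.
BENIGN_EMAIL = b"""\
From: "Example Bank" <alerts@examplebank.com>
To: victim@example.org
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your monthly statement is now available in online banking.</p>
<p><a href="https://www.examplebank.com/statements">Sign in to view it</a></p>
</body></html>
"""

# Assumed indicator vocabularies; tune these to your own environment.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "locked")
CREDENTIAL_WORDS = ("password", "one-time code", "verification code", "passcode")
SECRECY_WORDS = ("confidential", "do not contact", "don't tell")


class LinkExtractor(HTMLParser):
    """Collect (href, anchor_text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'example.com' from 'a.b.example.com' (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of(addr):
    """Registered domain of the address part of a From/Reply-To header."""
    return registered_domain(parseaddr(str(addr))[1].rpartition("@")[2])


def score_message(raw, claimed_domain):
    """Return (score, reasons). claimed_domain is the organisation's real
    domain, looked up independently (the 'trusted channel'), never taken
    from the message itself."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    from_dom = domain_of(msg["From"])
    if from_dom != claimed_domain:
        reasons.append(f"sender domain {from_dom} is not {claimed_domain}")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        reasons.append("Reply-To goes to a different domain than From")

    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = body.lower()
    subject = (msg["Subject"] or "").lower()
    if any(w in subject or w in text for w in URGENCY_WORDS):
        reasons.append("urgency or threat language")
    if any(w in text for w in CREDENTIAL_WORDS):
        reasons.append("asks for a password or one-time code")
    if any(w in text for w in SECRECY_WORDS):
        reasons.append("asks you to bypass normal channels or keep it secret")

    extractor = LinkExtractor()
    extractor.feed(body)
    for href, anchor in extractor.links:
        target = urlparse(href)
        href_dom = registered_domain(target.hostname or "")
        if href_dom != claimed_domain:
            reasons.append(f"link points to {href_dom}, not {claimed_domain}")
        shown = re.search(r"https?://([^/\s]+)", anchor)
        if shown and registered_domain(shown.group(1)) != href_dom:
            reasons.append("link text shows a different domain than its target")
        if target.scheme == "http":
            reasons.append("link is plain http")

    return len(reasons), reasons


if __name__ == "__main__":
    for name, raw in (("suspicious", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        score, reasons = score_message(raw, "examplebank.com")
        print(f"{name}: {score} red flag(s)")
        for reason in reasons:
            print("  -", reason)
```

Two caveats a practitioner should keep in mind. First, every header this script reads is attacker-controlled, so a low score is evidence of nothing; the check is a triage aid for a reporting queue, not a replacement for the "verify using a trusted channel" step, which is why the real domain is passed in rather than read from the message. Second, the domain matching here is deliberately crude (it has no public-suffix list), so a production version would use a proper library for that and would also consider attachments and authentication results such as SPF and DKIM.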

Key Prevention Tips (Plain‑Language)

For individuals and staff:

  1. Slow down when something feels urgent or emotional

    • Urgency is a tool; taking a moment to think can break the scam.

  2. Verify using a trusted channel

    • If someone claims to be from your bank, IT, HR, or a vendor, contact them back using official contact information—not what’s in the message or call.

  3. Follow “need‑to‑know” and “least‑privilege” thinking

    • Only share information or grant access when it clearly matches the person’s role and the business need.

  4. Never share passwords or full one‑time codes

    • Legitimate organizations will not ask for your password. Never read a multi‑factor code to someone who calls you, and never approve a sign‑in prompt or push notification you did not start yourself.

  5. Protect physical access

    • Don’t let unknown people tailgate through secure doors. Politely direct visitors to sign‑in procedures or reception.

  6. Use company processes

    • Follow established procedures for approvals, payments, and access requests—even if someone senior pressures you to skip them.

What Organizations Should Do

To reduce social engineering risk, organizations should:

  • Provide regular training with realistic examples and short refreshers.

  • Make it easy and safe to report suspicious emails, calls, visitors, or requests.

  • Clearly document and communicate what IT, HR, finance, and other departments will and will not ask for.

  • Enforce technical controls (MFA, preferably phishing‑resistant methods; role‑based access; logging and alerting) that limit the damage from a single mistake.

  • Conduct controlled simulated attacks (phishing tests, social‑engineering exercises) to measure and improve readiness.

What To Do If You Think You’ve Been Socially Engineered

If you suspect you shared something or allowed access you shouldn’t have:

  1. Don’t panic—but act quickly.

  2. Report it immediately to your IT/security team or manager; early reporting greatly reduces damage.

  3. Change affected passwords, sign out of all active sessions where the service allows it, and enable or review multi‑factor authentication.

  4. Provide all details you remember (what was asked, what you did, any links, phone numbers, or names used).

  5. Cooperate with any follow‑up checks, such as device scans, access reviews, or customer notifications.