Social Engineering
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information, exploiting human trust and behavior rather than technical vulnerabilities.
Social engineering is a category of cyberattack that targets the human element rather than technical systems. Attackers use psychological manipulation techniques to trick individuals into revealing sensitive information, granting access to secure systems, transferring funds, or performing other actions that compromise security. Social engineering is consistently one of the most effective attack vectors because it exploits fundamental human traits such as trust, helpfulness, curiosity, fear, and urgency.
Common social engineering techniques include phishing (fraudulent emails or messages), vishing (voice-based phishing over the phone), smishing (SMS-based phishing), pretexting (creating a fabricated scenario to gain trust), baiting (leaving infected media for someone to find), tailgating (following authorized personnel into secure areas), and quid pro quo attacks (offering something in exchange for information). Spear phishing targets specific individuals with personalized messages, while whaling targets senior executives.
Advanced social engineering attacks often combine multiple techniques and extensive research about the target. Attackers may study social media profiles, corporate websites, and public records to craft convincing pretexts. Business email compromise (BEC) attacks, which use impersonation of executives or trusted partners to authorize fraudulent transactions, have caused billions of dollars in losses worldwide.
Defending against social engineering requires a multi-layered approach that combines technical controls with human awareness. Security awareness training teaches employees to recognize and report social engineering attempts. Simulated phishing campaigns test and reinforce training. Technical controls such as email filtering, multi-factor authentication, and URL reputation checking provide additional layers of protection. Establishing clear procedures for verifying requests, especially those involving financial transactions or sensitive data, helps prevent successful attacks.
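The email-filtering and verification controls mentioned above can be illustrated with a small indicator scorer. The Python script below is an added example, not code from the original page: it parses inbound messages with the standard library and flags the signals a BEC or phishing message typically carries (an executive's display name on an external address, a Reply-To that points at a different domain than From, a look-alike sender domain, a link whose visible text names a different host than its href, and urgency or payment wording). The internal domain, executive names, term list, thresholds and all three sample messages are constructed for the example; a real deployment would load the directory data and tune the wording list.

```python
"""Heuristic inbound-mail scorer for common phishing / BEC indicators.

Added example, not from the original page. Domain names, executive list,
sample messages and the quarantine threshold are all constructed.
"""
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"            # constructed: the organisation's own domain
EXECUTIVE_NAMES = {"jane doe", "alice ceo"}  # constructed: names often impersonated in BEC
URGENCY_TERMS = ("urgent", "immediately", "wire", "gift card",
                 "confidential", "before end of day")  # constructed wording list
HREF_RE = re.compile(r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def is_internal(domain: str) -> bool:
    """True for the organisation's domain or any of its subdomains."""
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw: str) -> dict:
    """Score one RFC 5322 message and return its indicators and a verdict."""
    msg = Parser(policy=policy.default).parsestr(raw)
    indicators = []

    name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)
    if name.strip().lower() in EXECUTIVE_NAMES and not is_internal(from_domain):
        indicators.append("display name impersonates an executive from an external domain")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        indicators.append("Reply-To domain differs from From domain")

    # A domain one or two edits away from ours is a classic BEC look-alike.
    if from_domain and not is_internal(from_domain) and 0 < edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        indicators.append("look-alike sender domain")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for m in HREF_RE.finditer(text):
        href_host = (urlparse(m.group("href")).hostname or "").lower()
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", m.group("text").lower())
        if shown and href_host and shown.group(1) != href_host:
            indicators.append("link text names a different host than its href")
            break

    haystack = (str(msg.get("Subject", "")) + " " + text).lower()
    if any(term in haystack for term in URGENCY_TERMS):
        indicators.append("urgency or payment wording")

    verdict = "quarantine" if len(indicators) >= 2 else ("flag" if indicators else "deliver")
    return {"from": from_addr, "indicators": indicators, "verdict": verdict}


# Constructed sample messages (not real traffic).
BEC_SAMPLE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: accounts@freemail-example.net
To: bob@example.com
Subject: Urgent wire transfer before end of day
Content-Type: text/plain; charset="utf-8"

Bob, I need you to process a wire immediately. Keep this confidential.
"""

LINK_SAMPLE = """\
From: "Payroll" <notify@payroll-portal.example.net>
To: bob@example.com
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="http://login.evil-example.org/x">https://portal.example.com</a> immediately.</p>
"""

BENIGN_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: bob@example.com
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain; charset="utf-8"

The file server will be offline from 08:00 to 10:00. No action is required.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("link", LINK_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = analyse(sample)
        print(f"{label:6} -> {result['verdict']:10} {result['indicators']}")
```

The verdict is deliberately a count rather than a single decisive rule: any one signal has benign explanations (marketing mail routinely uses a different Reply-To, and internal staff do write "urgent"), so a filter like this is best used to route suspect mail for review and to trigger the out-of-band verification procedure for payment requests, not to block on its own.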