Cyber Security: What is Social Engineering?

Social engineering is the manipulation of people into performing actions or disclosing information that compromises security. It targets the human factor rather than the technology, and remains the single most successful attack vector despite decades of technical progress in firewalls, encryption, and detection.

Why social engineering works

People are wired to trust, to defer to authority, to respond to time pressure, and to help. A well-crafted social-engineering attack exploits one or more of these reflexes in a context where the target has no reason to question what they are doing. The defender’s job is not to eliminate human nature; it is to design processes and controls that contain the damage when a human inevitably gets things wrong.

Common techniques

Phishing uses email to impersonate a trusted sender, and is the dominant vector by volume.

Spear phishing tailors the message to a specific individual using research, significantly raising the success rate.

Vishing is voice phishing, often involving an impersonated IT support call or bank fraud alert.

Smishing uses SMS, particularly effective on personal devices where corporate filtering does not apply.

Pretexting establishes a fabricated identity and back-story to extract information over multiple interactions; it is common in business email compromise.

Baiting leaves something attractive (a USB stick, a download link, a free voucher) that the target acts on without questioning.

Tailgating follows an authorised person through a physical access control by social pressure (carrying a heavy box, looking distracted, holding a coffee).
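Several of the techniques above (phishing, spear phishing, pretexting for business email compromise) start with a sender who is not who the display name says. As an added example, not part of the original article, the Python script below runs three defender-side header heuristics over a handful of constructed messages: a display name that matches the staff directory but arrives from an external domain, a Reply-To domain that differs from the From domain, and a sender or reply domain that is a near-miss of the corporate domain. The corporate domain, the directory and the sample headers are all assumptions made for the illustration.

```python
"""Header-level impersonation heuristics for inbound mail triage.

Added example, not from the original article. The corporate domain, the
staff directory and the sample messages are all constructed.
"""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumed corporate domain

# Assumed directory: display names attackers like to borrow -> real mailbox.
DIRECTORY = {
    "alice finance": "alice@example.com",
    "it support": "helpdesk@example.com",
}


def levenshtein(a, b):
    """Edit distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain):
    """External domain within two edits of ours, or reusing our first label
    (example-com.net, example.com.evil.org) among its own labels."""
    if not domain or domain == INTERNAL_DOMAIN:
        return False
    our_label = INTERNAL_DOMAIN.split(".")[0]
    labels = re.split(r"[.-]", domain)
    return levenshtein(domain, INTERNAL_DOMAIN) <= 2 or our_label in labels


def analyse(headers):
    """Return the set of findings for one message's parsed headers."""
    findings = set()
    name, from_addr = parseaddr(headers.get("From", ""))
    from_dom = domain_of(from_addr)
    key = re.sub(r"\s+", " ", name).strip().lower()
    if key in DIRECTORY and from_dom != INTERNAL_DOMAIN:
        findings.add("display-name-impersonation")
    domains = {from_dom}
    if headers.get("Reply-To"):
        rt_dom = domain_of(parseaddr(headers["Reply-To"])[1])
        domains.add(rt_dom)
        if rt_dom != from_dom:
            findings.add("reply-to-mismatch")
    if any(is_lookalike(d) for d in domains):
        findings.add("lookalike-domain")
    return findings


# Constructed sample headers (a real pipeline would read them from the MTA).
SAMPLES = [
    {"From": "Alice Finance <alice.finance@gmail.com>",
     "Subject": "Urgent: update supplier bank details"},
    {"From": "Alice Finance <alice@example.com>", "Reply-To": "alice@exarnple.com",
     "Subject": "Re: invoice 4471"},
    {"From": "IT Support <helpdesk@example-com.net>",
     "Subject": "Your password expires today"},
    {"From": "Bob <bob@partner.org>", "Subject": "Lunch on Thursday?"},
]


def triage(messages):
    """Pair each subject with its findings; an empty list means nothing flagged."""
    return [(m["Subject"], sorted(analyse(m))) for m in messages]


if __name__ == "__main__":
    for subject, flags in triage(SAMPLES):
        print(f"{subject!r}: {flags or 'clean'}")
```

None of these checks proves a message is malicious; a partner who genuinely mails from a personal account will trip the first one. Their value is in routing the flagged message to a human with the reason attached, which is exactly the context a user needs to pause before acting on an urgent payment request.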

Defences

Awareness training matters but is not a complete defence; users will fall for sophisticated attacks however well trained they are. Effective defence combines training with process and technical controls: out-of-band confirmation for high-value actions (payments, bank-detail changes), multi-factor authentication that resists phishing (FIDO2 hardware keys), clear, easy reporting channels with feedback, and a no-blame culture that supports staff who report rather than hide a mistake.
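The out-of-band confirmation mentioned above only works if the confirmation channel and the contact details come from somewhere the attacker does not control. As an added example, not part of the original article, the Python below models a bank-detail change workflow with three process controls: the confirmation must use a different channel from the one the request arrived on, the callback number must come from the vendor master record rather than from the request, and the approver must be a different person from the requester. The vendor record, names and numbers are constructed for the illustration.

```python
"""Out-of-band confirmation workflow for supplier bank-detail changes.

Added example, not from the original article. Vendor records, identities
and phone numbers below are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed system-of-record entry. The callback number lives here, so a
# request that says "ring me on this new number" cannot substitute its own.
VENDOR_MASTER = {
    "ACME-001": {"name": "Acme Ltd", "iban": "IBAN-OLD-0001",
                 "callback_phone": "+44-20-0000-0001"},
}


@dataclass
class ChangeRequest:
    vendor_id: str
    new_iban: str
    requested_by: str                 # staff identity that logged the request
    channel: str                      # channel it arrived on, e.g. "email"
    claimed_callback: Optional[str]   # number the request asks us to ring (untrusted)
    state: str = "pending"
    approved_by: Optional[str] = None


def confirm_out_of_band(req, channel, number_dialled):
    """Confirmation counts only if it used a different channel from the
    request and the number dialled is the one on the master record."""
    record = VENDOR_MASTER.get(req.vendor_id)
    if record is None or req.state != "pending":
        return False
    if channel == req.channel:
        return False   # replying on the same thread just talks to whoever sent it
    if number_dialled != record["callback_phone"]:
        return False   # a number supplied inside the request is not evidence
    req.state = "confirmed"
    return True


def approve(req, approver):
    """Four-eyes rule: the approver must differ from the requester."""
    if req.state != "confirmed" or approver == req.requested_by:
        return False
    req.state, req.approved_by = "approved", approver
    return True


def apply_change(req):
    """Only an approved request may touch the master record."""
    if req.state != "approved":
        return False
    VENDOR_MASTER[req.vendor_id]["iban"] = req.new_iban
    req.state = "applied"
    return True


def demo():
    """Walk a request that arrived by email carrying its own 'call me here' number."""
    req = ChangeRequest("ACME-001", "IBAN-NEW-9999", "payables@example.com",
                        "email", "+1-555-0100")
    steps = [
        confirm_out_of_band(req, "email", req.claimed_callback),  # same channel: rejected
        confirm_out_of_band(req, "phone", req.claimed_callback),  # request's own number: rejected
        confirm_out_of_band(req, "phone", VENDOR_MASTER["ACME-001"]["callback_phone"]),  # accepted
        approve(req, "payables@example.com"),    # requester approving own request: rejected
        approve(req, "controller@example.com"),  # independent approver: accepted
        apply_change(req),
    ]
    return steps, req.state, VENDOR_MASTER["ACME-001"]["iban"]


if __name__ == "__main__":
    print(demo())
```

The point of encoding the rules in the workflow rather than in a training slide is that the control holds on the day the finance clerk is busy, tired and being told the payment is overdue; the request cannot be applied until someone has dialled the number the organisation already holds and a second person has signed off.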

In penetration testing

Social-engineering assessments are commissioned to measure how the organisation responds to realistic attack scenarios. They are scoped carefully, with executive authorisation, agreed scenarios, and clear rules to protect the people involved. The output is data that informs investment in technical controls, process design, and training programmes rather than a list to punish individuals.

Related terms

See also: phishing, penetration testing, and ethical hacker.
