Social Engineering


What Is Social Engineering?

Social engineering in cybersecurity is the art of manipulating people to gain unauthorized access to buildings, systems, or data. Unlike traditional hacking, which targets technical vulnerabilities, social engineering exploits human psychology – the organic layer of your defenses.


Humans naturally want to help others, especially in professional roles like receptionists or help desk workers. Threat actors leverage this goodwill, often bending rules or bypassing protocols to achieve their goals. They may exploit empathy, authority, or a desire to appear helpful, steering victims into actions that compromise security.

These attacks can be swift, such as a single phone call, or unfold gradually, building trust over time. The ultimate aim is to bypass or undermine your security measures.

Key Takeaways

  • Social engineering exploits human behavior, such as trust and fear, to bypass security instead of relying on technical hacking.
  • Attackers often use methods like phishing emails, impersonating employees, or tailgating to gain access to sensitive areas or information.
  • Threat actors gather intelligence from public platforms like LinkedIn and social media to make their attacks more convincing.
  • Training employees to recognize social engineering tactics and implementing strict security protocols reduce risks significantly.
  • Building awareness and embedding security practices into everyday actions is the most effective way to prevent attacks.

How Social Engineering Works

So, how does social engineering work? It works by taking advantage of how people naturally think and act. Instead of hacking into systems directly, attackers “hack” humans by manipulating trust, emotions, or basic social norms to get what they want – whether that’s sensitive information, access to a building, or control of a system.

At its core, it’s about exploiting the tendencies we all have. Most people want to help others, follow rules, or avoid trouble. For example, an attacker might pretend to be from IT and convince someone to hand over their login details by creating a fake sense of urgency. Or they might play on sympathy, acting like they’re in a tough spot to get someone to bend the rules.

The tactics vary a lot. It could be a phishing email that looks like it’s from your bank, a phone call from someone pretending to be your boss, or even someone sneaking into a secure area by tailgating behind an employee. These tricks work because they seem normal or believable at the moment.

The key to staying safe is being aware of how social engineering works so you can recognize these tactics and think twice before reacting.


Types of Social Engineering

Social engineering comes in various forms.

Here are the main types of social engineering attacks:

Phishing
Fraudulent emails trick victims into sharing sensitive information, such as passwords or credit card numbers.
Pretexting
Attackers create fake scenarios to extract personal data, like pretending to be a bank or IT staff.
Baiting
Victims are lured with enticing offers, such as free software, to download malware or reveal information.
Tailgating
Attackers gain physical access to secure areas by following someone through a door.

Each method exploits trust, curiosity, or urgency to bypass security.

How Threat Actors Use Social Engineering

Social engineering attacks can involve phone conversations, email, or attending your premises in person. Quite often, a blend of these techniques is used to suit the needs of the attack.

Reconnaissance

Threat actors will do intelligence gathering on the target within the company. They monitor X (previously Twitter) and LinkedIn and look for information that gives them an edge. Social media is a two-edged sword. What you broadcast to the world can easily be turned against you.

  1. A threat actor may see that a senior staff member is going to be out of the office at a conference. This is the sort of information they can use. It gives the threat actor an “in.”
  2. They’ll ring and ask to speak to that person’s PA. Because they are talking about a genuine event, the PA has no reason to suspect the caller is fraudulent.
  3. If the threat actor has “spoofed” the calling line ID, making the call appear to originate from the genuine phone number for the event, the illusion is even more compelling.
  4. They will present a problem and ask for assistance to sort it out: “We have a record of his booking but no record of a deposit or payment. I’m going to be for the high jump if I can’t sort this out before I go off shift in the next ten minutes. I’m really hoping you can save my skin. Do you happen to have the details of the credit card the booking was made with so that I can look it up?”

Attacks by Phone

The simplest attacks are often the best, and technical support is a common target. Their job is to solve problems. Their working day is devoted to trying to satisfy the caller’s needs and to make problems disappear.

Impersonating a new employee
  • Companies often make posts like this on LinkedIn or Twitter: “Welcome to the newest member of the company, Mr. New Person. He’ll be joining the XYZ team,” etc.
  • A threat actor can ring your tech support team out of hours and pretend to be that person. They’ll say they have just started working there – “yeah, I’m in the XYZ team” – but can’t access the office systems from home.
  • This scenario often works because new employees often have teething problems. They’re not expected to know their way around the systems yet, nor will it be suspicious if they can’t answer a question they may be asked. And because it is out of hours, there’s no one to cross-reference or check with.
  • Typically the threat actor will work the conversation round to the point where the easiest thing for the tech support guys to do is perform a password reset and give the caller his new password.
Involving tech support in something sensitive
  • Another ruse is to ring tech support and pretend to be someone from the HR Internal Investigations team, acting on a matter of sensitivity and requiring the utmost discretion. They’ll mention a real person in the business so senior that the tech support engineer has definitely heard of them.
  • “They’re under investigation, I can’t tell you why, obviously, but we need their account locked right away and a new password set on it so that external auditors can get in, but he can’t. This is the password to use…”
  • Of course, the threat actor has simply picked a name from the Meet the Team page of the website. This ploy works by making the person being duped feel like they are part of something important, secret, and “big.”
Building a back story for a malicious attachment
  • An equally simple ploy is to ring tech support and go through the motions of describing a problem with the threat actor’s email. No matter what they try, the issue remains.
  • The threat actor will offer to send a screenshot or a log file to the support engineer from their personal email, which of course, is still working.
  • Primed and waiting for the email, as soon as the support engineer receives it, he opens the malicious attachment immediately. The threat actor has successfully installed malware on the network.
Impersonating tech support
  • One technique is to ring reception. They ask for a name they’ve picked from LinkedIn or elsewhere. When they get through to them, they explain they are tech support, or from the remote data center, or something similar.
  • “You seem to be gobbling up hard drive space on the server, are you copying a lot of data or something?”
  • Of course, the person says no, they’re not. After some more questions and frantic typing by the “tech support engineer,” they conclude that the staff member’s account has been compromised. It looks like someone is stockpiling company data, ready to copy it out of the network. Sounding increasingly excited, he gets them to log out and back in again. “No, nothing has changed. It’s still going on.”
  • The tech support guy, audibly straining to stay calm, tells the staff member he’s going to forcibly kill all processes for that account.
  • “If I do that, though, I’ll have to log you back in, you won’t be able to do it. What is your username? OK, thanks. And what is your current password? Got it, OK, log out now.”
  • After a short pause, the “support engineer” says, “That’s great, I’ve stopped it. Actually, you can log back in and carry on as normal, I didn’t need to wipe your account after all.” The threat actor will be very grateful and thank the staff member for their help. They should be grateful: they now have an account they can use to access your network.

These are examples of successful social engineering attacks that are happening today.

Attacks in Person

Gaining physical access to your premises allows the threat actor the opportunity to perform a variety of actions that further compromise your security.

1. Reverse SSH Tunnels

Firewalls usually let traffic out of a network much more easily than they let traffic in. Firewalls are border guards, and most of their attention is focused on what comes in over the border. Traffic going out is often a secondary concern.

  1. The threat actor can make devices out of inexpensive, single-board computers such as the Raspberry Pi that, once they are connected to a network, make an encrypted outgoing connection to the threat actor’s server. Typically a firewall isn’t configured to stop that.
  2. The threat actor then makes an encrypted connection back to the device he planted using the already-established connection from the Raspberry Pi. This gives him remote access to your network. It’s a technique called a reverse SSH tunnel.

These covert devices can be hidden inside old laptop power supplies or other innocuous devices and quickly plugged in behind equipment such as large printers.

Printers need mains power and a network point. Network points are usually provisioned in pairs, as are power points. The printer only needs one of each. Behind the printer are the connections the device needs and a nice hiding place.

2. USB Memory Sticks

The threat actor may simply pick up a laptop and walk out, or they may infect the network with malware from a USB memory stick:

  • They may leave USB memory sticks seeded with malware near coffee machines, in restrooms, or on vacant desks. There’s usually a bunch of keys attached to the USB stick.
  • When the USB stick is discovered, the question in the staff member’s mind is “Who has forgotten their keys?” not “Hmm – here’s an anonymous USB stick.”
  • That slight shift in mental stance is important. Misplacing your keys is a big problem. The finder wants to get the keys returned to their owner. How can they find out? Maybe there is something on the memory stick that will identify the owner.
  • There are files on the memory stick. They might look like a PDF or a Word document, but they are disguised malware. If they have eye-catching titles like “Redundancy Plans Phase 1,” it’ll be almost impossible for the staff member not to click on them.
  • It is possible to auto-run programs as soon as USB drives are inserted, which means the staff member doesn’t even need to click on anything. But if auto-run is turned off – which it should be – having files with irresistible titles is a common fallback strategy.

A similar approach is for the threat actor to collect some promotional literature from a genuine business, such as a courier firm:

  • They attach a USB memory stick to each one. The threat actor appears at reception and hands over three or four copies. They ask the receptionist if they wouldn’t mind passing these on to the person in charge of shipping.
  • Almost certainly, the receptionist will put one aside for themselves, and as soon as the threat actor has left the building, they’ll try it on their computer.
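The defensive counterpart to the USB ploys above is knowing when removable storage is attached to a machine, whether or not auto-run is disabled. The following is an added example, not code from the article: it parses Linux kernel log lines in the style of dmesg/journald for mass-storage attach events and checks each device’s vendor and product ID against a hypothetical allowlist of issued drives. The log lines, host names and allowlist are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of Linux kernel USB messages (not real captures).
# Two mass-storage devices appear: an allowlisted SanDisk stick on ws-17 and an
# unknown device on ws-22. The Logitech receiver is a non-storage device.
SAMPLE_KERNEL_LOG = """\
Mar 03 09:12:41 ws-17 kernel: usb 1-2: new high-speed USB device number 5 using xhci_hcd
Mar 03 09:12:41 ws-17 kernel: usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Mar 03 09:12:41 ws-17 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected
Mar 03 09:12:42 ws-17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Mar 03 10:01:03 ws-17 kernel: usb 1-3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Mar 03 10:01:03 ws-17 kernel: input: Logitech USB Receiver as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/input/input12
Mar 03 11:30:55 ws-22 kernel: usb 2-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
Mar 03 11:30:55 ws-22 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of (idVendor, idProduct) pairs for company-issued drives.
APPROVED_STORAGE = {("0781", "5583")}

TS = r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
# "usb 1-2: New USB device found, idVendor=0781, idProduct=5583, ..."
DEVICE_RE = re.compile(TS + r"usb (?P<port>[\d.-]+): New USB device found, "
                       r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
# "usb-storage 1-2:1.0: USB Mass Storage device detected"
STORAGE_RE = re.compile(TS + r"usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")


@dataclass
class StorageAttach:
    ts: str
    host: str
    port: str
    vendor_id: str
    product_id: str
    approved: bool


def find_storage_attachments(log_text, approved=APPROVED_STORAGE):
    """Correlate 'New USB device found' lines with the 'USB Mass Storage' line that
    follows on the same host and bus port, and flag devices not on the allowlist."""
    pending = {}  # (host, port) -> (ts, vid, pid) of the most recent enumeration
    hits = []
    for line in log_text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            pending[(m["host"], m["port"])] = (m["ts"], m["vid"], m["pid"])
            continue
        m = STORAGE_RE.match(line)
        if m:
            # If the enumeration line was lost, keep the event but mark IDs unknown.
            ts, vid, pid = pending.pop((m["host"], m["port"]), (m["ts"], "????", "????"))
            hits.append(StorageAttach(ts, m["host"], m["port"], vid, pid, (vid, pid) in approved))
    return hits


def unapproved_attachments(log_text, approved=APPROVED_STORAGE):
    """Only the events a help desk or SOC would want to follow up on."""
    return [h for h in find_storage_attachments(log_text, approved) if not h.approved]


if __name__ == "__main__":
    for hit in find_storage_attachments(SAMPLE_KERNEL_LOG):
        status = "approved" if hit.approved else "UNKNOWN DEVICE"
        print(f"{hit.ts} {hit.host} port {hit.port} {hit.vendor_id}:{hit.product_id} {status}")
```

In production the same two patterns can be fed from a central log collector, and the allowlist can be keyed on serial numbers rather than vendor/product pairs, since any stick of the same model would otherwise pass. The parser matches only mass-storage attachments, so keyboards and mice do not generate noise.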

3. Gaining Access to the Building

To get past reception, threat actors have posed as all manner of delivery persons: UPS, United States Postal Service, flower deliveries, motorcycle couriers, pizza deliveries, and donut deliveries, to name a few. They have posed as pest control agents, construction workers, and elevator servicing engineers.

  • Arriving to have a meeting with someone the threat actor knows is not in the office (thanks to X or LinkedIn) is surprisingly effective. Of course, it is someone senior.
  • The receptionist tries to ring the staff member and says they’re not answering their phone. The threat actor says they expected that. They’ve been having a conversation by text, and the staff member said their previous meeting looks like it will overrun. “They suggested I wait in the canteen. They’ll come for me when they’re free. Could someone show me where it is, please?”
  • In tailgating, the threat actor uses someone else’s valid entry to the building as a means of going through the same door. One trick is to wait at an external smoking point and strike up a conversation. The threat actor introduces themselves. They get the name of the person they’re talking to. What they want to happen is for other people to arrive at the smoking point while they’re already in conversation. They will wait until the first staff member goes back into the building. They’ll say goodbye to them and address them by name.
  • The new arrivals won’t even question whether this person is a member of staff. He’s here at their smoking point, laughing and chatting to other members of staff and addressing them by name.
  • The threat actor then chats to the new arrivals. They ask them if they know the person who has just left, and tell them he’s a nice guy.
  • When the second wave of smokers returns to the building, the threat actor will accompany them. They let the staff members enter their code or use their fob or key.
  • When the door opens, they will make a show of holding it open and gesturing for the real staff to enter. He then follows them in.

Examples of Social Engineering Attacks

Here are some common social engineering examples that highlight how attackers exploit human behavior:

Impersonating new employees
An attacker pretends to be a new hire and contacts IT support to gain access to company systems.
Fake tech support calls
An attacker poses as IT support and tricks employees into sharing login credentials.
Malicious USB devices
Malware-infected USB drives are left in workplaces, tricking employees into plugging them in.
Tailgating
An attacker gains access to restricted areas by following an authorized employee through a door.

How to Protect Against Social Engineering Attacks


We’re dealing with people, so, needless to say, the defenses revolve around training, policies, and procedures.

Here’s how to prevent social engineering attacks:

  • Role-playing and team rehearsals: Conduct team exercises and role-playing sessions with security professionals to prepare for social engineering attempts.
  • Security firms and penetration testing: Hire security firms to simulate attacks and identify vulnerabilities. You may choose to combine this with a benign phishing campaign.
  • USB device security: Disable auto-run for USB devices and never use unknown USB drives.
  • Out-of-the-ordinary request policy: Create protocols for unusual or urgent requests to prevent rule-breaking under pressure.
  • Network scans and new device identification: Perform network scans and identify and examine new devices that have been connected to the network.
  • Login credential protection: Never share login details, even with IT staff. They won’t ask for passwords.
  • Telephone call safety: Hang up and call back on official numbers if someone asks for sensitive information.
  • Visitor escort policy: Always supervise visitors and restrict them to designated areas.
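The “network scans and new device identification” tip is the direct answer to the planted reverse-SSH-tunnel device described in the in-person attacks section. The following added example (not code from the article) shows what such a check looks like in practice: it compares the gateway’s neighbour table against a hypothetical asset inventory to find devices nobody registered, then looks through a flow export for long-lived outbound connections to a watched port, and raises the severity when both point at the same host. The neighbour lines, flow records, inventory, clock value and IP addresses are all constructed for the example; the b8:27:eb prefix is the OUI registered to the Raspberry Pi Foundation, the rest of that address is made up.

```python
import re
from datetime import datetime, timedelta

# --- Constructed inputs (not real captures) ---

# Output in the style of `ip neigh show` on a Linux gateway.
NEIGH_SAMPLE = """\
10.20.30.5 dev eth0 lladdr 3c:52:82:aa:10:01 REACHABLE
10.20.30.12 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
10.20.30.41 dev eth0 lladdr b8:27:eb:4f:2c:9a STALE
10.20.30.77 dev eth0 lladdr 00:1a:2b:3c:4d:60 REACHABLE
"""

# A flow export from the gateway: src,dst,dport,first_seen,last_seen (ISO 8601, UTC).
# 10.20.30.41 has held an outbound SSH session open since the previous evening.
FLOWS_SAMPLE = """\
10.20.30.12,203.0.113.10,443,2024-03-03T09:00:00,2024-03-03T09:00:12
10.20.30.41,198.51.100.7,22,2024-03-02T18:05:00,2024-03-03T11:29:50
10.20.30.77,198.51.100.9,22,2024-03-03T11:20:00,2024-03-03T11:29:58
10.20.30.5,203.0.113.10,443,2024-03-03T11:25:00,2024-03-03T11:25:03
"""

# Hypothetical asset inventory maintained by the network team: MAC -> asset name.
KNOWN_DEVICES = {
    "3c:52:82:aa:10:01": "printer-floor2",
    "00:1a:2b:3c:4d:5e": "ws-17",
}

NOW = datetime(2024, 3, 3, 11, 30, 0)   # frozen clock for the example
MIN_AGE = timedelta(hours=1)            # a session older than this is "long-lived"
STILL_ACTIVE = timedelta(minutes=5)     # last packet within this window counts as live
WATCHED_PORTS = {22}                    # widen this; tunnels are often run over 443

NEIGH_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+) dev \S+ lladdr (?P<mac>[0-9a-f:]{17}) \w+$")


def unknown_devices(neigh_text, known=KNOWN_DEVICES):
    """Return {ip: mac} for every neighbour whose MAC is not in the inventory."""
    found = {}
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m["mac"] not in known:
            found[m["ip"]] = m["mac"]
    return found


def long_lived_outbound(flows_text, now=NOW, min_age=MIN_AGE, ports=WATCHED_PORTS):
    """Return flows to a watched port that are both old and still active."""
    hits = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, first, last = line.split(",")
        first_dt, last_dt = datetime.fromisoformat(first), datetime.fromisoformat(last)
        age = last_dt - first_dt
        if int(dport) in ports and age >= min_age and now - last_dt <= STILL_ACTIVE:
            hits.append({"src": src, "dst": dst, "dport": int(dport), "age": age})
    return hits


def triage(neigh_text=NEIGH_SAMPLE, flows_text=FLOWS_SAMPLE, now=NOW):
    """Join the two checks: an unregistered device holding a long outbound
    session is the reverse-tunnel pattern and gets the highest severity."""
    unknown = unknown_devices(neigh_text)
    findings = []
    for flow in long_lived_outbound(flows_text, now):
        severity = "high" if flow["src"] in unknown else "medium"
        findings.append({**flow, "severity": severity, "mac": unknown.get(flow["src"])})
    # Unregistered devices with no suspicious flow still deserve a visit.
    for ip, mac in unknown.items():
        if not any(f["src"] == ip for f in findings):
            findings.append({"src": ip, "mac": mac, "severity": "low",
                             "dst": None, "dport": None, "age": None})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage():
        print(f"[{f['severity'].upper()}] {f['src']} mac={f['mac']} -> {f['dst']}:{f['dport']} age={f['age']}")
```

Run on a schedule, the inventory diff alone catches the device behind the printer the first time it answers an ARP request; the flow check adds the behavioural signal, and the correlation is what turns two low-confidence observations into a finding worth walking the floor for. Physical switch-port mapping (which port the unknown MAC appeared on) is the natural next column to add.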

Fostering a security-minded culture in your business will pay dividends and is the foundation of a multi-layered security approach.

It’s Nothing New

Social engineering scams have been around as long as confidence tricksters have existed. There are techniques that work, so it was inevitable that they’d be picked up and used by the cyber threat actors.

They work on people’s admirable qualities, like their kindness and desire to assist, or their poorer qualities, like greed and fear.

The threat actor might want to:

Unlike many cyberattacks, social engineering attacks are specifically targeted at their victims. This is in contrast to “spray and pray” attacks, such as phishing campaigns or port scanning.

The Bottom Line

So, what does social engineering mean? The goal of social engineering is simple: attackers want to exploit human behavior to get around security measures. Instead of hacking systems directly, they rely on tricks and manipulation to gain access to sensitive information, systems, or even physical spaces.

The best defense is awareness. Knowing the common tactics – like phishing emails, fake tech support calls, or tailgating – can help you spot a potential attack before it works. Regular training and clear policies also make a huge difference. When everyone knows what to look out for and how to handle suspicious situations, it’s much harder for attackers to succeed.

At the end of the day, building a culture where security is second nature can go a long way in keeping both individuals and organizations safe from social engineering threats.




Marshall Gunnell
IT & Cybersecurity Expert

Marshall, a Mississippi native, is a dedicated IT and cybersecurity expert with over a decade of experience. Along with Techopedia, his articles can be found on Business Insider, PCWorld, VGKAMI, How-To Geek, and Zapier. His articles have reached a massive audience of over 100 million people. Marshall previously served as the Chief Marketing Officer (CMO) and technical staff writer at StorageReview, providing comprehensive news coverage and detailed product reviews on storage arrays, hard drives, SSDs, and more. He also developed sales strategies based on regional and global market research to identify and create new project initiatives. Currently, Marshall resides in…