Social engineering in cybersecurity is the art of manipulating people to gain unauthorized access to buildings, systems, or data. Unlike traditional hacking, which targets technical vulnerabilities, social engineering exploits human psychology – the organic layer of your defenses.
Humans naturally want to help others, especially in professional roles like receptionists or help desk workers. Threat actors leverage this goodwill, often bending rules or bypassing protocols to achieve their goals. They may exploit empathy, authority, or a desire to appear helpful, steering victims into actions that compromise security.
These attacks can be swift, such as a single phone call, or unfold gradually, building trust over time. The ultimate aim is to bypass or undermine your security measures.
Key Takeaways
- Social engineering exploits human behavior, such as trust and fear, to bypass security instead of relying on technical hacking.
- Attackers often use methods like phishing emails, impersonating employees, or tailgating to gain access to sensitive areas or information.
- Threat actors gather intelligence from public platforms like LinkedIn and social media to make their attacks more convincing.
- Training employees to recognize social engineering tactics and implementing strict security protocols reduce risks significantly.
- Building awareness and embedding security practices into everyday actions is the most effective way to prevent attacks.
So, how does social engineering work? It works by taking advantage of how people naturally think and act. Instead of hacking into systems directly, attackers “hack” humans by manipulating trust, emotions, or basic social norms to get what they want – whether that’s sensitive information, access to a building, or control of a system.
At its core, it’s about exploiting the tendencies we all have. Most people want to help others, follow rules, or avoid trouble. For example, an attacker might pretend to be from IT and convince someone to hand over their login details by creating a fake sense of urgency. Or they might play on sympathy, acting like they’re in a tough spot to get someone to bend the rules.
The tactics vary a lot. It could be a phishing email that looks like it’s from your bank, a phone call from someone pretending to be your boss, or even someone sneaking into a secure area by tailgating behind an employee. These tricks work because they seem normal or believable at the moment.
The key to staying safe is being aware of how social engineering works so you can recognize these tactics and think twice before reacting.
Social engineering comes in various forms.
Here are the main types of social engineering attacks:
Each method exploits trust, curiosity, or urgency to bypass security.
Social engineering attacks can involve phone conversations, email, or attending your premises in person. Quite often, a blend of these techniques is used to suit the needs of the attack.
Reconnaissance
Threat actors will do intelligence gathering on the target within the company. They monitor X (previously Twitter) and LinkedIn and look for information that gives them an edge. Social media is a two-edged sword. What you broadcast to the world can easily be turned against you.
- A threat actor may see that a senior staff member is going to be out of the office at a conference. This is the sort of information they can use. It gives the threat actor an “in.”
- They’ll ring and ask to speak to that person’s PA. Because they are talking about a genuine event, the PA has no reason to suspect the caller is fraudulent.
- If the threat actor has “spoofed” the calling line ID, making the call appear to originate from the genuine phone number for the event, the illusion is even more compelling.
- They will present a problem and ask for assistance to sort it out: “We have a record of his booking but no record of a deposit or payment. I’m going to be for the high jump if I can’t sort this out before I go off shift in the next ten minutes. I’m really hoping you can save my skin. Do you happen to have the details of the credit card the booking was made with so that I can look it up?”
Attacks by Phone
The simplest attacks are often the best, and technical support is a common target. Their job is to solve problems. Their working day is devoted to trying to satisfy the caller’s needs and to make problems disappear.
These are examples of successful social engineering attacks that are happening today.
Attacks in Person
Gaining physical access to your premises allows the threat actor the opportunity to perform a variety of actions that further compromise your security.
1. Reverse SSH Tunnels
Firewalls usually let traffic out of a network much easier than traffic can get in. Firewalls are border guards, and most of their attention is focused on what comes in over the border. Traffic going out is often a secondary concern.
- The threat actor can make devices out of inexpensive, single-board computers such as the Raspberry Pi that, once they are connected to a network, make an encrypted outgoing connection to the threat actor’s server. Typically a firewall isn’t configured to stop that.
- The threat actor then makes an encrypted connection back to the planted device over the already-established outbound connection from the Raspberry Pi. This gives them remote access to your network. It’s a technique called a reverse SSH tunnel.
These covert devices can be hidden inside old laptop power supplies or other innocuous devices and quickly plugged in behind equipment such as large printers.
Printers need mains power and a network point. Network points are usually provisioned in pairs, as are power points. The printer only needs one of each. Behind the printer are the connections the device needs and a nice hiding place.
2. USB Memory Sticks
The threat actor may simply pick up a laptop and walk out, or they may infect the network with malware from a USB memory stick:
- They may leave USB memory sticks seeded with malware near coffee machines, in restrooms, or on vacant desks. There’s usually a bunch of keys attached to the USB stick.
- When the USB stick is discovered, the question in the staff member’s mind is “Who has forgotten their keys?” not “Hmm – here’s an anonymous USB stick.”
- That slight shift in mental stance is important. Misplacing your keys is a big problem. The finder wants to get the keys returned to their owner. How can they find out? Maybe there is something on the memory stick that will identify the owner.
- There are files on the memory stick. They might look like a PDF or a Word document, but they are disguised malware. If they have eye-catching titles like “Redundancy Plans Phase 1,” it’ll be almost impossible for the staff member not to click on them.
- It is possible to auto-run programs as soon as USB drives are inserted, which means the staff member doesn’t even need to click on anything. But if auto-run is turned off – which it should be – having files with irresistible titles is a common fallback strategy.
A similar approach is for the threat actor to collect some promotional literature from a genuine business, such as a courier firm:
- They attach a USB memory stick to each one. The threat actor appears at reception and hands over three or four copies. They ask the receptionist if they wouldn’t mind passing these on to the person in charge of shipping.
- Almost certainly, the receptionist will put one aside for themselves, and as soon as the threat actor has left the building, they’ll try it on their computer.
3. Gaining Access to the Building
To get past reception, threat actors have posed as all manner of delivery persons: UPS, United States Postal Service, flower deliveries, motorcycle couriers, pizza deliveries, and donut deliveries, to name a few. They have posed as pest control agents, construction workers, and elevator servicing engineers.
- Arriving to have a meeting with someone the threat actor knows is not in the office (thanks to X or LinkedIn) is surprisingly effective. Of course, it is someone senior.
- The receptionist tries to ring the staff member and says they’re not answering their phone. The threat actor says they expected that. They’ve been having a conversation by text, and the staff member said their previous meeting looks like it will overrun. “They suggested I wait in the canteen. They’ll come for me when they’re free. Could someone show me where it is, please?”
- In tailgating, the threat actor uses someone else’s valid entry to the building as a means of going through the same door. One trick is to wait at an external smoking point and strike up a conversation. The threat actor introduces themselves. They get the name of the person they’re talking to. What they want to happen is for other people to arrive at the smoking point while they’re already in conversation. They will wait until the first staff member goes back into the building. They’ll say goodbye to them and address them by name.
- The new arrivals won’t even question whether this person is a member of staff. They’re here at the staff smoking point, laughing and chatting with other members of staff and addressing them by name.
- The threat actor then chats to the new arrivals. They ask whether they know the person who has just left, and tell them he’s a nice guy.
- When the second wave of smokers returns to the building, the threat actor accompanies them and lets the staff members enter their code or use their fob or key.
- When the door opens, the threat actor makes a show of holding it open and gesturing for the real staff to enter, then follows them in.
Here are some common social engineering examples that highlight how attackers exploit human behavior:
| Attack type | Description |
|---|---|
| Impersonating new employees | An attacker pretends to be a new hire and contacts IT support to gain access to company systems. |
| Fake tech support calls | An attacker poses as IT support and tricks employees into sharing login credentials. |
| Malicious USB devices | Malware-infected USB drives are left in workplaces, tricking employees into plugging them in. |
| Tailgating | An attacker gains access to restricted areas by following an authorized employee through a door. |
We’re dealing with people, so, needless to say, the defenses revolve around training, policies, and procedures.
Here’s how to prevent social engineering attacks:
- Role-playing and team rehearsals: Conduct team exercises and role-playing sessions with security professionals to prepare for social engineering attempts.
- Security firms and penetration testing: Hire security firms to simulate attacks and identify vulnerabilities. You may choose to combine this with a benign phishing campaign.
- USB device security: Disable auto-run for USB devices and never use unknown USB drives.
- Out-of-bound request policy: Create protocols for unusual or urgent requests to prevent rule-breaking under pressure.
- Network scans and new device identification: Perform network scans and identify and examine new devices that have been connected to the network.
- Login credential protection: Never share login details, even with IT staff. They won’t ask for passwords.
- Telephone call safety: Hang up and call back on official numbers if someone asks for sensitive information.
- Visitor escort policy: Always supervise visitors and restrict them to designated areas.
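The reverse SSH tunnel described under “Attacks in Person” and the “Network scans and new device identification” item above both come down to the same two questions for a defender: which devices on the network are not in the asset inventory, and which of them are holding long-lived outbound SSH sessions? The script below is an added example, not code from the original article; it compares a DHCP lease snapshot against an inventory keyed by MAC address and scans firewall session records for outbound SSH from hosts that are not on an egress allow-list. The lease and log formats, the inventory, the allow-list and all addresses are constructed assumptions for illustration, not any vendor’s real log layout.

```python
"""Added example: flag uninventoried devices and long-lived outbound SSH
sessions (the reverse-tunnel pattern) from constructed lease and firewall data."""
from dataclasses import dataclass
from datetime import datetime

# Constructed asset inventory: MAC address -> asset name.
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "printer-floor2",
    "aa:bb:cc:00:00:02": "ws-alice",
    "aa:bb:cc:00:00:03": "ws-bob",
}
# Hosts permitted to open outbound SSH (assumption: one deployment workstation).
EGRESS_SSH_ALLOWED = {"10.0.20.31"}

# Constructed DHCP lease snapshot, "<ip> <mac> <hostname>" per line; the last
# entry uses the Raspberry Pi Foundation OUI b8:27:eb to stand in for an
# unexpected single-board computer.
LEASES = """\
10.0.20.15 aa:bb:cc:00:00:01 printer-floor2
10.0.20.31 aa:bb:cc:00:00:02 ws-alice
10.0.20.44 aa:bb:cc:00:00:03 ws-bob
10.0.20.77 b8:27:eb:12:34:56 raspberrypi
"""
# Constructed firewall session log, "<start> <end> <src> <dst> <dport>" per line.
CONN_LOG = """\
2024-05-01T08:02:11Z 2024-05-01T08:02:40Z 10.0.20.31 203.0.113.9 443
2024-05-01T08:05:00Z 2024-05-01T19:40:12Z 10.0.20.77 198.51.100.23 22
2024-05-01T09:10:00Z 2024-05-01T09:15:00Z 10.0.20.31 198.51.100.50 22
2024-05-01T09:12:00Z 2024-05-01T09:12:03Z 10.0.20.44 203.0.113.9 80
"""
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

@dataclass
class Session:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int

    @property
    def duration_s(self) -> int:
        return int((self.end - self.start).total_seconds())

def parse_leases(text: str) -> dict:
    """Return {ip: (mac, hostname)} from the lease snapshot."""
    leases = {}
    for line in text.splitlines():
        if line.strip():
            ip, mac, hostname = line.split()
            leases[ip] = (mac.lower(), hostname)
    return leases

def parse_sessions(text: str) -> list:
    """Return Session records from the firewall log."""
    sessions = []
    for line in text.splitlines():
        if line.strip():
            start, end, src, dst, dport = line.split()
            sessions.append(Session(datetime.strptime(start, TS_FORMAT),
                                    datetime.strptime(end, TS_FORMAT),
                                    src, dst, int(dport)))
    return sessions

def unknown_devices(leases: dict, known: dict) -> list:
    """Lease holders whose MAC is absent from the inventory: (ip, mac, host)."""
    return [(ip, mac, host) for ip, (mac, host) in leases.items() if mac not in known]

def suspicious_outbound_ssh(sessions: list, leases: dict, known: dict,
                            allowed: set, min_seconds: int = 3600) -> list:
    """Outbound SSH from non-allow-listed hosts that is long-lived or comes
    from an uninventoried device; each finding carries its reasons."""
    findings = []
    for s in sessions:
        if s.dport != 22 or s.src in allowed:
            continue
        reasons = []
        if s.duration_s >= min_seconds:
            reasons.append(f"long-lived ({s.duration_s}s)")
        mac = leases.get(s.src, (None, None))[0]
        if mac not in known:  # covers both an unknown MAC and no lease at all
            reasons.append("source not in inventory")
        if reasons:
            findings.append({"src": s.src, "dst": s.dst,
                             "duration_s": s.duration_s, "reasons": reasons})
    return findings

if __name__ == "__main__":
    leases = parse_leases(LEASES)
    for ip, mac, host in unknown_devices(leases, KNOWN_DEVICES):
        print(f"NEW DEVICE  {ip:<12} {mac}  {host}")
    for f in suspicious_outbound_ssh(parse_sessions(CONN_LOG), leases,
                                     KNOWN_DEVICES, EGRESS_SSH_ALLOWED):
        print(f"SSH EGRESS  {f['src']} -> {f['dst']}: {', '.join(f['reasons'])}")
```

On the constructed data, the script reports one new device (the board at 10.0.20.77) and one SSH finding: an eleven-hour outbound session from that same uninventoried host, which is exactly the shape a planted reverse tunnel leaves in egress logs. The five-minute SSH session from the allow-listed workstation is deliberately not reported; tuning the allow-list and the duration threshold to your own environment is what keeps the report short enough to be read every day.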
Fostering a security-minded culture in your business will pay dividends and is the foundation of a multi-layered security approach.
It’s Nothing New
Social engineering scams have been around as long as confidence tricksters have existed. There are techniques that work, so it was inevitable that they’d be picked up and used by the cyber threat actors.
They work on people’s admirable qualities, like their kindness and desire to assist, or their poorer qualities, like greed and fear.
The threat actor might want to:
- Obtain credit card or other financial details
- Get login credentials for a user account
- Install malware such as key loggers so that the victim’s keystrokes are sent to the threat actor’s server
- Install remote access software that lets the threat actors gain access to the victim’s computer
- Install ransomware to extort money from the business
- Gain physical access to your building to plant covert devices to manually install malware or steal hardware
Unlike many cyberattacks, social engineering attacks are specifically targeted at their victims, in contrast to “spray and pray” attacks such as mass phishing or port scanning.
The Bottom Line
So, what does social engineering mean? The goal of social engineering is simple: attackers want to exploit human behavior to get around security measures. Instead of hacking systems directly, they rely on tricks and manipulation to gain access to sensitive information, systems, or even physical spaces.
The best defense is awareness. Knowing the common tactics – like phishing emails, fake tech support calls, or tailgating – can help you spot a potential attack before it works. Regular training and clear policies also make a huge difference. When everyone knows what to look out for and how to handle suspicious situations, it’s much harder for attackers to succeed.
At the end of the day, building a culture where security is second nature can go a long way in keeping both individuals and organizations safe from social engineering threats.