What is Social Engineering?

Social engineering is the manipulation of people into revealing confidential information or taking actions that undermine security. Rather than exploiting a technical vulnerability, the attacker exploits human trust, helpfulness, and time pressure.

How does social engineering work?

A targeted social engineering attack typically starts with reconnaissance. The attacker gathers information about the target from public sources such as the company website, social media profiles, and job adverts: names, job titles, colleagues, software in use, and internal processes. This information is used to build a believable cover story, known as a pretext.

The attacker then makes contact via email, phone, SMS, or in person, posing as someone with authority or presenting a request that seems urgent. The goal is to get the employee to click a link, log in, transfer money, or grant access before they stop to question it.

Types of social engineering attacks

Phishing

The most common form: fake emails that look like messages from a bank, colleague, or well-known service, designed to steal credentials or trigger payments.

Pretexting

The attacker invents a believable scenario, for example posing as an IT employee, accountant, or regulator, to obtain information or access to systems.

Vishing

Voice phishing over the phone. The caller poses as a bank, government body, or helpdesk and asks for verification codes, passwords, or an urgent transfer.

Baiting

Leaving an infected USB drive in the car park, or offering a free download that contains malware. Curiosity is the vulnerability being exploited.

CEO fraud

The attacker poses as a director or manager, often from a spoofed or compromised mailbox, and urgently asks an employee to make a transfer or send sensitive data. This is also known as business email compromise (BEC).

Tailgating

Physical social engineering: the attacker follows an employee through a secured door without their own access pass.

Recognising warning signs

  • Unexpected request from someone in authority with an "urgent" situation
  • Pressure to act quickly, without time to verify
  • Request for a password, MFA code, or payment, or a request to handle it outside the normal process (a new bank account, a personal email address, a chat app)
  • Unknown caller using internal information to build trust
  • Email that appears to come from a known organisation but is sent from a subtly different domain name (a swapped letter, an added word, or a lookalike character)
  • An offer that seems too good to be true: free software, a prize, or exclusive access
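Several of the warning signs above can be checked mechanically before a human ever reads the message. The script below is an added example, not part of the original page: it scores a message against the sender-domain, reply-to, urgency and secret-request signs. The trusted-domain list, the homoglyph table and the two sample messages are constructed for illustration, and the thresholds are heuristics, not a tested product setting.

```python
"""Heuristic triage of inbound mail against social-engineering warning signs.

Added example, not part of the original page. TRUSTED_DOMAINS, HOMOGLYPHS,
the keyword lists and SAMPLE_MESSAGES are constructed assumptions.
"""
import re
from email.utils import parseaddr
from typing import Optional

# Constructed: domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "acme-corp.com", "microsoft.com"}

# Digit-for-letter substitutions commonly used in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URGENCY_WORDS = re.compile(
    r"\b(urgent|immediately|asap|today|within the hour|final notice)\b", re.I)
SECRET_REQUEST = re.compile(
    r"\b(password|mfa code|verification code|one-time code|otp|gift card|"
    r"wire transfer|bank details)\b", re.I)


def normalise(domain: str) -> str:
    """Fold the usual visual tricks (0->o, rn->m, vv->w) before comparing."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-typo squats like acme-crop.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None."""
    domain = domain.lower()
    # A trusted domain or a genuine subdomain of one is not a lookalike.
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]          # e.g. "acme-corp"
        # Exact match after folding, a near-typo, or the brand name buried in a
        # longer domain (acme-corp.com.secure-login.net) are all suspicious.
        # Brand-in-name matching can false-positive; treat it as a triage signal.
        if norm == trusted or edit_distance(norm, trusted) <= 2 or label in norm:
            return trusted
    return None


def triage(msg: dict) -> dict:
    """Score one message (keys: From, Reply-To, Subject, Body) against the signs."""
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} imitates {target}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"replies are diverted to {reply_to}")
    text = msg.get("Subject", "") + "\n" + msg.get("Body", "")
    if URGENCY_WORDS.search(text):
        findings.append("pressure to act quickly")
    if SECRET_REQUEST.search(text):
        findings.append("asks for credentials, codes or payment")
    return {"score": len(findings), "findings": findings}


# Constructed sample messages: one CEO-fraud attempt, one benign internal notice.
SAMPLE_MESSAGES = [
    {
        "From": "Jane Doe <jane.doe@acme-c0rp.com>",
        "Reply-To": "ceo.office@gmail.example",
        "Subject": "URGENT wire transfer before 5pm",
        "Body": "I'm in a meeting and can't talk. Please process the wire transfer "
                "today and send me the bank details used.",
    },
    {
        "From": "IT Service Desk <helpdesk@acme-corp.com>",
        "Subject": "Planned maintenance on Saturday",
        "Body": "The file server will be unavailable from 08:00 to 10:00. "
                "No action is required.",
    },
]


def run_samples() -> list:
    return [triage(m) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, run_samples()):
        print(msg["Subject"], "->", result["score"], result["findings"])
```

The score is a triage aid, not a verdict: a genuine finance message can mention "today" and "bank details", and the brand-in-name check will flag some legitimate third-party domains. The useful property is that a message from a near-miss domain with a diverted Reply-To and a request for money lights up every sign at once, which is exactly the pattern the list above asks employees to notice.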

Why are employees the weakest link?

Technical security measures such as firewalls, spam filters and endpoint protection stop many threats, but they cannot prevent an employee from typing credentials into a convincing fake login page, reading an MFA code out over the phone, or opening a file because it appears to come from a "trusted" sender.

Annual industry breach reports consistently find that the large majority of successful attacks (over 80% in some years) involve a human element such as phishing, pretexting, or misused credentials. The human factor remains the most reliable attack vector for criminals.

How do you protect your organisation?

Awareness is the foundation of the defence against social engineering. Employees who understand how attackers operate recognise manipulation techniques faster and are less likely to react impulsively to urgent requests. It works best alongside controls that do not depend on anyone spotting the trick: out-of-band verification of payment and credential requests (call back on a known number, never the one in the message), phishing-resistant MFA, and an easy, blame-free way to report suspicious messages.

One of the most effective ways to build that awareness is a phishing simulation: a controlled, harmless attack on your own organisation, run with management approval. Employees experience how an attack works and learn from it directly, without any real damage.
