What is social engineering?

Last updated: 2025-09-17

Social engineering means manipulating people into doing something they shouldn’t. The term is used mostly in security and cybersecurity. It covers tactics that trick people into giving up access to information, systems, or resources an attacker should not have. Instead of breaking technical controls (passwords, firewalls, etc.), attackers target the weakest link: people. Common examples include phishing emails, impersonating a coworker or IT support, high-pressure phone calls, and exploiting trust. It is not a technical hack but “engineering human behavior”: exploiting people the way a hacker exploits software vulnerabilities.

What are the most common social engineering techniques and how can US small and mid-sized businesses defend against them?

Phishing (email, SMS)

  • What it is: Fake messages (email, SMS/text) pretending to be from trusted sources (bank, coworker, IT) to steal logins, personal data, or make you take an action (click a link, download an attachment).
  • Example: Email “IT: You must reset your password — click this link.”
  • How to spot it: unexpected urgency, grammar/spelling mistakes, links whose real destination (visible on hover) is not the official domain or differs from the text shown, generic greeting (“Dear customer”).
  • Protection: turn on multi-factor authentication (MFA; phishing-resistant methods such as FIDO2 security keys or passkeys also stop attacks that relay one-time codes in real time), employee security awareness training, email filtering, verify sender and URLs (hover to preview), never send passwords by email.
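The tells above can be applied mechanically to a message. The following is an added example, not code from the original article: a small Python checker that parses a raw email, pulls every link out of the HTML body, and reports links whose visible text names one domain while the href goes to another, hosts that are bare IP addresses or lookalikes of the organisation’s real domain, urgency wording, and a generic greeting. The two sample emails and the `OFFICIAL_DOMAINS` list are constructed for the example; the lookalike heuristic (real name hidden in a subdomain, or a name within two edits of the real one) is an illustration, not a replacement for a mail security gateway.

```python
"""Phishing-tell checker (added example, not from the original article)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: the organisation's genuine domains.
OFFICIAL_DOMAINS = {"example-bank.com"}
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify now|act now)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class BodyParser(HTMLParser):
    """Collects (href, visible text) for every <a> plus all visible text."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (good enough for .com/.net-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(host):
    """Return the official domain this host imitates, or None."""
    dom = registered_domain(host)
    if dom in OFFICIAL_DOMAINS:
        return None
    for official in OFFICIAL_DOMAINS:
        # 'example-bank.com.login-secure.net': real name hidden in a subdomain
        # 'examp1e-bank.com': a one- or two-character typo of the real name
        if official in host.lower() or edit_distance(dom, official) <= 2:
            return official
    return None


def check_link(href, text):
    findings = []
    host = urlparse(href).hostname or ""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        findings.append(f"link goes to a bare IP address: {host}")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        findings.append(f"link text shows {shown.group(1)} but href goes to {host}")
    if (target := lookalike(host)):
        findings.append(f"{host} imitates {target}")
    return findings


def check_message(raw):
    """Return a list of human-readable findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain if msg["From"] else ""
    if (target := lookalike(sender)):
        findings.append(f"sender domain {sender} imitates {target}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = BodyParser()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        findings.extend(check_link(href, text))
    visible = (msg["Subject"] or "") + " " + "".join(parser.text)
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(visible)})
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    if GENERIC_GREETING.search(visible):
        findings.append("generic greeting")
    return findings


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: user@corp.example
Subject: Urgent: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer,</p>
<p>We detected unusual activity. Verify now at
<a href="http://example-bank.com.login-secure.net/verify">https://example-bank.com/login</a>
or your account will be suspended within 24 hours.</p></body></html>
"""
LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
To: user@corp.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alex,</p>
<p><a href="https://example-bank.com/statements">View your statement</a> when convenient.</p>
</body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_message(raw) or ["no findings"])
```

Run as a script to see the phishing sample produce findings for the typo sender domain, the subdomain trick, the text/href mismatch, the urgency wording and the greeting, while the legitimate message produces none.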

Spear phishing (targeted phishing)

  • What it is: Phishing that’s personalized — the attacker uses info about a specific person (LinkedIn, company website) to make it more convincing.
  • Example: Email from the “CEO” requesting an urgent payment.
  • How to spot it: very specific details, requests outside normal procedures.
  • Protection: verify requests via a separate channel (a phone call to a number you already have, not one given in the message), enforce payment approval workflows with a second approver, least-privilege access for initiating payments.

Pretexting

  • What it is: The attacker creates a fake story/identity (e.g., vendor, auditor, coworker from another location) to gain trust and request information or access.
  • Example: A caller claims to be an “inspector” asking for employee data.
  • How to spot it: requests for sensitive data without a clear business need, pressure to act quickly.
  • Protection: verify caller identity, apply a “minimum necessary” data policy, documented processes for data requests, route through the internal help desk.

Baiting

  • What it is: The attacker offers something tempting (e.g., a USB with a “report”) — when the victim takes the bait, the device or file infects the system.
  • Example: A “payroll data” USB found in the parking lot; an employee plugs it into a PC.
  • How to spot it: unknown media or files, “too good to be true” offers.
  • Protection: block use of unknown USBs, disable autorun, use antivirus/EDR, ongoing training.

Tailgating / Piggybacking (physical access)

  • What it is: An unauthorized person enters a secured area by following an employee through a door.
  • Example: Someone posing as a courier slips in behind an employee at the front entrance.
  • How to spot it: unfamiliar people without badges, someone avoiding access procedures.
  • Protection: “Don’t hold the door” policy, badge checks, turnstiles, report security concerns.

Vishing (voice phishing)

  • What it is: Phone scams — the attacker pretends to be from a bank, coworker, or IT to obtain data or force an action.
  • Example: “We detected suspicious card activity — tell me your CVV and card number.”
  • How to spot it: phone calls with pressure to share sensitive information quickly.
  • Protection: training (never share sensitive info over the phone), hang up and call back on a number you already have since caller ID can be spoofed, clear policies for caller verification.

Quid pro quo (something for something)

  • What it is: Offering a service in exchange for information or access — e.g., a fake “tech” worker offering help.
  • Example: A caller offers to install an update in exchange for temporary login access.
  • How to spot it: someone offers a “quick fix” or service in exchange for access.
  • Protection: never provide credentials or remote access without authorization, clear processes for IT work and support.

Watering hole attacks

  • What it is: The attacker compromises websites frequently visited by the target group and uses them to deliver malicious content.
  • Example: An infected professional association website visited by company staff.
  • How to spot it: unusual behavior after visiting a trusted site, alerts from security tools.
  • Protection: keep browsers up to date, use EDR, allow/deny lists, monitor for anomalies.

Why is it called “social engineering”?

  • “Social” because it exploits interactions, relationships, trust, and human behavior. The attacker manipulates a person into doing something they wouldn’t otherwise do (e.g., revealing a password).
  • “Engineering” because it’s a deliberate, systematic process. Attackers plan, test, and refine their methods to reach their goal, similar to an engineering process.