Social engineering attacks are the category of cyberattack where the target is a person rather than a technical system. The attacker manipulates the target into surrendering information, granting access, or taking an action that compromises security. Phishing emails, pretexting phone calls, baiting USB drops, and tailgating into restricted areas are all forms of social engineering. Per Verizon’s annual Data Breach Investigations Report, the human element appears in the substantial majority of breach incidents year after year. For businesses defending against modern threats, social engineering is the most common attack vector and the one most worth understanding systematically.
This post covers the major categories of social engineering attacks, why they work despite decades of awareness training, and the practical defenses that meaningfully reduce risk. For specific coverage of phishing (the most common form of social engineering), see our phishing piece; for broader security context, our Zero Trust security explainer covers the architectural side of the same problem.
The major types of social engineering attacks
The category spans several distinct attack patterns, each with its own tradecraft:
- Phishing: the most common form. Attackers send fraudulent communications (email, SMS, voice calls, social media messages) impersonating trusted entities to trick targets into surrendering credentials, money, or sensitive information. The variants include spear phishing (targeted), whaling (executive-targeted), smishing (SMS), vishing (voice), and clone phishing (copies of legitimate emails).
- Pretexting: the attacker invents a scenario (a “pretext”) that makes the target believe surrendering information or access is legitimate. A common pretext: an attacker impersonates an IT support technician, calls an employee, and asks for credentials to “fix a problem.” The fabricated context makes the request seem reasonable.
- Baiting: the attacker leaves something tempting (a USB drive labeled “Q3 Layoffs,” a free download, a deal too good to pass up) and waits for a target to take the bait. The USB drive contains malware; the free download is malicious; the deal harvests credentials.
- Tailgating (also called piggybacking): physical social engineering where an attacker follows an authorized employee through a controlled-access door, exploiting politeness or distraction. Effective against any access control that depends on employees not holding doors open for strangers.
- Quid pro quo: the attacker offers a benefit in exchange for information or access. “I’ll help you with this IT problem; just give me your password so I can log in to check.” The exchange feels reciprocal and reasonable.
- Scareware: fake security alerts that scare the target into installing malware (“Your computer is infected! Click here to clean it!”). Common on web pop-ups and through compromised ad networks.
- Watering hole attacks: the attacker compromises a website the target group frequently visits, planting malware that infects visitors. Indirect social engineering: the target’s trust in the legitimate site is what enables the attack.
- Business email compromise (BEC): the most financially damaging category. An attacker impersonates a senior executive or trusted vendor and tricks an employee into making a fraudulent wire transfer or changing payment information.
The variety reflects an attacker innovation cycle. As one tactic gets defended, attackers shift to others. A complete defense addresses the underlying human-manipulation dynamic, not just specific tactics.
Why social engineering works
Three psychological dynamics make social engineering effective despite extensive awareness efforts:
- Authority and urgency: humans defer to authority and react to urgency. An email “from the CEO” requesting immediate action triggers reaction before evaluation. A call “from IT” with a fix for an urgent problem gets compliance because pushing back feels obstructive.
- Reciprocity and social proof: humans return favors and follow group behavior. An attacker who offers help (real or fake) often gets compliance in return. An attacker who name-drops colleagues (“Jane mentioned you’d know about this”) leverages the social signal that the request is legitimate.
- Cognitive load and busy users: most attacks target people under time pressure. Pause-and-evaluate is the defense; busy-and-react is what attackers exploit. The harder a target is working, the easier the attack lands.
These dynamics are not failures of intelligence or attention. They are how human cognition works. Awareness training reduces susceptibility but does not eliminate it. The defense has to be a combination of awareness, technical controls, and process discipline.
The practical defenses
Defense splits into three categories, in order of effectiveness:
Technical controls (the highest-leverage layer):
- Phishing-resistant MFA: FIDO2 hardware keys, passkeys, or platform authenticators that cannot be phished. The most important single defense against credential theft.
- Email authentication: SPF, DKIM, and DMARC configured strictly. Prevents attackers from spoofing your domain to your employees and customers.
- Email security gateways: Microsoft Defender for Office 365, Google Workspace built-in protections, Proofpoint, Mimecast. Filter the majority of phishing before it reaches inboxes.
- Web filtering: DNS-level (Cloudflare Gateway, Cisco Umbrella) and proxy-level filtering blocks known phishing sites.
- Endpoint protection (EDR): detects and stops malicious payloads when phishing or baiting succeeds despite the other layers.
- Physical access controls: badge systems with anti-tailgating sensors, mantrap entries for high-security areas, security guards. The defenses for tailgating specifically.
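As an added illustration of what "configured strictly" means for the email authentication item above (example code, not from the original post): a small Python checker that parses SPF and DMARC TXT records and lists the settings that would still let an attacker spoof the domain. All domain names and records are constructed for the example; DKIM is left out because validating it requires knowing the sender's selector.

```python
"""Check whether a domain's SPF and DMARC TXT records are strict enough to
stop attackers spoofing it. Added example; every record here is constructed."""

# Constructed TXT records keyed by the DNS name they would live at. For a
# live domain, substitute the output of `dig +short TXT <name>` instead.
EXAMPLE_TXT = {
    "weak.example": "v=spf1 include:_spf.mail.example ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "strict.example": "v=spf1 include:_spf.mail.example -all",
    "_dmarc.strict.example": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                              "adkim=s; aspf=s; rua=mailto:dmarc@strict.example"),
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict of lowercase tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, txt):
    """Return the list of settings that would let spoofed mail through;
    an empty list means the records are strict. DKIM is not checked here
    because validating it requires knowing the sender's selector name."""
    issues = []
    spf = txt.get(domain, "").strip()
    if not spf.startswith("v=spf1"):
        issues.append("no SPF record")
    elif not spf.endswith("-all"):
        issues.append("SPF does not end in -all, so unauthorized senders only softfail")
    dmarc = parse_dmarc(txt.get("_dmarc." + domain, ""))
    if dmarc.get("v") != "DMARC1":
        issues.append("no DMARC record")
    else:
        if dmarc.get("p") != "reject":
            issues.append(f"DMARC policy p={dmarc.get('p', 'missing')} is not reject")
        if dmarc.get("sp", dmarc.get("p")) != "reject":  # sp defaults to p (RFC 7489)
            issues.append("subdomain policy is not reject")
        if dmarc.get("pct", "100") != "100":
            issues.append(f"only {dmarc['pct']}% of failing mail gets the policy")
        if "rua" not in dmarc:
            issues.append("no rua= address, so spoofing attempts are never reported")
    return issues
```

Running `assess("weak.example", EXAMPLE_TXT)` reports the softfail SPF and the `p=none` policy that together leave the domain spoofable; the strict record set returns no issues.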
Process controls:
- Out-of-band verification for high-value requests: any wire transfer, payment-information change, password reset for a privileged account, or sensitive data release requires verification through a channel different from the original request. The BEC defense specifically.
- Vendor management: known contacts, established processes, escalation paths for unusual requests. Reduces the success rate of pretexting attacks against operations roles.
- Incident response readiness: clear processes for reporting suspected attacks, triaging them, and containing the damage when one succeeds.
- Visitor management: badge systems, escorts, signed-in records. The defenses against tailgating and other physical pretexting.
Awareness training (necessary but bounded):
- Regular phishing simulation campaigns: monthly or quarterly. Identifies users who are repeatedly susceptible so they can receive targeted additional training, and tracks the aggregate trend over time.
- Scenario-specific training: BEC, wire fraud, credential phishing, payroll diversion. Generic “be careful” training plateaus quickly; scenario-specific training continues to produce gains.
- Easy reporting mechanism: a “Report Phishing” button in the email client. Make reporting easier than ignoring suspicious messages.
- Cultural reinforcement: leadership modeling good behavior; treating phishing-victim disclosures as learning moments rather than punishment; making security a shared responsibility.
The combined approach is what works. Technical controls catch most attacks before they reach users; process controls catch what slips through and reaches high-value actions; awareness training reinforces good behavior at the user level. Reducing reliance on any single layer is the design principle.
Update (2026-05-12): the social engineering landscape since this post was first published.
The defenses described in this post remain the right framework. The attack landscape has evolved:
- AI-generated social engineering has become the norm. Generative AI produces convincing phishing emails, voice clones (vishing), and even video deepfakes in any language without the grammatical or factual errors that previously signaled attacks. The detection problem is harder than the generation problem.
- MFA bypass attacks have grown. Adversary-in-the-middle (AiTM) phishing kits capture credentials and MFA codes in real time, defeating SMS and TOTP MFA. Phishing-resistant FIDO2 / passkey MFA remains effective.
- Voice deepfakes in BEC: a fake call from "the CEO" requesting an urgent wire transfer is now an operational attack pattern, not a theoretical one.
- AI-powered defenses like OpenAI’s Daybreak add a layer of detection capability that previous-generation security tools could not match.
- Passkey adoption has accelerated as a defensive response. Major platforms (Google, Microsoft, Apple, Amazon) now offer passkeys as primary authentication.
- Regulatory tightening in many jurisdictions (SEC cybersecurity disclosure, NIS2 in the EU) has increased the consequences of successful attacks, raising the priority of defenses across business sizes.
The categories of social engineering in this post still describe the attack space; AI-powered variants have intensified each. The defenses still apply, with passkey adoption now being substantially more practical than it was in 2022.
Frequently Asked Questions
What’s the difference between hacking and social engineering?
“Hacking” in the popular sense covers any unauthorized access to systems. Social engineering is specifically the subset that targets people rather than technical vulnerabilities. A SQL injection attack is hacking but not social engineering; a phishing email is both. In practice, most modern hacks involve at least some social engineering element because human-targeted attacks are cheaper and more reliable than purely technical exploits.
Can I tell if I’m being social engineered?
Some signals: requests that combine authority and urgency, requests for sensitive information through unusual channels, requests that bypass normal procedures, requests that arrive at unexpected times, requests that get more pressure when you ask normal verification questions. None are definitive, but any one should slow you down enough to verify before complying. The reliable rule: high-stakes requests require out-of-band verification regardless of how legitimate they appear.
How can a small business defend against social engineering?
The defenses scale down. Universal MFA on critical systems (especially email and financial accounts), an email security gateway (Microsoft Defender for Office 365, Google Workspace built-in protections, or a small-business-tier alternative), basic awareness training, and a written process for verifying any unusual financial request before acting. The technical investment can be a few hundred dollars per month at small scale; the process discipline is free.
Are awareness training programs actually effective?
Effective at the margins. Awareness training reduces susceptibility but plateaus around 5–10% reduction even with consistent reinforcement. The reduction matters at scale (5% of 1,000 employees is 50 fewer compromises) but does not substitute for technical controls. The realistic posture: training as one layer among many, not as a primary defense.
What should I do if I think I’ve been social engineered?
Speed matters. If credentials might be compromised: change passwords immediately from a different device, enable or strengthen MFA, monitor accounts for unauthorized access, alert IT or security. If money was sent: contact the bank immediately (some wire fraud can be recalled within hours; almost none can be recalled after days), file a report with the FBI Internet Crime Complaint Center, alert relevant authorities. If se