PROBABLYPWNED

What is Social Engineering?

Social engineering is the practice of manipulating people into giving up confidential information, access, or taking actions that compromise security. Rather than exploiting software vulnerabilities, social engineering exploits human psychology—trust, fear, urgency, and helpfulness—making it one of the most effective and difficult-to-defend attack vectors.

How attackers manipulate human psychology, the most common attack types, and what you can do to protect yourself and your organization.

Last updated: February 2026. 10 min read.

What is Social Engineering?

Social engineering attacks work because humans are wired to be helpful, to respect authority, and to act quickly under pressure. Attackers exploit these instincts to get people to hand over passwords, transfer money, install malware, or open doors—both physical and digital.

Unlike technical attacks that target software flaws, social engineering targets the human operating system. You can patch every server and deploy every security tool on the market, but one convincing phone call to your help desk can undo all of it. That's what makes social engineering so dangerous and why it's involved in the majority of successful breaches.

Types of Social Engineering Attacks

Phishing

Fraudulent emails, text messages (smishing), or voice calls (vishing) impersonating trusted entities. The most common social engineering attack by far. See our phishing email examples for real-world samples and red flags.

Pretexting

Creating a fabricated scenario to extract information. An attacker might pose as an IT technician needing your password "for maintenance," or a vendor rep verifying account details. The key is a believable story that establishes trust before asking for something sensitive.

Business Email Compromise (BEC)

Impersonating executives, vendors, or partners to authorize fraudulent wire transfers or sensitive data transfers. BEC caused over $2.9 billion in losses in 2023 according to the FBI. Attackers often compromise real email accounts or use lookalike domains.
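Lookalike domains are one of the two BEC techniques named above, and they are the one a mail pipeline can check mechanically. The following is an added example, not code from this guide: it folds a sender domain into a confusable-normalized "skeleton" and compares it against an assumed allowlist of known partner and company domains (KNOWN_DOMAINS and all addresses below are constructed).

```python
import unicodedata

# Constructed example (not the page's code): flag sender domains that imitate a known partner
# or executive domain. KNOWN_DOMAINS is an assumed allowlist maintained by the organization.
KNOWN_DOMAINS = {"acme-supplies.com", "ourcompany.com"}

# Single-character substitutions seen in lookalike domains (constructed list, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Multi-character pairs that render like one letter in common fonts.
PAIRS = {"rn": "m", "vv": "w", "cl": "d"}

def skeleton(domain: str) -> str:
    # Fold case, strip accents (NFKD then drop non-ASCII), then apply the confusable maps.
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    d = d.translate(CONFUSABLES)
    for pair, letter in PAIRS.items():
        d = d.replace(pair, letter)
    return d

def edit_distance(a: str, b: str) -> int:
    # Standard Levenshtein distance; a distance of 1 catches TLD swaps and dropped letters.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    # Naive "last two labels" rule; production code should use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def classify_sender(address: str) -> str:
    # Returns "known", "lookalike of <domain>" or "unknown" for a From/envelope address.
    domain = registrable(address.rsplit("@", 1)[-1].strip().rstrip(">"))
    if domain in KNOWN_DOMAINS:
        return "known"
    for known in KNOWN_DOMAINS:
        if edit_distance(skeleton(domain), skeleton(known)) <= 1:
            return f"lookalike of {known}"
    return "unknown"
```

This catches imitation domains only; mail from a genuinely compromised partner account classifies as "known", which is why the guide also calls for call-back verification of financial requests.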

Baiting

Luring victims with something appealing—a USB drive labeled "Salary Info" left in a parking lot, a free movie download that's actually malware, or a fake job offer that leads to credential harvesting. Exploits curiosity and greed.

Tailgating / Piggybacking

Physically following an authorized person into a restricted area. "Hey, can you hold the door? My hands are full." Exploits politeness and the awkwardness of challenging someone in person.

Quid Pro Quo

Offering something in exchange for information or access. "I'm from IT support, I can fix your slow computer if you give me your login credentials." Targets people frustrated with technical problems.

The Psychology Behind Social Engineering

Robert Cialdini identified six principles of persuasion that social engineers exploit systematically:

Authority

"I'm calling from the CEO's office..." People comply more readily with requests from perceived authority figures.

Urgency / Scarcity

"This must be done in the next 30 minutes..." Time pressure bypasses careful thinking and verification.

Reciprocity

Doing a small favor first creates obligation. "I helped you fix your printer, now could you..."

Social Proof

"Everyone in the department already gave me their credentials..." People follow what others appear to be doing.

Liking

Building rapport before the ask. Friendly, relatable attackers are harder to refuse.

Commitment

Starting with small, harmless requests that escalate. Once you've said yes once, it's harder to say no.

Real-World Social Engineering Attacks

MGM Resorts (2023)

The Scattered Spider group called MGM's IT help desk, impersonated an employee found on LinkedIn, and convinced staff to reset their MFA. This single phone call led to a breach that cost MGM over $100 million in damages and shut down casino operations for days.

Attack type: Vishing + Pretexting

Twitter/X (2020)

A 17-year-old convinced Twitter employees they were a co-worker via phone calls, gaining access to internal admin tools. They hijacked accounts of Barack Obama, Elon Musk, and others to run a Bitcoin scam. Total take: $120,000. Total damage to Twitter: incalculable.

Attack type: Vishing + Pretexting

Ubiquiti (2015)

Attackers impersonated Ubiquiti executives via email, requesting wire transfers from the finance department. The company lost $46.7 million before the fraud was discovered. No malware, no hacking—just convincing emails.

Attack type: Business Email Compromise

How to Protect Against Social Engineering

1. Verify identity through a separate channel

If you receive an unusual request by email, verify it by calling the person directly using a known phone number—not one provided in the suspicious message.

2. Slow down and question urgency

Social engineers create time pressure to bypass rational thinking. Any request that demands immediate action deserves extra scrutiny.

3. Follow established procedures

Legitimate organizations have processes for wire transfers, password resets, and sensitive requests. If someone asks you to bypass the process, that's a red flag.

4. Report suspicious requests

Report social engineering attempts to your security team. Even failed attempts provide valuable intelligence about what attackers are targeting.

5. Train regularly with simulations

Organizations should run phishing simulations and social engineering exercises. People who practice recognizing attacks are far better at catching them.

For organizations

Deploy phishing-resistant MFA (hardware security keys), implement call-back verification for financial requests, and run regular social engineering tabletop exercises. Technology alone won't stop these attacks—processes and culture are equally important.

Frequently Asked Questions

What is the difference between social engineering and phishing?

Phishing is one type of social engineering. Social engineering is the broader category covering any attack that manipulates human psychology—phishing, pretexting, baiting, tailgating, and more. Phishing specifically refers to fraudulent communications (usually email) impersonating trusted entities.

Can social engineering attacks bypass MFA?

Some can. Adversary-in-the-middle (AiTM) phishing places a proxy between the victim and the real login page, relaying the TOTP code in real time and capturing the resulting session token, so the code itself provides no protection. SIM swapping defeats SMS-based MFA. Only hardware security keys (FIDO2/WebAuthn) are fully resistant to phishing-based social engineering.
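The reason a relayed TOTP code works but a relayed FIDO2 assertion does not is what each one binds to. The following added example (not code from this guide) models both: the server checks that the WebAuthn assertion was signed for its own origin and relying-party id, so a login started on a lookalike page fails even though the challenge was relayed unchanged, while the TOTP code names no origin at all. Domains (bank.example, bank-example.com) and secrets are constructed, and an HMAC stands in for the authenticator's private-key signature.

```python
import hashlib, hmac, json, os, struct, time

# Constructed model (not the page's code) of why a relayed WebAuthn assertion fails while a
# relayed TOTP code succeeds. HMAC stands in for the authenticator's private-key signature.
RP_ID = "bank.example"              # constructed relying-party id of the real site
ORIGIN = "https://bank.example"
CRED_SECRET = b"constructed-credential-secret"

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def authenticator_sign(rp_id: str, client_data_json: bytes):
    # The browser fills rpId and origin from the page actually visited; the authenticator
    # signs authenticatorData (rpIdHash | flags | signCount) || sha256(clientDataJSON).
    auth_data = sha256(rp_id.encode()) + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(CRED_SECRET, auth_data + sha256(client_data_json), hashlib.sha256).digest()
    return auth_data, sig

def server_verify(challenge: bytes, auth_data: bytes, client_data_json: bytes, sig: bytes) -> bool:
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False                                    # must answer this server's challenge
    if cd.get("origin") != ORIGIN or auth_data[:32] != sha256(RP_ID.encode()):
        return False                                    # origin / rpId binding defeats relay
    expected = hmac.new(CRED_SECRET, auth_data + sha256(client_data_json), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def webauthn_login(visited_origin: str, visited_rp_id: str) -> bool:
    challenge = os.urandom(32)        # issued by the real server; a proxy can relay it unchanged
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": visited_origin}).encode()
    auth_data, sig = authenticator_sign(visited_rp_id, client_data)
    return server_verify(challenge, auth_data, client_data, sig)

def direct_login() -> bool:           # victim on the real site
    return webauthn_login(ORIGIN, RP_ID)
def relayed_login() -> bool:          # victim on a lookalike proxy page (constructed domain)
    return webauthn_login("https://bank-example.com", "bank-example.com")

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def totp_relay_succeeds(secret: bytes = b"constructed-totp-seed") -> bool:
    # The code typed into the proxy page names no origin, so forwarding it within the step works.
    now = int(time.time())
    return hmac.compare_digest(totp(secret, now), totp(secret, now))
```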

Who are the most targeted victims of social engineering?

Finance departments (wire fraud), IT help desks (password resets), executives (CEO fraud), new employees (unfamiliar with procedures), and anyone with privileged access. Attackers do reconnaissance to identify the best targets within an organization.
