The Plain English Version
Social engineering is manipulating people into giving up confidential information or taking actions that compromise security. It exploits human psychology rather than technical vulnerabilities.
Attackers know that people are often the weakest link. It is easier to trick someone into revealing a password than to crack it technically.
Common Techniques
- Phishing: Fraudulent emails impersonating trusted sources
- Pretexting: Creating a fake scenario to extract information
- Baiting: Offering something enticing (infected USB drives)
- Tailgating: Following authorised people into secure areas
- Quid pro quo: Offering help in exchange for information
Why It Works
- Authority - We tend to comply with people in positions of power
- Urgency - Time pressure makes us skip normal checks
- Fear - Threats make us act without thinking
- Helpfulness - We want to help colleagues and customers
- Trust - We assume good intentions from familiar sources
- Curiosity - We cannot resist clicking on intriguing content
Real-World Examples
A caller claiming to be from IT support who needs your password to fix a problem. An email from the CEO urgently requesting a wire transfer. A USB drive labelled confidential left in the car park. A fake delivery person requesting access to deliver a package.
These attacks succeed because they feel legitimate and play on normal human responses.
Building Defences
Technical controls help (email filtering, MFA) but the real defence is awareness. Staff need to recognise manipulation techniques and feel empowered to verify unusual requests - even from apparent authority figures.
Create a culture where questioning is encouraged. Establish verification procedures for sensitive requests. Regular training and simulated attacks keep awareness high.
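The CEO wire-transfer example above and the verification procedure this section calls for can be partly automated in the email filtering layer. The following is an added example, not code from the original page: it checks one message for the cues listed under "Why It Works" (borrowed authority, urgency, a request for money or credentials) and reports whether it should be confirmed out of band before anyone acts. The executive name, addresses and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed data (assumed values): known addresses of the people whose authority an attacker would borrow.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Cues taken from the "Why It Works" list: time pressure and a request for money or secrets.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|within the hour)\b", re.I)
SENSITIVE = re.compile(r"\b(wire transfer|bank details|gift cards?|password|mfa code)\b", re.I)

def assess_message(raw: str) -> dict:
    """Return the cues found in one message and whether it needs out-of-band verification."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    cues = []
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr != known:
        cues.append("authority: display name is an executive but the address is not theirs")
    if reply_to and reply_to.rsplit("@", 1)[-1] != sender_domain:
        cues.append("reply-to: replies are routed to a different domain")
    urgent, sensitive = URGENCY.search(text), SENSITIVE.search(text)
    if urgent:
        cues.append("urgency: time pressure in subject or body")
    if sensitive:
        cues.append("sensitive: asks for money, credentials or codes")
    # Decision rule: impersonation alone, or urgency combined with a sensitive ask,
    # means the request is confirmed by phone to a known number before anyone acts.
    impersonation = any(c.startswith(("authority", "reply-to")) for c in cues)
    return {"needs_verification": impersonation or bool(urgent and sensitive), "cues": cues}

# Constructed sample messages, not real mail.
CEO_FRAUD = """From: "Jane Doe" <jane.doe@mail-example.net>
Subject: Urgent wire transfer before close of business

I am in a meeting and cannot talk. Please process the wire transfer today.
"""
ROUTINE = """From: "Jane Doe" <jane.doe@example.com>
Subject: Q3 all-hands slides

Attached are the slides for Thursday, no action needed.
"""
```

Run `assess_message(CEO_FRAUD)` to see the three cues that should send the request to a verification call, and `assess_message(ROUTINE)` for a message from the genuine address that raises none.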