
Social Engineering

Published:

Aug 11, 2025


What is Social Engineering?

Social engineering is the art of manipulating people into giving away confidential information or performing actions that compromise security. Social engineers “hack” human psychology — exploiting trust, fear, urgency, or curiosity.

Common types of social engineering

Phishing

Phishing is a social engineering attack where cybercriminals create fake emails, websites, messages, or calls pretending to be from trusted sources to trick individuals into disclosing sensitive information.

Spear Phishing

Similar to phishing, spear phishing is a targeted attack aimed at specific people or organisations, often using personal details to seem legitimate.

Vishing

Voice phishing or vishing is a type of phishing attack done via phone calls. Attackers can call pretending to be from banks, companies or government agencies.

Pretexting

Pretexting is an attack where a fake scenario is created to get information. Attackers invent a false identity or situation to manipulate victims into divulging information. For instance, a cybercriminal can pretend to be from HR and ask you to "confirm" your personal details, such as your date of birth or bank account number.

Baiting

Baiting is an attack where an attacker uses a false promise to lure a victim into a trap. These traps can involve installing malware on a device or tricking the victim into revealing sensitive information.

Tailgating/Piggybacking

Tailgating/Piggybacking is when an attacker gains unauthorized physical access by following someone into a restricted area, for example by walking through a badge-controlled door behind an authorised employee who holds it open.

Quid Pro Quo

Quid Pro Quo promises a benefit in exchange for information. An attacker pretending to be from a trusted source could offer a service in exchange for sensitive information or access.

Common targets of social engineering

Malicious actors usually focus on people or groups with access to valuable resources, information, or systems. While the intended targets are usually individuals with access to sensitive data or systems, anyone can be affected by social engineering attempts. Some examples of targets include:

  • Employees with privileged access (system admins, executives)

  • Finance and HR staff (due to payroll, tax, and payment data)

  • Customer service or help desk teams (can reset accounts)

  • New hires (less familiar with company procedures)

  • Suppliers and contractors (weaker security controls)

  • Individuals using social media heavily (easier to gather personal data)

  • Public-facing staff (receptionists, call center agents)

How to protect yourself from social engineering?

Here are some strategies for staying vigilant online and defending against social engineering attempts:

  • Be skeptical of unexpected requests. Verify any message, email or call before disclosing personal information, and do so through a channel you already trust (for example, call the organisation back on the number printed on its website or your card, not the number given in the message).
  • Don’t click suspicious links. Hover over the link to see where it actually goes; the text you are shown and the real destination can differ, and attackers register look-alike domains that place a brand name inside an unrelated domain.
  • Don’t overshare online. Attackers may use the information you share online to craft their attacks against you.
  • Use multi-factor authentication. This adds an extra layer of protection even if passwords are stolen. Where available, prefer phishing-resistant methods such as passkeys or security keys, because one-time codes can themselves be phished.
  • Educate yourself and others. Awareness is the best defense.
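The "hover over the link" advice above can be turned into a repeatable check. The following is an added example, not code from the original page: it compares a link's display text with its real destination and flags the tricks phishing links commonly rely on (a non-HTTPS scheme, a `user@host` prefix that hides the real host, a bare IP address, a punycode/IDN host, and a brand name embedded in an unrelated domain). The `KNOWN_BRANDS` table and all link samples are constructed for the example.

```python
"""Inspect what a hyperlink actually points to before clicking it.

Added, self-contained example (not code from the original page).
KNOWN_BRANDS is a hypothetical allow-list you would replace with the
domains your organisation really uses; all sample links are constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Hypothetical: registrable domains the reader trusts for these brands.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
}

# Display text that itself looks like a URL or domain name.
URL_LIKE_TEXT = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels (enough for .com-style samples)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_link(display_text, href):
    """Return a list of reasons the link deserves suspicion (empty means none found)."""
    findings = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        findings.append(f"scheme is '{parsed.scheme or 'none'}', not https")

    # https://paypal.com@evil.example/ really goes to evil.example.
    if "@" in parsed.netloc:
        findings.append("userinfo '@' in URL hides the real host")

    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass  # not an IP literal, which is the normal case

    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host may be a homograph of a real domain")

    # If the visible text shows a domain, it must match the real destination.
    m = URL_LIKE_TEXT.match(display_text.strip())
    if m:
        shown = registrable_domain(m.group(1))
        if shown != registrable_domain(host):
            findings.append(f"text shows {shown} but link goes to {host}")

    # Brand name inside the host, but the registrable domain is not the brand's.
    reg = registrable_domain(host)
    for brand, real in KNOWN_BRANDS.items():
        if brand in host and reg != real:
            findings.append(f"'{brand}' appears in host but domain is {reg}, not {real}")

    return findings


if __name__ == "__main__":
    # Constructed samples: one legitimate link and three phishing-style ones.
    samples = [
        ("https://www.paypal.com/signin", "https://www.paypal.com/signin"),
        ("https://www.paypal.com/signin", "http://paypal.com.secure-login.example/verify"),
        ("Click here to verify", "https://xn--pypal-4ve.com/"),
        ("Microsoft account", "https://microsoft.com@203.0.113.5/login"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}")
        for reason in analyze_link(text, href) or ["no obvious problems"]:
            print("   ", reason)
```

The registrable-domain helper is deliberately naive (it ignores multi-label suffixes such as `co.uk`); a production check would use a public-suffix list. The point of the example is the comparison it performs: what the user sees versus where the link actually resolves.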