eastbaycyber

What is social engineering?

FAQs 5 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Short answer

Social engineering is the practice of manipulating people into taking actions that help an attacker. That can include sharing passwords, approving MFA prompts, opening malicious files, changing payment details, or granting physical or remote access.

What is social engineering? It is the use of deception, pressure, impersonation, or trust to trick people into giving up credentials, money, access, or sensitive information. Unlike attacks that start by exploiting software flaws, social engineering attacks target human behavior first. The attacker’s goal is to get someone to click, approve, share, transfer, disclose, or grant access before they stop to verify what is really happening.

How social engineering works

Social engineering works because people make decisions quickly, especially when a message feels urgent, familiar, or authoritative. Attackers build on that by making a request seem normal enough that the target acts before verifying it.

Instead of directly breaking into a system, the attacker tries to persuade a person to open the door.

That might mean convincing someone to:

  • click a fake login link
  • open a malicious attachment
  • read off a one-time passcode
  • approve a fraudulent payment
  • reset access for an impostor
  • share internal data
  • let someone into a restricted space

This is why social engineering is often described as human hacking. The attacker is exploiting trust, routine, fear, urgency, or helpfulness rather than a software bug.

Why social engineering is effective

Even strong organizations are vulnerable because many normal business processes rely on quick judgment and trust. Attackers commonly use psychological triggers such as:

  • urgency: “This needs to happen immediately.”
  • authority: “I’m from IT, finance, legal, or executive leadership.”
  • fear: “Your account will be disabled if you do not act now.”
  • trust: “I’m your coworker, vendor, or bank.”
  • curiosity: “See the attached confidential file.”
  • helpfulness: “Can you help me regain access?”

A message does not need to be perfect to work. It only needs to sound believable enough in the right moment.

For a related entry point, see what is phishing.

Common types of social engineering attacks

Phishing

Phishing is the most familiar form of social engineering. It usually arrives by email and tries to get the victim to:

  • click a fake login page
  • open a malicious file
  • share credentials
  • approve a fake request
  • install malware

Variants include spear phishing, which targets a specific person, and whaling, which targets executives or other high-value staff.

Vishing and smishing

  • Vishing uses phone calls or voicemail.
  • Smishing uses text messages or chat apps.

Examples include fake bank alerts, fake help desk calls, or delivery texts that push the user to click a malicious link.

Pretexting

Phishing and pretexting are closely related, but pretexting usually involves a more developed story. The attacker creates a believable scenario to gain trust or pressure the target.

They may pretend to be:

  • a help desk analyst
  • an auditor
  • a vendor
  • a recruiter
  • a locked-out employee
  • a manager with an urgent request

The attack works because the request feels routine and plausible.

Business email compromise

Business email compromise involves impersonating executives, finance staff, vendors, or legal contacts to push for:

  • wire transfers
  • invoice payment changes
  • payroll updates
  • disclosure of sensitive documents

These attacks often do not require malware. If the impersonation is convincing enough, the deception alone may be sufficient.

For more on that threat, see what is business email compromise.

Baiting and quid pro quo

Baiting offers something enticing, such as:

  • free software
  • a shared document
  • a prize or gift
  • a USB device left in a common area

Quid pro quo offers a service in exchange for information, such as fake tech support asking for credentials to “fix” a problem.

Physical social engineering

Not all social engineering happens online. Attackers may also:

  • tailgate into secure areas
  • impersonate delivery or maintenance staff
  • photograph badges, screens, or whiteboards
  • ask for access in person
  • drop infected media in office areas

This matters because digital and physical compromise often overlap.

Social engineering examples in real life

Many social engineering examples follow a similar pattern:

  1. The attacker researches the target, company, vendor, or process.
  2. They send a message, place a call, or approach in person.
  3. The request creates urgency or leverages trust.
  4. The victim shares information, sends money, or grants access.
  5. The attacker uses that opening for fraud, account takeover, malware deployment, or lateral movement.

In many incidents, the manipulation is just the first stage. It may lead to ransomware, mailbox compromise, or data theft later.

How to prevent social engineering

If you are asking how to prevent social engineering, the answer is not awareness alone. Training matters, but strong controls and process design matter more because they reduce the damage from one bad decision.

Helpful defenses include:

  • phishing-resistant MFA where possible
  • callback verification for sensitive requests
  • approval workflows for payment and vendor changes
  • least-privilege access
  • email filtering and domain protection
  • help desk identity verification procedures
  • clear reporting channels for suspicious messages
  • monitoring for unusual login and mailbox behavior
  • regular practice with realistic attack scenarios

A password manager can also help reduce credential reuse and make fake login pages easier to spot because saved credentials will not autofill on the wrong site. 1Password is one option some readers use to improve password hygiene as part of a broader identity security strategy.

For devices used by less technical users or small teams, endpoint protection may also help catch some payloads that follow a successful social engineering click. Malwarebytes is one option readers may consider as one layer, though it should not be treated as a substitute for process controls or MFA.

Common misconceptions

“Social engineering just means phishing”

No. Phishing is one type of social engineering, but the category also includes phone scams, pretexting, impersonation, text-based fraud, and in-person manipulation.

“Only non-technical users fall for it”

False. Executives, administrators, finance staff, and technical users are all targeted. A believable context can work on almost anyone.

“This is a people problem, not a security problem”

It is both. Social engineering targets people, but preventing real impact depends on security controls, access design, and business process safeguards.

“Annual awareness training is enough”

No. Attack techniques change constantly. Training helps, but verification workflows, MFA, and strong approval controls are what meaningfully reduce risk.

“Social engineering is always low-tech”

Not anymore. Many attacks are well researched, timed around real business events, and supported by compromised mailboxes, fake portals, or realistic impersonation.

Final takeaway

Social engineering is best understood as an attack on judgment and trust. The attacker is trying to manipulate a person into doing something that gives up access, money, or information. The best defense is not expecting people to be perfect. It is designing systems, approvals, and identity controls so one rushed decision does not turn into a major incident.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.