Social Engineering
Psychological manipulation techniques used to deceive people into divulging confidential information, granting access, or performing actions that compromise security.
Definition
Social engineering is the broad category of attack techniques that exploit human psychology rather than technical vulnerabilities. Instead of compromising systems directly, attackers manipulate people — employees, help desk agents, executives, or customers — into taking actions that serve the attacker's objectives. These actions include revealing credentials, transferring funds, installing malware, or granting system access. Social engineering is the human layer of nearly every modern cyberattack.
Why It Matters
The majority of security breaches involve a human element. Technical controls — firewalls, endpoint detection, MFA — are consistently undermined when an attacker can convince a person to voluntarily bypass them. Social engineering is effective across every attack surface: email, phone (vishing), SMS (smishing), in-person, and through social media. Because it targets human cognition rather than software, it cannot be patched. Effective detection requires understanding the psychological patterns attackers exploit.
How It Works
Social engineering attacks are built on a small set of influence principles: authority (impersonating an executive, IT department, or regulator to compel compliance), urgency (creating artificial time pressure to prevent careful evaluation), scarcity (implying a limited window to act), social proof (fabricating consensus or shared context), and fear (threatening negative consequences for inaction). In phishing, these principles are embedded in email body content: subject lines containing URGENT or ACTION REQUIRED, body text referencing an overdue invoice, a suspended account, or a compliance deadline. Attackers combine these with a plausible sender identity and a contextually appropriate pretext to maximize the likelihood of compliance.
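The combination heuristic described above, where a message that stacks several influence principles is a stronger phishing signal than any one cue alone, can be turned into a small scorer. The block below is an added example written for this page, not DFIR Lab's code or its checker; the phrase lists and both sample messages are constructed for illustration.

```python
import re
from dataclasses import dataclass

# One regex list per influence principle named in the text. The phrases are
# illustrative (constructed for this example), not a production lexicon.
PATTERNS = {
    "urgency": [r"\burgent\b", r"action required", r"within \d+ hours?",
                r"\bimmediately\b", r"\boverdue\b"],
    "authority": [r"\b(ceo|cfo|it department|help ?desk|regulator|compliance team)\b"],
    "scarcity": [r"last chance", r"limited time", r"before (the )?deadline",
                 r"expires? (today|soon)"],
    "social_proof": [r"everyone (else )?has", r"all other (staff|employees)"],
    "fear": [r"\bsuspend(ed)?\b", r"\bterminat(e|ed|ion)\b", r"legal action",
             r"\bpenalt(y|ies)\b", r"locked out"],
}

@dataclass
class Message:
    subject: str
    body: str

def detect_influence(msg: Message) -> dict:
    """Return {principle: [matched regexes]} for every principle seen in the message."""
    text = f"{msg.subject}\n{msg.body}"
    hits = {}
    for principle, regexes in PATTERNS.items():
        matched = [r for r in regexes if re.search(r, text, re.IGNORECASE)]
        if matched:
            hits[principle] = matched
    return hits

def is_suspicious(msg: Message, threshold: int = 2) -> bool:
    """Flag a message only when multiple influence techniques are stacked."""
    return len(detect_influence(msg)) >= threshold

# Constructed samples: a typical invoice-pressure pretext and a benign note.
SAMPLE_PHISH = Message(
    "URGENT: Action required - invoice overdue",
    "This is the CFO. Your account will be suspended unless payment is made within 24 hours.",
)
SAMPLE_BENIGN = Message(
    "Lunch on Friday",
    "Hi team, the cafeteria is offering tacos this Friday. Let me know if you'd like to join.",
)

if __name__ == "__main__":
    for m in (SAMPLE_PHISH, SAMPLE_BENIGN):
        print(m.subject, "->", sorted(detect_influence(m)), "suspicious:", is_suspicious(m))
```

Keyword heuristics like this produce false positives on legitimate finance or IT mail, so the score is one signal to weigh alongside sender, header, and link analysis rather than a verdict on its own.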
DFIR Platform
Phishing Email Checker
The DFIR Lab Phishing Email Checker includes social engineering pattern detection as part of its email body analysis. It identifies urgency language, authority impersonation indicators, financial lures, and fear-based manipulation patterns in email content, flagging messages that combine multiple influence techniques — a reliable indicator of phishing intent.