When people imagine a cyberattack, they often picture a hacker in a dark room running code to crack a password. The reality is far less technical — and far more dangerous. The most effective attackers don’t break into systems through software vulnerabilities. They break in through people.
Social engineering is the art of manipulating individuals into revealing confidential information, clicking malicious links, or granting access to systems — all without touching a line of code. It exploits trust, urgency, fear, and helpfulness: the very qualities that make people good colleagues and cooperative humans.
Understanding how these attacks work is the first step to defending against them.
What Is Social Engineering?
Social engineering is any technique that uses psychological manipulation to deceive someone into taking an action that benefits an attacker. The goal might be to obtain a password, gain physical access to a building, authorise a fraudulent payment, or install malware.
Unlike technical hacking, social engineering requires no specialist tools or knowledge of software vulnerabilities. It requires an understanding of human psychology — and most people are predictable when placed under pressure or approached with apparent authority.
Social engineering attacks affect individuals and businesses of all sizes. Many of the largest data breaches in history — including the 2020 Twitter hack, the 2021 Colonial Pipeline ransomware attack, and countless banking frauds — involved a social engineering component.
Phishing
Phishing is the most widespread form of social engineering. The attacker sends an email designed to look like it comes from a legitimate organisation — a bank, a delivery company, Microsoft, or a government department — with the goal of getting the recipient to click a link or open an attachment.
The link typically leads to a convincing fake login page that harvests the victim’s credentials. The attachment may install malware or ransomware.
Phishing emails often create urgency: “Your account has been suspended — verify your identity immediately.” They exploit the fear of losing access or facing a penalty. In 2026, AI-generated phishing emails are increasingly difficult to distinguish from genuine communications — grammar errors and awkward phrasing, once a reliable warning sign, are largely gone.
For a deeper look at how AI is changing phishing, see our article on AI-powered phishing attacks in 2026.
Spear Phishing
Where standard phishing casts a wide net, spear phishing is targeted. The attacker researches their target — often using LinkedIn, company websites, and social media — and crafts an email that feels personally relevant.
For example, an attacker targeting a finance team member might send an email appearing to be from the company’s CEO:
“Hi Sarah, I’m in a meeting and need you to process an urgent wire transfer for a new supplier. Can you action this today? Details attached.”
This is called a Business Email Compromise (BEC) attack. It combines spear phishing with impersonation and is responsible for billions of pounds in losses to businesses each year. The attacker doesn’t need to hack any system — they just need Sarah to trust what looks like a message from her boss.
Vishing (Voice Phishing)
Vishing is phishing conducted over the phone. An attacker calls the target impersonating a trusted authority — an IT support technician, a bank fraud department, HMRC, or a software vendor.
A typical vishing script might be: “Hi, I’m calling from Microsoft security. We’ve detected unusual activity on your Windows device. I need to help you secure it remotely — can you go to your computer and type the following?” The attacker then walks the victim through installing remote access software.
AI-generated voice cloning now allows attackers to impersonate specific individuals. Cases have been reported of employees receiving calls that sound exactly like their manager or CEO, authorising wire transfers or sharing access credentials.
Smishing (SMS Phishing)
Smishing uses text messages rather than email. The format is similar to phishing but takes advantage of the fact that people tend to trust and act on text messages more quickly than emails.
Common smishing attacks include fake parcel delivery notifications (“Your package is on hold — click here to reschedule”), bank fraud alerts, and HMRC tax refund messages. The links lead to credential-harvesting sites or prompt the victim to call a fraudulent number.
Pretexting
Pretexting involves creating a fabricated scenario — a pretext — to extract information or access. The attacker invents an identity and a reason for the interaction that makes their request seem legitimate.
Real-world examples include:
- An attacker calling a company’s IT helpdesk, claiming to be a new employee who has been locked out of their account on their first day. Helpdesk staff, wanting to be helpful, may reset credentials without following verification procedures.
- A “journalist” contacting employees to gather background information about internal systems or security practices for a supposed article.
- A “supplier” asking accounts payable to update bank details — ahead of a large invoice payment.
Pretexting attacks are particularly effective because the attacker controls the narrative. By establishing a believable context first, they make the target feel that co-operating is the right thing to do.
Baiting
Physical Baiting: USB Drops
A classic baiting attack involves leaving infected USB drives in car parks, reception areas, or office kitchens, labelled with something intriguing: “Salary Review 2026” or “Confidential — Board Meeting”. Curiosity is a powerful motivator. When an employee plugs it in, malware is automatically installed.
Studies have consistently found that a significant percentage of people will plug in a found USB drive. Even security-aware organisations are vulnerable if staff haven’t been trained on this specific threat.
Online Baiting
Online baiting offers something desirable in exchange for credentials or a download. The lure is free software, pirated media, or access to exclusive content; the download actually installs malware, or the link redirects to a credential-harvesting page.
Quid Pro Quo
Quid pro quo attacks offer a service in exchange for information. An attacker might call staff at random claiming to be from IT support and offer to help with a computer problem — in exchange for the user’s login details to “diagnose” the issue. The offer of help makes the exchange feel fair and reasonable.
Tailgating and Physical Access
Not all social engineering is digital. Tailgating (also called piggybacking) is when an unauthorised person follows an authorised employee through a secure door — taking advantage of politeness. Most people hold a door open for someone who appears to be a colleague carrying boxes or dressed in a uniform.
Physical social engineering can be combined with digital attacks — an attacker who gains access to an office can plant devices on the network, access unlocked computers, or steal physical documents.
How to Defend Against Social Engineering
Verify Before You Trust
The single most effective defence is to independently verify any request for sensitive action before complying. If you receive an email from your CEO asking for an urgent transfer, call them on a known phone number — not the one provided in the email — to confirm.
Slow Down on Urgency
Urgency is the attacker’s greatest weapon. When a request feels pressured — “do this now or face consequences” — treat that as a red flag, not a reason to rush. Legitimate organisations give you time to verify. Attackers do not.
Use Multi-Factor Authentication (MFA)
Even if an attacker successfully obtains a password through phishing, MFA means the stolen password alone is not enough to log in. Hardware security keys provide the strongest protection against phishing-specific credential theft. See our guide on multi-factor authentication solutions for an overview of available options.
Train Your Staff
Regular security awareness training — including simulated phishing tests — significantly reduces the click rate on phishing emails. Training should be ongoing, not a one-off induction exercise, because attack techniques evolve constantly.
Use a Password Manager
Password managers that autofill credentials only on the correct domain provide protection against lookalike phishing sites. If you’re on paypa1.com instead of paypal.com, your password manager won’t autofill — giving you a moment to notice the discrepancy. See our guide to password managers for recommendations.
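The domain-matching behaviour described above, as an added example that is not part of the original article and not the code of any real password manager: a saved credential is bound to the exact origin it was saved on, autofill happens only on an exact origin match, and a near-miss host such as paypa1.com is flagged rather than filled. The vault entries and URLs are constructed sample data; the code uses the WHATWG URL class that Node.js and browsers provide.

```javascript
// Added example, not code from the article: a minimal autofill gate of the kind
// a password manager applies. A saved credential is bound to the exact origin
// (scheme + host + port) it was saved on, and autofill happens only when the
// current page's origin matches, so a lookalike host gets nothing.
// The vault entries and URLs below are constructed sample data.

const savedCredentials = [
  { origin: "https://www.paypal.com", username: "sarah@example.com" },
  { origin: "https://online.example-bank.co.uk", username: "sarah" },
];

// Canonical origin for comparison. The WHATWG URL parser lowercases the host,
// drops default ports and converts internationalised domain names to punycode
// (xn--...), so a Cyrillic "а" in "pаypal" cannot pass as the Latin one.
// Anything that is not HTTPS, or does not parse, is refused outright.
function pageOrigin(urlString) {
  let u;
  try { u = new URL(urlString); } catch { return null; }
  if (u.protocol !== "https:") return null;
  return u.origin;
}

// Credentials the manager may offer on this page: exact-origin matches only.
function credentialsForPage(urlString, vault = savedCredentials) {
  const origin = pageOrigin(urlString);
  if (origin === null) return [];
  return vault.filter((c) => pageOrigin(c.origin) === origin);
}

// Levenshtein distance between two strings; used only to explain to the user
// why nothing was filled, never to decide that something should be.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Saved hosts that differ from the current host by at most `maxDistance`
// characters. A near miss with no exact match is the "paypa1.com" situation:
// the right response is a visible warning, not a fill.
function lookalikeWarnings(urlString, vault = savedCredentials, maxDistance = 1) {
  let host;
  try { host = new URL(urlString).host; } catch { return []; }
  return vault
    .map((c) => new URL(c.origin).host)
    .filter((saved) => saved !== host && editDistance(saved, host) <= maxDistance);
}

// Stand-alone demonstration when run directly with Node.js.
if (typeof require !== "undefined" && require.main === module) {
  for (const url of [
    "https://www.paypal.com/signin",
    "https://www.paypa1.com/signin",
    "http://www.paypal.com/signin",
  ]) {
    const creds = credentialsForPage(url);
    const warn = lookalikeWarnings(url);
    const verdict = creds.length
      ? "autofill " + creds[0].username
      : warn.length ? "NO FILL, host resembles saved " + warn.join(", ") : "NO FILL";
    console.log(url, "->", verdict);
  }
}
```

The design point is that the fill decision and the warning are separate: the exact-origin comparison is the only thing that can release a credential, while the edit-distance check exists to turn a silent non-fill into the "moment to notice the discrepancy" the text describes.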
Clear Policies for Sensitive Actions
Businesses should have documented, enforced policies for sensitive actions such as wire transfers, password resets, and access provisioning. Policies that require dual authorisation or out-of-band verification for financial transactions remove the ability for a single social engineering attack to succeed.
Summary
Social engineering is effective because it targets humans rather than systems — and humans are far harder to patch than software. The attacks described in this guide work because they exploit normal human responses: trust, helpfulness, urgency, and curiosity.
Defending against them requires a combination of technical controls (MFA, password managers) and cultural ones (trained, sceptical staff and clear verification procedures). The most secure organisations treat every unexpected request for access or information as suspicious until verified — not because they distrust their colleagues, but because they understand how attackers think.