When we picture a cyber attack, we often imagine someone hacking through technical defences. In reality, many of the most damaging breaches begin with something far simpler: manipulating a person. This is social engineering — and it's one of the most effective tools in an attacker's kit.
Why It Works
Social engineering exploits human nature rather than software flaws. Attackers rely on trust, authority, urgency, curiosity and the desire to be helpful. Because it targets people, even organisations with strong technical defences can fall victim.
Common Techniques
- Phishing — fraudulent emails or messages that trick people into revealing information or clicking malicious links.
- Pretexting — inventing a believable scenario, such as posing as IT support, to extract information.
- Baiting — tempting victims with something desirable, like a free download or a "lost" USB drive.
- Tailgating — physically following an authorised person into a secure area.
- Business email compromise — impersonating an executive or supplier to authorise fraudulent payments.
How to Defend Against It
Because social engineering targets people, defence must too. The most resilient organisations combine technology with a strong security culture:
- Regular, engaging awareness training and phishing simulations.
- Clear verification processes for sensitive requests — especially payments and access changes.
- A blame-free culture that encourages people to report mistakes and suspicions quickly.
- Technical controls like multi-factor authentication that limit the damage of stolen credentials.
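The verification step in the list above can be partly automated: mail can be scored for the tell-tale signs of business email compromise (a spoofed display name, a look-alike sender domain, a Reply-To that diverts the conversation elsewhere, and urgent payment language), and anything that scores highly is routed to a human for out-of-band confirmation rather than acted upon. The following is an added example, not code from the original post; the mail domain, staff directory and the two sample messages are all constructed for illustration.

```python
"""Score inbound mail for business-email-compromise indicators.

Added example, not part of the original article. Assumptions: the
organisation's own domain is example.com and the staff directory below
is a stand-in for a real one.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

OWN_DOMAIN = "example.com"                               # assumption
DIRECTORY = {"dana chen": "dana.chen@example.com"}       # constructed roster

# Pressure language, and language that asks for money or banking changes.
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|right away|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|bank details|payment|gift cards?)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Return the indicators found in one RFC 5322 message and a triage decision."""
    msg = message_from_string(raw, policy=default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")

    indicators = []
    # 1. Display name belongs to someone in the directory, but the address does not.
    key = re.sub(r"\s*\(.*?\)", "", from_name).strip().lower()
    if key in DIRECTORY and from_addr.lower() != DIRECTORY[key]:
        indicators.append("display_name_impersonation")
    # 2. Sender domain is one character away from our own.
    if from_dom != OWN_DOMAIN and edit_distance(from_dom, OWN_DOMAIN) == 1:
        indicators.append("lookalike_domain")
    # 3. Replies are steered to a domain other than the visible sender's.
    if reply_addr and domain_of(reply_addr) != from_dom:
        indicators.append("reply_to_mismatch")
    # 4. Urgency combined with a request to move money or change bank details.
    if URGENCY.search(text) and PAYMENT.search(text):
        indicators.append("urgent_payment_language")

    return {
        "indicators": indicators,
        "score": len(indicators),
        # Two or more signs: hold the request until confirmed by phone or in person.
        "verify_out_of_band": len(indicators) >= 2,
    }


# Constructed sample messages (not real mail).
SUSPECT = """\
From: "Dana Chen (CEO)" <dana.chen@examp1e.com>
Reply-To: <dana.chen@mail-personal.test>
To: finance@example.com
Subject: Urgent: supplier wire transfer today

I need you to process a wire transfer to a new supplier before 5pm.
I am in meetings all day, so please handle it today and keep it confidential.
"""

BENIGN = """\
From: "Dana Chen" <dana.chen@example.com>
To: finance@example.com
Subject: Team lunch next week

Would Thursday work for the team lunch? Let me know.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The score is deliberately a count of independent signals rather than a single rule: any one of them occurs in legitimate mail (executives do use personal Reply-To addresses, genuine invoices are sometimes urgent), so the policy action is triggered only when they coincide, and that action is to verify, not to silently drop.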
Social engineering will always exist because human nature doesn't change. But with awareness, good processes and the right culture, your people can become your strongest defence rather than your greatest vulnerability.
