What Is Social Engineering: Phishing, Pretexting, and Human Hacking
Social engineering exploits human psychology rather than technical vulnerabilities. Learn how phishing, pretexting, vishing, and other manipulation tactics work—and how to defend against them.
What Is Social Engineering?
Social engineering is the art of manipulating people into divulging confidential information or performing actions that compromise security. Unlike traditional hacking, which targets software vulnerabilities, social engineering targets the most unpredictable element in any security system: the human being. Attackers exploit trust, authority, fear, urgency, and curiosity to bypass technical defenses that would otherwise stop them cold.
The term covers a wide range of deceptive tactics, from elaborate multi-week impersonation campaigns to a single fraudulent email. What unites them is the reliance on psychological manipulation rather than brute-force code-breaking. Security experts often say that a well-crafted social engineering attack is cheaper, faster, and more reliable than trying to exploit a patched software vulnerability.
The consequences are severe. According to the Verizon Data Breach Investigations Report, social engineering is involved in a majority of all data breaches. Attackers use it to steal credentials, install malware, transfer funds, and gain physical access to restricted facilities. No organization—from a small startup to a Fortune 500 company—is immune.
Phishing: The Most Common Attack Vector
Phishing is the sending of fraudulent communications—typically emails—that appear to come from a trusted source, with the goal of tricking recipients into revealing sensitive data or clicking a malicious link. The name comes from "fishing," because attackers cast a wide net hoping someone will take the bait. A mass phishing campaign might send millions of emails to harvest a small percentage of victims.
Spear phishing is a targeted variant. Instead of a generic message, attackers research their target—scraping LinkedIn profiles, company websites, and social media—to craft a highly personalized email. A spear-phishing message might reference a real colleague's name, a recent company project, or a specific internal system, making it extraordinarily convincing. Executive impersonation, sometimes called CEO fraud or Business Email Compromise (BEC), is a particularly damaging form that has cost companies billions of dollars.
Whaling targets high-level executives specifically. A "whale" attack against a CFO might involve an email appearing to come from the CEO asking for an urgent wire transfer. Smishing extends phishing to SMS text messages, while vishing (voice phishing) uses phone calls. In a vishing attack, a caller might impersonate an IRS agent, a bank fraud department, or an IT helpdesk to extract account credentials or Social Security numbers.
Pretexting: Building a False Scenario
Pretexting involves creating a fabricated scenario—a "pretext"—to extract information from a victim. The attacker adopts a false identity and invents a situation that makes their request seem legitimate. Common pretexts include posing as a new employee who needs access credentials, a vendor performing a routine audit, a bank security agent verifying account activity, or a technician who needs to remotely access a computer to fix a problem.
A sophisticated pretexting attack may unfold over days or weeks. The attacker might first call the IT helpdesk pretending to be an employee, gather names of real employees and internal system names, and then use that information to make a follow-up call to a different department appear completely credible. Each interaction builds the attacker's knowledge and cover story.
The 2011 RSA SecurID breach began with a phishing email containing a spreadsheet titled "2011 Recruitment Plan." Employees who opened it installed a backdoor that eventually led attackers to steal SecurID seed values. Similarly, the 2020 Twitter hack involved attackers calling Twitter employees, impersonating IT staff, and convincing them to hand over credentials to internal tools—then using those tools to take over high-profile accounts including those of Barack Obama and Elon Musk.
Other Social Engineering Techniques
Baiting involves leaving physical media—USB drives, CDs—in places where targets are likely to find them, hoping curiosity will compel someone to plug it in and unknowingly install malware. Studies have shown that people plug in found USB drives at remarkably high rates, even in security-conscious environments. Attackers label drives with enticing names like "Salary Data" or "Confidential" to increase uptake.
Quid pro quo attacks offer something in exchange for information. An attacker might call employees offering free IT support or a prize, then ask for login credentials to "verify their identity." Tailgating (or piggybacking) is a physical social engineering technique where an unauthorized person follows an authorized employee through a secured door, counting on politeness to prevent anyone from challenging them.
Scareware bombards victims with alarming fake alerts—pop-ups warning that their computer is infected and urging them to download "antivirus" software that is itself malware. Watering hole attacks compromise websites frequently visited by a target group, infecting visitors with malware. The attacker doesn't go to the victim; they poison a place the victim will naturally go.
Why Social Engineering Works: The Psychology
Social engineering succeeds because it exploits cognitive biases and social norms that are otherwise beneficial. Authority bias makes people inclined to comply with requests from figures of authority—a "boss," a "police officer," or an "IT department." Attackers impersonate these roles to make targets feel they have no choice but to comply. Urgency and scarcity trigger fight-or-flight instincts that override careful deliberation; a message that says "Your account will be closed in 24 hours" pushes people to act before they think.
Social proof leads people to follow the behavior of others. An attacker who says "I already spoke with your colleague Sarah who gave me this information" makes the target feel the action is already normalized. Reciprocity—the human inclination to return favors—is exploited by attackers who first offer something small before making their real request. Liking and familiarity make targets more cooperative; attackers who find common ground ("I see you went to Michigan too!") build rapport that lowers defenses.
Fear of conflict also plays a role. Many people will comply with an unusual request rather than create an awkward situation by asking questions. Security cultures that punish excessive caution make this worse. Organizations that train employees to "just be helpful" inadvertently cultivate the exact mindset attackers depend on.
Defending Against Social Engineering
Technical controls matter but are insufficient on their own. Multi-factor authentication (MFA) prevents credential theft from leading directly to account compromise—even if an attacker phishes a password, they still need the second factor. Email filters with anti-phishing AI can catch many mass phishing attempts. Domain-based Message Authentication, Reporting, and Conformance (DMARC) helps prevent email spoofing. But no technical control stops a human from voluntarily handing over their MFA code to a convincing caller.
Security awareness training is essential. Employees should understand the common pretexts attackers use, be trained to verify identities through official channels before acting on unusual requests, and feel empowered to say no or escalate suspicious contacts without fear of punishment. Simulated phishing exercises—sending fake phishing emails to employees and tracking who clicks—are one of the most effective ways to build and measure awareness, as long as the results are used for training rather than punishment.
Organizations should establish clear procedures for sensitive actions: wire transfers should require multi-person approval and voice confirmation via known phone numbers, not numbers provided by the requester. A callback policy—where employees hang up and call back using an official number—defeats most vishing attacks. Least-privilege access limits the damage any one compromised account can cause. Physical security measures, including visitor logs, badge-only access, and training employees to challenge unfamiliar people, reduce tailgating risks. Social engineering is ultimately a people problem that requires a people solution, reinforced by technology.
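DMARC, named above as the control against email spoofing, works by checking that the domain in the visible From: header is aligned with a domain that actually passed SPF or DKIM, then applying the published policy. The following is an added example, not code from the article: a simplified DMARC alignment and disposition check that assumes the DMARC record is supplied inline rather than fetched from DNS, and approximates the organizational domain by the last two labels instead of the Public Suffix List.

```python
import re

def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}  # relaxed alignment, no policy
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for the PSL-based organizational domain.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_dom: str, auth_dom: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_dom:
        return False
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def extract_from_domain(header_from: str) -> str:
    """Pull the domain out of a From: header such as 'CEO <ceo@example.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", header_from)
    return match.group(1).lower() if match else ""

def dmarc_disposition(header_from, record, spf_domain="", spf_pass=False,
                      dkim_domain="", dkim_pass=False) -> str:
    """Return 'pass', or the record's p= policy ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc(record)
    from_dom = extract_from_domain(header_from)
    # DMARC passes if either authenticated identifier is aligned with the From: domain.
    spf_ok = spf_pass and aligned(from_dom, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_dom, dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]

if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; adkim=s; aspf=r"  # constructed record for example.com
    # Constructed lookalike: display name says "CEO", but SPF passed for another domain.
    print(dmarc_disposition("CEO <ceo@example.com>", policy,
                            spf_domain="mail.example-support.net", spf_pass=True))
```

Display-name tricks are not caught by this check at all; it only answers whether the From: domain itself is spoofed, which is why the callback and approval procedures above still matter.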