Social Engineering
Psychological manipulation techniques used by attackers to trick people into revealing information, granting access, or taking actions that compromise security.
What Is Social Engineering?
Social engineering is the use of psychological manipulation to deceive people into divulging confidential information or performing actions that benefit an attacker. Unlike technical attacks that exploit software vulnerabilities, social engineering exploits human psychology — trust, authority, urgency, fear, and helpfulness.
It's often described as "hacking people" rather than hacking systems — and it's devastatingly effective. Even organisations with strong technical security can be compromised through a well-crafted social engineering attack.
Common Social Engineering Techniques
Phishing: Fraudulent emails, texts, or calls impersonating trusted entities to steal credentials or deliver malware.
Pretexting: Creating a fabricated scenario to extract information. A classic example: an attacker calls IT support claiming to be a new employee locked out of their account.
Baiting: Leaving infected USB drives in company car parks or lobbies, hoping an employee plugs one in.
Quid pro quo: Offering a service or benefit in exchange for information ("I'll fix your computer issue — just confirm your password first").
Tailgating / piggybacking: Following an authorised employee into a secure area without swiping a badge.
Business Email Compromise (BEC): Impersonating executives or suppliers via email to authorise fraudulent wire transfers or share sensitive data.
Vishing: Voice phishing — calls from fake IT support, banks, or government agencies.
Why Social Engineering Works
Humans are wired for social trust. We respond to authority, urgency, and familiarity. Attackers exploit this by:
- Creating time pressure ("Your account will be suspended in 2 hours")
- Leveraging authority ("I'm calling from the CEO's office")
- Using familiarity ("I saw on LinkedIn you're working on Project X")
- Appealing to helpfulness ("I just need this one thing to finish my report")
Defending Against Social Engineering
- Security awareness training: Regular training on recognising social engineering tactics
- Verification procedures: Always verify unusual requests through a known-good channel
- Strong MFA: Even if credentials are stolen, MFA blocks many attacks
- Clear escalation paths: Staff should feel safe reporting suspicious interactions without blame
- Out-of-band verification for wire transfers: Financial requests over email must be confirmed by phone
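The BEC technique and the out-of-band verification control above, as an added defensive example that is not part of the original page: a small Python filter that flags the typical markers of an executive-impersonation email (an executive's name on an external address, a Reply-To that differs from the sender, urgent payment language, and wording that steers the recipient away from a phone call). The internal domain, executive names and both sample messages are constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"           # assumption: the organisation's own mail domain
EXECUTIVES = {"jane doe", "john smith"}   # assumption: names an attacker would impersonate
URGENCY = re.compile(r"\b(urgent|today|immediately|asap|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|invoice|bank details|gift cards?)\b", re.I)

# Constructed sample messages (not real mail): one BEC-style lure, one benign note.
SAMPLE_BEC = """\
From: "Jane Doe (CEO)" <jane.doe.ceo@mail-example.net>
Reply-To: <accounts@mail-example.net>
To: finance@example.com
Subject: Urgent wire transfer needed today

Please send the wire transfer before 2pm. I'm in meetings all day, don't call.
"""
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

Attached is the agenda for Thursday.
"""

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC heuristics a raw RFC 5322 message trips (empty list = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    hits = []
    # 1. An executive's name in the display name, but the address is not ours.
    bare_name = re.sub(r"\(.*?\)", "", name).strip().lower()
    if any(e in bare_name for e in EXECUTIVES) and sender_domain != INTERNAL_DOMAIN:
        hits.append("executive display name on external address")
    # 2. Reply-To routes answers to a different mailbox than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        hits.append("reply-to differs from sender")
    # 3. Time pressure combined with a payment request.
    if URGENCY.search(text) and PAYMENT.search(text):
        hits.append("urgent payment request")
    # 4. Wording that discourages out-of-band (phone) verification.
    if re.search(r"\b(don'?t|do not) (call|phone)\b", text, re.I):
        hits.append("discourages phone verification")
    return hits
```

Any non-empty result is a cue to apply the verification procedure, not a verdict on its own; a legitimate message can trip one heuristic, which is why the rule returns every indicator rather than a single score.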