The most sophisticated technical security controls in the world can be bypassed by a phone call. Not because the controls fail — but because a person with the right access picks up the phone, trusts the caller, and hands over what the attacker needs. Social engineering is the exploitation of human psychology rather than software vulnerabilities, and it is consistently the most effective method attackers use to breach organizations.
Kevin Mitnick — one of the most notorious hackers in history — famously said that the human is the weakest link in the security chain. That was true when he said it decades ago. It is more true now, because AI has given attackers the ability to conduct sophisticated, personalized social engineering attacks at industrial scale.
Understanding how social engineering works is not optional for anyone in security — and it is increasingly important for everyone else too. These attacks target your colleagues, your family members, and your organization's vendors and partners just as readily as they target you.
How social engineering works — the psychological levers
Social engineering works by exploiting predictable human psychological responses. Attackers do not invent new psychology — they apply well-understood principles of influence to manipulate targets into taking specific actions. Understanding these principles is the starting point for recognizing when they are being used against you.
TRIGGER 01
Authority
People comply with requests from perceived authority figures — executives, IT departments, regulators, law enforcement. Attackers impersonate authority to bypass normal skepticism.
"This is the IT helpdesk. We need your credentials to resolve a critical security issue on your account."
TRIGGER 02
Urgency
Time pressure prevents deliberate thinking. When people feel rushed, they skip verification steps and act on instinct. Manufactured urgency is a core social engineering technique.
"Your account will be permanently suspended in 30 minutes unless you verify your identity immediately."
TRIGGER 03
Fear
Fear of negative consequences — account closure, legal action, security breach, financial loss — bypasses rational evaluation. Attackers create fear to motivate compliance before reflection can occur.
"We have detected ransomware on your network. You must provide remote access immediately to prevent spread."
TRIGGER 04
Social proof
People look to others' behavior to guide their own. Attackers reference colleagues, managers, or processes to create the impression that the requested action is normal and expected.
"Sarah from finance already sent over her details. We just need yours to complete the audit."
TRIGGER 05
Liking and trust
People comply more readily with requests from people they like or feel connected to. Attackers build rapport, reference shared connections, and mirror communication styles to establish false trust.
"I was referred by your colleague James — he said you were the right person to speak to about this."
TRIGGER 06
Reciprocity
The obligation to return favors. Attackers do something helpful first — providing information, solving a problem — to create a sense of obligation that makes subsequent requests harder to refuse.
"I've already fixed the issue with your account — I just need you to confirm your password to complete the process."
The most common social engineering techniques
Phishing
Deceptive emails, SMS messages, or social media communications that manipulate recipients into clicking malicious links, opening infected attachments, or providing credentials. Covered in depth in the phishing guide — the most common social engineering vector by volume.
REAL SCENARIO
An employee receives a convincing email appearing to be from their CEO asking them to purchase gift cards urgently for a client presentation. The email uses the CEO's name, writing style scraped from public communications, and creates urgency. The employee complies without verifying.
Pretexting
Creating a fabricated scenario — a pretext — to extract information or access. The attacker invents a plausible identity and situation that gives them a reason to request what they want. A classic example is impersonating an IT auditor who needs system access for a compliance review.
REAL SCENARIO
An attacker calls an employee claiming to be from the company's IT vendor conducting a routine security audit. They reference real internal systems and personnel names found on LinkedIn. They ask the employee to install a "diagnostic tool" — which is remote access malware.
Vishing
Phone-based social engineering. Attackers call targets impersonating IT support, bank fraud departments, government agencies, or internal personnel. AI voice cloning now enables impersonation of specific named individuals using audio cloned from public recordings. The MGM Resorts breach in 2023 began with a vishing call to their IT helpdesk.
REAL SCENARIO — MGM 2023
Attackers called MGM's IT helpdesk impersonating an employee. Using information found on LinkedIn, they passed identity verification and convinced the helpdesk to reset credentials, providing the initial access for a $100M+ ransomware attack.
Tailgating
Physical social engineering — following an authorized person through a secured door without presenting credentials of one's own. Relies on social norms around holding doors for people and the awkwardness of challenging someone who appears to belong. More common than most organizations acknowledge.
REAL SCENARIO
An attacker dressed in business attire carrying a laptop bag and coffee follows an employee through a badge-access door, saying "thanks, my hands are full." Once inside they access an unattended workstation or plant a hardware keylogger.
Baiting
Leaving physical media — USB drives, CDs — in locations where targets are likely to find and use them, relying on curiosity. Studies have shown that a significant percentage of people plug in unknown USB drives they find. Modern USB attacks can execute malware within seconds of connection.
REAL SCENARIO
USB drives labeled "Q3 Salary Review — Confidential" are left in a company car park. Multiple employees plug them into work computers. The drives execute malware immediately on connection, before any file is opened.
Quid pro quo
Offering something of value in exchange for information or access. Attackers call employees offering technical support, IT assistance, or other services in exchange for credentials or system access. The reciprocity principle makes people more willing to provide something after receiving something first.
REAL SCENARIO
An attacker calls employees claiming to be from IT, saying they are offering a free upgrade to the company VPN client. To "complete the upgrade," they need the employee's credentials. Employees who would refuse a cold request for credentials comply after receiving the "service."
How AI has changed social engineering
Social engineering has always been effective. AI has made it devastatingly scalable. The changes are not incremental — they are categorical.
Personalization at machine scale. Effective spear phishing previously required hours of manual research per target. AI tools can scrape LinkedIn profiles, company websites, news mentions, social media, and court records to build detailed target profiles in seconds. Thousands of personalized attack messages can be generated in the time it once took to craft one.
Voice cloning. Three seconds of audio is sufficient to clone a voice convincingly. Public recordings — podcast appearances, YouTube videos, earnings calls, voicemail greetings — provide the source material. Attackers can now conduct vishing attacks using the cloned voice of someone's actual manager, spouse, or colleague.
Real-time deepfake video. Video conferencing attacks using real-time deepfake technology have moved from theoretical to documented. Finance employees have authorized wire transfers after video calls with convincing deepfakes of their CFO and colleagues. The $25 million Hong Kong deepfake case in 2024 established that this attack is operational, not hypothetical.
OSINT automation. Open source intelligence gathering — researching targets using publicly available information — has been automated. AI tools can build comprehensive psychological and organizational profiles of targets that inform highly effective attack approaches.
If someone claiming to be a colleague, executive, or trusted contact makes an unusual request — especially one involving money, credentials, or access — verify through a completely separate channel before acting. Call a number you already have. Do not use contact details provided in the suspicious communication.
How to defend against social engineering
DEFENSE CONTROLS — SOCIAL ENGINEERING
1. Verify through separate channels
Any unusual request — especially involving credentials, financial transactions, or access — should be verified by contacting the requester through a channel you already have and trust. Call the number on file. Send a message on the platform you normally use. Never verify by replying to the suspicious communication itself.
2. Follow process regardless of who is asking
Social engineering frequently relies on the apparent authority of the requester to bypass normal process. A request to skip verification, bypass approval workflows, or handle something "off the record" should trigger more scrutiny, not less — regardless of how senior the requester appears to be.
3. Treat urgency as a red flag
Legitimate requests are rarely genuinely urgent in a way that prevents basic verification. Artificial urgency is a manipulation technique. When pressure to act immediately is applied, slow down deliberately. The urgency itself is the signal that something is wrong.
4. Implement callback verification for financial requests
Any request to transfer funds, change bank account details, or authorize payments should require a verbal confirmation via a known phone number — not a number provided in the request. This single control defeats the majority of business email compromise and invoice fraud attacks.
5. Never plug in unknown physical media
USB drives, charging cables, and other physical media found in public places or received unexpectedly should not be connected to any device. Modern USB attacks execute instantly on connection before any file is opened. The curiosity that makes baiting effective is predictable — awareness of it is the defense.
6. Limit publicly available information
Social engineering is powered by OSINT — publicly available information about you, your role, your colleagues, and your organization. Review what your LinkedIn profile reveals. Consider what organizational charts, press releases, and social media posts disclose to someone building an attack profile.
7. Create a culture where verification is normal
The social pressure that makes social engineering effective — not wanting to seem paranoid or unhelpful — is reduced when verification is normalized. Organizations where anyone can ask "can I verify your identity?" without social friction are significantly harder to social engineer than those where such requests are seen as rude.
The limits of awareness training
Security awareness training is valuable. It is not sufficient on its own. The reason is that social engineering is designed to work under conditions of distraction, time pressure, and trust — precisely the conditions that make deliberate thinking difficult. Training that teaches people to recognize social engineering in a calm, low-pressure classroom environment does not reliably transfer to high-pressure real-world situations.
The controls that actually work against social engineering are process-based rather than awareness-based. Mandatory callback verification for financial transactions. Approval workflows that require multiple parties. Technical controls that limit what can be done with stolen credentials. These controls work regardless of whether the targeted individual recognizes the attack.
Awareness training and process controls are complementary, not substitutes. People who understand how social engineering works are more likely to follow verification processes and less likely to feel the social pressure that makes compliance easier than resistance. But awareness alone, without supporting process and technical controls, leaves organizations significantly exposed.