threat level: human

man social-engineering

What Is Social Engineering?

Social engineering is the art of hacking people instead of computers. Rather than break through a firewall, the attacker manipulates a person into handing over information, access, or money. It is the oldest technique in security and still the most effective, because it targets human judgment, not software.

Around 60% of data breaches involve a human element (a click, a reply, or a phone call), according to Verizon's 2025 Data Breach Investigations Report.

Why social engineering works

Good social engineering does not feel like an attack. It feels like a normal request from a believable person. Attackers lean on a handful of predictable human triggers:

  • Authority: a message that appears to come from a boss, the IT team, a bank, or the government.
  • Urgency and fear: a deadline, a threat, or a problem that must be fixed right now, before you have time to think.
  • Trust and familiarity: details that make the message feel personal (your name, your employer, your city, your recent purchase).
  • Reciprocity: a small favor or gift that makes you feel obligated to help back.
  • Social proof: the sense that everyone else has already complied, so you should too.

The familiarity is the whole game. The more a message seems to already know about you, the more you should slow down, not speed up.

Common types of social engineering

  • Phishing: mass fraudulent emails that impersonate a trusted brand to steal credentials or deliver malware.
  • Spear phishing: a targeted version aimed at a specific person, using real details to raise believability.
  • Vishing: voice phishing over a phone call, often impersonating IT support or a bank.
  • Smishing: phishing by text message, frequently fake delivery or bank alerts.
  • Pretexting: inventing a believable scenario (a new vendor, an audit, a locked account) to justify the request.
  • Baiting: dangling something tempting (a free download or a found USB drive) to trigger the click.
  • Business email compromise (BEC): hijacking or spoofing a real business account to redirect a payment.
  • MFA fatigue and adversary-in-the-middle: modern attacks that defeat multi-factor authentication by spamming approval prompts or relaying the login in real time.

The anatomy of a social engineering attack

  1. Reconnaissance: the attacker gathers public details about you. You can see how much your own connection gives away on our Mirror page.
  2. Pretext: they build a believable story that fits those details.
  3. Hook: they make contact with a message engineered to feel personal and safe.
  4. Exploit: you click, reply, approve, or pay, and they get what they came for.
  5. Exit: they cover their tracks and move on, or pivot deeper into the organization.

Social engineering red flags

  • Contact you did not expect, especially if it pressures you to act fast.
  • A request for passwords, one-time codes, or payment; no legitimate organization asks for these by message.
  • A link or attachment you were not anticipating.
  • A sender address or phone number that is close to, but not exactly, the real one.
  • Emotional pressure: fear, excitement, guilt, or a too-good-to-be-true offer.
  • A push to bypass normal process, just this once.
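A small triage helper that scores a message against the red flags above, added here as an example for this page (it is not the site's own tooling). The trusted-domain list, the sender address and the message body are constructed samples; the similarity threshold of 0.85 is an assumption.

```python
import re
from difflib import SequenceMatcher
from typing import List, Optional

# Constructed sample: domains the recipient actually does business with (an assumption).
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.com"}

# Phrases that map to the red flags: pressure to act fast, asking for secrets, bypassing process.
URGENCY = re.compile(r"\b(immediately|within \d+ (hours?|minutes?)|right now|urgent|suspended|final notice)\b", re.I)
SECRETS = re.compile(r"\b(one[- ]time code|verification code|mfa code|password|passcode)\b", re.I)
BYPASS = re.compile(r"\b(just this once|skip the (usual|normal) (process|approval)|keep this between)\b", re.I)

def sender_domain(addr: str) -> str:
    """Extract the bare domain from 'Name <user@domain>' or 'user@domain'."""
    return addr.rsplit("@", 1)[-1].lower().strip("> ")

def lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain closely imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None  # exact match: a real sender, not a lookalike
    best = max(sorted(TRUSTED_DOMAINS), key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= 0.85 else None

def triage(sender: str, body: str) -> List[str]:
    """List the red flags a message trips; an empty list means none of these cues fired."""
    flags = []
    dom = sender_domain(sender)
    imitated = lookalike(dom)
    if imitated:
        flags.append(f"sender domain {dom} resembles trusted {imitated}")
    if URGENCY.search(body):
        flags.append("pressure to act fast")
    if SECRETS.search(body):
        flags.append("asks for a password or one-time code")
    if BYPASS.search(body):
        flags.append("asks to bypass normal process")
    # A link whose host is neither the sender's domain nor a subdomain of it.
    for host in re.findall(r"https?://([^/\s]+)", body):
        if host.lower() != dom and not host.lower().endswith("." + dom):
            flags.append(f"link to {host} does not match sender domain")
    return flags

# Constructed sample message that trips several flags at once.
SAMPLE_SENDER = "IT Support <helpdesk@examp1e-corp.com>"
SAMPLE_BODY = ("Your account will be suspended within 2 hours. Reply with the verification code "
               "we just sent you, or sign in at https://login.examp1e-corp.co to keep access.")

if __name__ == "__main__":
    for flag in triage(SAMPLE_SENDER, SAMPLE_BODY):
        print("red flag:", flag)
```

A real mail filter would add header checks (SPF, DKIM, DMARC results) and a much larger phrase list; the point here is that the human cues on this page can be turned into mechanical checks.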

How to protect yourself

  • Slow down. Urgency is the attacker's favorite tool. Give yourself permission to pause.
  • Verify out of band. Confirm a request using a number or address you already trust, not the one in the message.
  • Never share one-time codes. A real support agent will never ask for your MFA code.
  • Limit what you publish. The less an attacker can learn about you, the weaker their pretext.
  • Report it. Flagging a suspicious message protects everyone around you.

See social engineering in the wild

Every threat level: human briefing takes a real attack apart and shows the human factor at its center:

  • ClickFix: victims are tricked into pasting an attacker's command themselves
  • The Ghostwriter Playbook: credential theft paired with fabricated content
  • MFA Under Siege: vishing and adversary-in-the-middle defeat multi-factor authentication
  • Ghost Stadium: a trusted brand's own infrastructure turned against its fans

Frequently asked questions

// social-engineering --help
What is social engineering?

Social engineering is the manipulation of people into giving up information, access, or money. Instead of attacking technology, the attacker exploits human trust and judgment.

What are the most common types of social engineering?

Phishing, spear phishing, vishing (voice), smishing (text), pretexting, baiting, business email compromise, and MFA-bypass attacks are the most common.

What is the difference between phishing and social engineering?

Phishing is one type of social engineering, specifically fraudulent messages. Social engineering is the broader category that also covers phone calls, in-person tricks, and more.

How can I recognize a social engineering attack?

Watch for unexpected contact, pressure to act fast, requests for passwords or one-time codes, and details that feel oddly personal. When a message feels personal and urgent, slow down and verify it through a channel you already trust.

Can technology stop social engineering?

Tools like spam filters and MFA help, but they cannot fully stop it, because the target is human judgment. The durable defense is a habit of verifying before you act.