What is Social Engineering?
Social engineering is the art of manipulating people — not machines — into breaking security rules they would normally follow.
Hacking the human, not the computer
Social engineering is any attack that targets people instead of technology. Rather than breaking through a firewall or cracking encryption, the attacker simply persuades a human to open the door for them — to reveal a password, approve a payment, install a program, or let a stranger into a secure area. It's con artistry adapted for the digital age.
Why bother with people? Because they're often the easiest path in. You can spend a fortune on technical defenses, but if an employee can be talked into resetting a password or wiring money, none of it matters. Phishing is the most familiar form of social engineering, but the category is much broader — and the most effective attacks blend several techniques into a single convincing story.
The psychology attackers exploit
Social engineers don't hack systems; they hack predictable human responses. Most attacks lean on a handful of psychological levers: authority (a request that seems to come from the boss or IT), urgency (act now or something bad happens), helpfulness (people want to be cooperative, especially at work), fear (a threat of trouble), and familiarity (the attacker name-drops a colleague or real project). Stack two or three of these together and even a careful person can be rushed into a mistake.
A typical operation starts with reconnaissance — gathering names, job titles, vendors, and routines from your website, social media, and past breaches. The attacker then crafts a pretext: a believable story that gives them a reason to be asking. The "IT helpdesk" calling about a password reset, the "new vendor" sending updated bank details, the "delivery driver" needing the door held. The more homework they've done, the more convincing the story — and AI now makes it cheap to generate flawless, personalized scripts and even cloned voices.
How social engineering shows up
Pretexting
Inventing a believable scenario and false identity — a "vendor," an "auditor," "the new IT contractor" — to justify the request being made.
Vishing & smishing
Social engineering by phone call or text. A fake "fraud department" or "Microsoft support" call is a classic vishing tactic.
Baiting
Leaving a tempting lure — a USB drive in the parking lot, a "free" download — that installs malware when used.
Tailgating & impersonation
Physically following an employee through a secure door, or posing as a delivery person or repair tech to get inside.
Business email compromise
Impersonating an executive or vendor to authorize a fraudulent payment — see BEC.
MFA fatigue
Spamming a victim with login approval prompts until, annoyed or confused, they finally tap "approve" and let the attacker in.
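As an added illustration (not code from the original page), here is one way a defender can spot an MFA-fatigue burst in push-approval audit logs: the sample events, field layout and thresholds are constructed for the example, so adapt them to your identity provider's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample push-MFA events (user, ISO timestamp, result).
# In a real deployment these come from the identity provider's audit log.
SAMPLE_EVENTS = [
    ("alice", "2024-03-01T08:00:05", "approved"),
    ("bob",   "2024-03-01T22:14:01", "denied"),
    ("bob",   "2024-03-01T22:14:40", "timeout"),
    ("bob",   "2024-03-01T22:15:12", "denied"),
    ("bob",   "2024-03-01T22:15:55", "timeout"),
    ("bob",   "2024-03-01T22:16:30", "denied"),
    ("bob",   "2024-03-01T22:17:02", "approved"),
    ("carol", "2024-03-01T09:30:00", "denied"),
    ("carol", "2024-03-01T14:10:00", "approved"),
]


def find_mfa_fatigue(events, window_minutes=10, min_unapproved=3):
    """Flag users who received min_unapproved or more push prompts that were
    denied or timed out inside a window of window_minutes.  The first window
    that crosses the threshold is reported, together with whether an
    'approved' event follows inside it (the likely moment the victim gave in).
    Returns {user: {"unapproved_prompts": n, "approved_after_spam": bool}}."""
    by_user = defaultdict(list)
    for user, ts, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort()  # chronological order so each window starts at an event
        for i, (start, _) in enumerate(evs):
            in_window = [r for t, r in evs[i:] if t - start <= window]
            unapproved = sum(1 for r in in_window if r != "approved")
            if unapproved >= min_unapproved:
                alerts[user] = {
                    "unapproved_prompts": unapproved,
                    "approved_after_spam": "approved" in in_window,
                }
                break
    return alerts


if __name__ == "__main__":
    for user, info in find_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"possible MFA fatigue: {user} {info}")
```

A hit with `approved_after_spam` set is the case worth treating as a likely compromised session rather than just noise.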
Building human defenses
You can't patch a person, but you can build habits and guardrails that make manipulation far less likely to succeed:
- Verify before you act. Any unexpected request involving money, credentials, or access gets confirmed through a known, separate channel — a phone number you already have, not one in the message.
- Write down a callback policy. Make verifying payment and bank-detail changes a mandatory step, so no one has to feel awkward "slowing things down."
- Train regularly and realistically. Short, frequent awareness training beats an annual lecture. Cover phone and in-person tactics, not just email.
- Use phishing-resistant MFA. Passkeys and hardware keys neutralize MFA-fatigue and credential-relay tricks — see MFA.
- Make it safe to say no. Build a culture where questioning an "urgent" request from the boss is rewarded, not punished — that single norm defuses most attacks.
The goal isn't to make your team paranoid — it's to make verification a normal, friction-free habit. Want to know how your people would really respond? Red Hound's penetration testing includes authorized social-engineering assessments that test your defenses without the real-world consequences.
Common questions about social engineering
What is social engineering in simple terms?
Social engineering is when an attacker manipulates a person — through deception, pressure, or persuasion — into doing something that breaks security, like sharing a password, approving a payment, or letting them into a building.
How is social engineering different from phishing?
Phishing is one form of social engineering, delivered by message. Social engineering is the broader category and also includes phone calls (vishing), texts, in-person impersonation, and physical tricks like tailgating into a secured area.
Why does social engineering work so well?
It exploits human instincts — trust in authority, the urge to be helpful, fear, and time pressure — rather than technical flaws. Even security-aware people can be caught off guard by a well-crafted, urgent request.
How can my business defend against social engineering?
Combine regular awareness training with verification habits: confirm sensitive requests through a separate channel, enforce a callback policy for payment changes, require multi-factor authentication, and make it safe for staff to question and report suspicious requests.
Get the free SMB Security Baseline Checklist
A short, plain-English checklist covering the people-and-process controls that blunt social-engineering attacks. Built for small and mid-sized businesses.