What is Social Engineering?
What is social engineering? The attack method that exploits people as the weakest link
Social engineering is among the most effective attack techniques in modern cybercrime. Not because attackers have suddenly become smarter, but because technical security has become strong enough that attackers systematically choose the human side. MFA, a firewall, a patched system: none of them help if an employee approves an MFA push prompt or hands over their own access to someone pretending to be the IT helpdesk.
This article explains what social engineering actually is, the main variants, why it works so well, and what companies can concretely do to make their people resilient.
TL;DR
Social engineering is an attack method where an attacker manipulates people to gain access, information or actions that are normally protected. Phishing, vishing, smishing, CEO fraud and mystery guest attacks are all forms of social engineering. It works because it exploits normal human reflexes such as helpfulness, obedience to authority and time pressure. Defence combines technical controls, realistic social engineering assessments and a reporting culture without shame.
What social engineering actually is
Social engineering does not target systems, it targets people. The attacker uses psychology, research and context to get a target to do something they would not normally do: open an attachment, share a password, approve a payment, let someone into a secure area.
The attacker invests time in gathering information about the target. LinkedIn profiles, company websites, social media, press releases and public documents provide enough context to build a credible scenario. An attack that matches the target role, ongoing project or recent events has a much higher chance of success than a generic attempt.
From the victim perspective, the attack does not feel like an attack. It feels like a logical request within the work context, with a known sender and a plausible reason to act quickly.
The main forms of social engineering
The term social engineering covers a whole family of attacks. Below are the most common variants in a corporate context.
Phishing
The classic. An email that poses as a legitimate sender: the bank, a supplier, an internal service. The goal is usually to steal credentials via a cloned login page, spread malware via an attachment, or trigger a payment. More details in our article what is phishing.
Spear phishing
A targeted phishing variant. The attacker has researched the specific recipient and tailors the message accordingly. Spear phishing has a much higher success rate than mass phishing.
Whaling and CEO fraud
Whaling targets executives or employees with signing authority. CEO fraud is the mirror image and a form of Business Email Compromise (BEC): the attacker poses as the CEO or a board member, from a lookalike domain or a compromised mailbox, to trigger an urgent payment or a change of bank details.
Vishing
Phishing via phone. Someone calls posing as IT helpdesk, accountant, bank or government. Voice contact lowers the trust threshold faster than written communication. Vishing testing is an effective way to prepare organisations for this threat.
Smishing
Phishing via SMS or WhatsApp. Short, urgent messages with a link. Smishing is gaining importance because mobile filtering is weaker and people read their phones with less scrutiny. See also what is smishing.
Pretexting
The attacker builds a fabricated scenario to extract information. For example: someone calls an employee with the story that they are a new accountant who urgently needs data for an audit. Pretexting often occurs in combination with vishing.
Baiting
The attacker offers something attractive: a USB stick left in the parking lot labelled salaries 2026, a free download, a won prize. Whoever takes the bait installs malware or gives access. USB drop tests are part of broader social engineering testing.
Tailgating and mystery guest
Physical social engineering. The attacker follows someone through a secure door, or poses as a supplier, courier or external auditor to gain access to an office. Mystery guest testing simulates these attacks to validate physical controls and human behaviour.
Why social engineering works so well
Social engineering rarely succeeds because employees are careless. It succeeds because attackers exploit normal human behaviour that is actually positive.
Authority: people follow instructions from someone who radiates authority. An email that appears to come from the CEO or IT department gets fewer critical questions.
Helpfulness: employees in service or customer-facing roles want to solve problems quickly. A request that presents itself as urgent is executed faster.
Time pressure: a deadline or a "within 24 hours" pushes people into short-term thinking. They fall back on reflex instead of analysis.
Familiarity: a logo, a known sender domain, a recent project mentioned. Anything recognisable builds trust quickly.
Fear: a threat of sanctions, loss of access or fines makes people act faster than they verify.
The Verizon Data Breach Investigations Report confirms that the human element is involved in the majority of data breaches (between roughly 60 and 75 percent in recent editions). That does not mean people are the problem. It means attackers target people because other attack paths have become too expensive or too risky.
How companies can defend themselves
Effective defence against social engineering is layered. No single measure works alone.
Technical basics in place
- Multi-factor authentication on all accounts, preferably phishing-resistant (FIDO2 security keys or passkeys) and in any case for critical access. Push prompts and one-time codes can be relayed to a cloned login page or approved under pressure in real time; a FIDO2 credential is bound to the genuine site and cannot be replayed from a fake one.
- SPF, DKIM and DMARC for email authentication, with DMARC at an enforcing policy (p=quarantine or p=reject). A DMARC record with p=none only reports; it does not stop spoofed mail from being delivered.
- External-sender banners, so that a spoofed or lookalike "internal" message is visibly marked as coming from outside.
- URL rewriting and time-of-click scanning, because a link can be harmless at delivery time and weaponised afterwards.
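The email-authentication item in the list above is the one most often set up once and never enforced. The following Python script is an added example written for this article, not code from Sectricity or from the original page: it evaluates an SPF record and a DMARC record for the settings that still leave spoofing possible, and goes slightly beyond the list by also checking the SPF 10-lookup limit and the subdomain policy. The records and domain names are constructed placeholders and no DNS lookups are made; in practice you would first fetch the TXT records for `example.com` and `_dmarc.example.com`.

```python
"""Check SPF and DMARC records for settings that leave mail spoofing possible.

Added example for this article (not the page's own code). The records below are
constructed, the domain names are placeholders, and nothing is looked up in DNS.
"""
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps the total at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def evaluate_spf(record):
    """Return a list of findings for one SPF TXT record (None = no record published)."""
    findings = []
    if record is None:
        return ["no SPF record: any host may send mail claiming this domain"]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1: receivers will ignore it"]
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"SPF ends with {last}: every sender passes, the record restricts nothing")
    elif last == "~all":
        findings.append("SPF ends with ~all (softfail): spoofed mail is accepted unless DMARC enforces")
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("SPF has no terminal 'all': unlisted senders get a neutral result")
    lookups = 0
    for term in terms[1:]:
        # strip the qualifier (+ - ~ ?) and keep only the mechanism/modifier name
        mechanism = re.sub(r"^[+\-~?]", "", term.lower()).split(":")[0].split("/")[0].split("=")[0]
        if mechanism in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit is 10): receivers return permerror")
    return findings


def parse_dmarc(record):
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record):
    """Return a list of findings for one DMARC TXT record (None = no record published)."""
    if record is None:
        return ["no DMARC record: SPF/DKIM failures are not enforced and nobody is told about spoofing"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["record does not start with v=DMARC1: receivers will ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: mail that fails DMARC is still delivered (monitoring only)")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail lands in spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"p={policy or '<missing>'}: not a valid policy, receivers treat the record as invalid")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is not applied to 100% of failing mail")
    sub_policy = tags.get("sp", "").lower()
    if sub_policy and DMARC_RANK.get(sub_policy, -1) < DMARC_RANK.get(policy, -1):
        findings.append(f"sp={sub_policy}: subdomains get a weaker policy than the organisational domain")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so spoofing attempts go unseen")
    return findings


def assess_domain(domain, spf_record, dmarc_record):
    """Combine both checks; 'enforcing' is True only when nothing weak was found."""
    findings = evaluate_spf(spf_record) + evaluate_dmarc(dmarc_record)
    return {"domain": domain, "enforcing": not findings, "findings": findings}


# Constructed sample records: a typical "set it up once" state next to a hardened one.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example a mx ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for name, spf, dmarc in (("weak.example", WEAK_SPF, WEAK_DMARC),
                             ("hardened.example", STRONG_SPF, STRONG_DMARC)):
        result = assess_domain(name, spf, dmarc)
        print(f"{result['domain']}: enforcing={result['enforcing']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The weak pair is what a lot of organisations actually publish: a `?all` SPF that lets every sender pass and a `p=none` DMARC record that only watches. Neither stops a spoofed "CEO" email; only the hardened pair does, and the `rua=` address is what tells you how often someone is trying.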
Realistic exercise
Generic awareness training without practical exercise rarely delivers behaviour change. What does work: targeted social engineering assessments that confront employees with scenarios from their own work context, with direct feedback after a test. That can be phishing simulation, vishing testing, mystery guest visits or a combination. The Swishing phishing game is a low-threshold way to exercise large groups in a short time.
Reporting culture without shame
Employees must be able to report a suspicious message without fear of disapproval, even if they already clicked. In companies with a low reporting threshold, an attack is often isolated within minutes. In companies where reporting feels like failure, an attack stays unnoticed.
Processes for high-risk actions
- Every payment instruction that comes in via email must be confirmed through a second channel, using contact details from existing records rather than from the email itself.
- Changes to bank details require phone confirmation on a known number.
- External access requests are only granted via the official procedure, not via an ad-hoc request from someone posing as IT.
Regular repetition
Security awareness is not a project, but a continuous process. Training only works if it is repeated in small doses. Short monthly exercises have more effect than an annual one-hour session.
How to recognise a social engineering attack
A few questions employees can ask before acting:
- Do I expect this email, SMS or call at this moment?
- Does the request really come from the person or institution that is claimed?
- Is pressure being applied to act quickly without a clear reason?
- Is there a request for something outside my normal workflow: money, credentials, access?
- Does this request match how this person or organisation normally communicates?
When in doubt: do not act, do not click, do not reply. Verify through a second channel like a known phone number or a direct conversation with the colleague. And always report, even if you think you did something wrong. The speed of reporting determines the damage.
Social engineering and NIS2
Under NIS2 Article 21, essential and important entities must take appropriate cybersecurity risk-management measures. The article does not name social engineering explicitly, but the measures it lists in paragraph 2, among them basic cyber hygiene practices and cybersecurity training, multi-factor authentication and incident handling, are exactly the controls that counter it. Companies under NIS2 must therefore be able to demonstrate that they have prepared their people for social engineering attacks, not just that they have purchased an awareness module. What counts is evidence of behaviour change and measurable results, not compliance checkboxes.
Frequently asked questions about social engineering
What is social engineering exactly?
Social engineering is an attack method where an attacker manipulates people to gain access, information or actions that are normally protected. It targets human behaviour instead of technical systems. Typical examples include phishing, vishing, smishing, CEO fraud and mystery guest attacks where an attacker physically poses as a legitimate visitor.
What is the difference between social engineering and phishing?
Phishing is a form of social engineering. Social engineering is the broader category that covers all techniques where human behaviour is manipulated. Phishing is specifically the email variant. Other forms include vishing (phone), smishing (SMS), pretexting (invented context), baiting (free USB), tailgating (following through a door) and mystery guest attacks.
What types of social engineering exist?
The most common forms are phishing (email), spear phishing (targeted mail), whaling (CEO fraud), vishing (phone), smishing (SMS and WhatsApp), pretexting (invented role or scenario), baiting (infection via USB or download), tailgating (physically following in), mystery guest (walking in as a visitor) and quid pro quo attacks where the attacker appears to give something in exchange for information.
Why does social engineering work so well?
Social engineering works because it exploits normal human reflexes such as helpfulness, obedience to authority, fear of failure and time pressure. People make decisions under pressure with limited information. A well-executed social engineering attack feels logical within the context, so the recipient sees no red flag. Technical security has become stronger, so attackers shift to the human layer.
How do you recognise a social engineering attack?
Typical signals are time pressure without a clear reason, a request that falls outside your normal workflow, asks for credentials or money transfers, and unexpected contact from someone posing as authority. When in doubt: verify via a second channel such as a known phone number, never via contact details from the suspicious message itself. Reporting is always better than staying silent.
How do you protect a company against social engineering?
Effective defence combines three layers: technical controls such as MFA, DMARC and external-sender banners, realistic social engineering assessments that exercise employees in their own work context, and a reporting culture where doubt can be raised without shame. One-off awareness training without practice has little effect. Repeated exercise plus direct feedback drives behaviour change.
What does NIS2 say about social engineering?
NIS2 Article 21 requires essential and important entities to take cybersecurity risk-management measures, among them cyber hygiene practices and cybersecurity training, multi-factor authentication and incident handling. Social engineering is not named as a standalone obligation; countering it is part of that broader risk management. Companies under NIS2 must be able to demonstrate that they have prepared their people for social engineering attacks.
Related services and resources
Strengthen your defence against social engineering with Sectricity's social engineering assessments, phishing simulation and testing, vishing testing, smishing testing and mystery guest testing. Let employees train with the Swishing phishing game or the Security Awareness Escape Truck. Start with a free security scan to map your risk.