anavem.
Back to Glossary
S

Social Engineering

Social engineering is a manipulation technique that exploits human psychology to trick individuals into revealing information, granting access, or performing actions that compromise security.

What is social engineering?

Social engineering is a class of attacks that targets people rather than systems. Instead of exploiting technical vulnerabilities, attackers exploit trust, fear, urgency, authority, or curiosity to influence victims into making security mistakes. It is one of the most effective attack methods because humans are often the weakest link in security chains.

Why social engineering matters

Social engineering is dangerous because it:

  • Bypasses technical security controls
  • Scales easily with low cost
  • Enables initial access to otherwise well-secured systems
  • Is difficult to detect with traditional security tools
  • Frequently leads to credential theft, malware delivery, or data breaches

Many major incidents begin with a single successful social engineering interaction.

Common social engineering techniques

Attackers use a wide range of tactics, including:

1) Phishing

  • Deceptive emails or messages impersonating trusted entities

2) Spear phishing

  • Highly targeted messages tailored to specific individuals or roles

3) Vishing

  • Voice calls impersonating IT support, banks, or executives

4) Smishing

  • Fraudulent SMS or messaging app attacks

5) Pretexting

  • Creating a believable scenario to extract information

6) Baiting

  • Luring victims with fake offers, downloads, or physical devices (e.g., USB drops)

7) Impersonation

  • Pretending to be an employee, vendor, or authority figure

Psychological principles exploited

Social engineering attacks often rely on:

  • Urgency ("Act now or your account will be locked")
  • Authority ("This is IT / management")
  • Trust and familiarity
  • Fear or anxiety
  • Reciprocity ("I helped you - now help me")

Understanding these principles is key to defense.

Social engineering vs phishing

Phishing is a subset of social engineering:

  • Social engineering: the broader manipulation strategy
  • Phishing: a specific delivery method (email, SMS, etc.)

Not all social engineering involves digital communication.

Social engineering in enterprise environments

In organizations, social engineering commonly targets:

  • Help desks and support teams
  • Executives and finance staff
  • New employees
  • Remote and hybrid workers
  • Third-party vendors and contractors

Attackers often chain social engineering with technical exploits.

Defending against social engineering

Effective defenses include:

  • User awareness and realistic training
  • Clear verification procedures (especially for help desks)
  • MFA and phishing-resistant authentication
  • Least-privilege access controls
  • Strong identity monitoring and alerting
  • Encouraging a "verify, don't trust" culture

Technology helps, but process and culture are critical.

Common misconceptions

  • "Smart people don't fall for social engineering"
  • "Training once is enough"
  • "MFA eliminates social engineering risk"
  • "Only emails are used for social engineering"