The most sophisticated security technology can't stop an employee from willingly giving away credentials. Social engineering exploits human psychology, not software vulnerabilities—and it's responsible for the majority of successful cyber attacks.
What is Social Engineering?
Social engineering is the art of manipulating people into divulging confidential information or taking actions that compromise security. Instead of hacking into systems, attackers hack into minds. They exploit trust, fear, curiosity, and helpfulness—all normal human traits.
Common Social Engineering Tactics
Pretexting
The attacker creates a fabricated scenario to engage the victim. "Hi, this is Mike from IT. We're seeing some unusual activity on your account and need to verify your password." The pretext gives them a reason to ask for sensitive information.
Phishing
Mass emails that appear to come from legitimate sources, designed to trick recipients into clicking malicious links or providing credentials. Spear phishing targets specific individuals with personalized messages.
Baiting
Leaving infected USB drives in parking lots, lobbies, or break rooms. Curious employees plug them in to see what's on them—and malware is automatically installed. We've seen this work at Bergen County businesses.
Quid Pro Quo
"I'm doing a survey about your company's software. Complete it and you'll be entered to win a $500 Amazon gift card." The survey asks security questions that help attackers guess passwords or security answers.
Tailgating
Following an authorized person through a secure door. "Hey, can you hold that? My hands are full." Physical security is part of information security.
Vishing
Voice phishing—phone calls from attackers pretending to be tech support, the IRS, or other authorities. Caller ID can be spoofed to show any number they want.
Real-World Examples
CEO Fraud (Business Email Compromise)
An accounts payable employee receives an urgent email that appears to be from the CEO: "I need you to wire $50,000 to this account immediately for a confidential acquisition. Don't tell anyone—I'll explain later." The email address looks right at first glance. The writing style matches. The money is gone in minutes and will never be recovered.
This attack cost businesses $2.7 billion in 2022 alone.
Vendor Impersonation
An attacker compromises a vendor's email and sends an invoice with "updated payment information." Your accounting team pays the invoice, but the money goes to the attacker's account instead of your actual vendor.
Tech Support Scam
A pop-up appears on an employee's screen: "Your computer is infected! Call Microsoft Support immediately at 1-800-XXX-XXXX." The employee calls, gives remote access to the "technician," and now attackers have full access to the computer and network.
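The CEO fraud example above turns on the sender address that "looks right at first glance." As an added illustration (not code from the original article or the firm that wrote it), the Python below shows the kind of automated check a mail filter or help desk could apply to an incoming message before it reaches accounts payable: it flags a display name that matches a known executive but an address that is not theirs, a sender domain that is a near-miss of the company's own, and the urgency language the article describes. The company domain `example-corp.com`, the executive `Jane Doe`, the 0.8 similarity threshold and the sample messages are all constructed for this example.

```python
"""Flag likely executive-impersonation (BEC) email from the From header and body.

Three signals the article describes, checked mechanically:
  1. display-name impersonation: name matches a known executive, address does not;
  2. lookalike domain: sender domain is a near-miss of the company domain;
  3. urgency language: wording meant to make the recipient skip verification.
All domains, names, thresholds and messages below are constructed for illustration.
"""
from difflib import SequenceMatcher
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"            # constructed company domain
EXECUTIVES = {                                  # constructed executive directory
    "jane doe": "jane.doe@example-corp.com",
}
URGENCY_PHRASES = ("immediately", "urgent", "confidential", "don't tell anyone")
LOOKALIKE_THRESHOLD = 0.8                       # assumed cut-off; tune for your domain


def domain_similarity(a: str, b: str) -> float:
    """0.0..1.0 similarity of two domain strings (1.0 means identical)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def analyze_message(from_header: str, body: str) -> list:
    """Return the list of red flags found, in a fixed order (empty list if clean)."""
    display_name, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    flags = []

    # 1. The name says "CEO", but the mailbox is not the CEO's known address.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected is not None and address != expected:
        flags.append("display_name_impersonation")

    # 2. Not our domain, but close enough to be mistaken for it at a glance.
    if domain != COMPANY_DOMAIN and domain_similarity(domain, COMPANY_DOMAIN) >= LOOKALIKE_THRESHOLD:
        flags.append("lookalike_domain")

    # 3. Pressure wording that the article identifies as the attacker's lever.
    lowered = body.lower()
    if any(phrase in lowered for phrase in URGENCY_PHRASES):
        flags.append("urgency_language")

    return flags


def needs_out_of_band_verification(flags: list) -> bool:
    """True when the sender identity itself is suspect: confirm by phone, not by reply."""
    return "display_name_impersonation" in flags or "lookalike_domain" in flags


if __name__ == "__main__":
    # Constructed sample: the article's CEO-fraud scenario with a one-character domain swap.
    sample_from = "Jane Doe <jane.doe@examp1e-corp.com>"
    sample_body = "I need you to wire $50,000 to this account immediately. Don't tell anyone."
    found = analyze_message(sample_from, sample_body)
    print("flags:", found)
    print("verify out of band:", needs_out_of_band_verification(found))
```

The check is deliberately narrow: it does not try to prove a message is fraudulent, only to route suspect requests into the out-of-band verification step described under "Verification Procedures." A genuine message from the real executive address with no urgency wording produces no flags, so the workflow stays unchanged for normal traffic.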
Why Social Engineering Works
These attacks exploit fundamental human tendencies:
- Authority — We tend to comply with requests from authority figures
- Urgency — Time pressure makes us skip verification steps
- Fear — Threats of consequences override rational thinking
- Helpfulness — We want to be helpful, even to strangers
- Trust — We assume people are who they claim to be
How to Protect Your Business
Security Awareness Training
Regular training reduces successful social engineering attacks by up to 75%. Employees need to understand the tactics attackers use and practice identifying them.
Verification Procedures
Establish procedures that require out-of-band verification for sensitive requests. If the CEO emails asking for a wire transfer, call them on their known phone number to confirm. Never verify through the same channel as the request.
Simulated Attacks
Test your employees with simulated phishing emails and social engineering calls. You'll learn who's vulnerable and can provide targeted training.
Clear Policies
Create and enforce policies about what information can be shared, how to verify identities, and how to handle suspicious requests. Make it okay for employees to say "I need to verify this before proceeding."
What to Do When Targeted
- Stay calm—attackers rely on triggering emotional responses
- Never provide sensitive information based on an unsolicited contact
- Verify the request through a different channel
- Report the attempt to your IT department or security team
- If you think you've been compromised, report immediately
