What is Social Engineering? The Art of Human Hacking

The biggest security vulnerability isn’t in your computer; it’s in your mind. Learn how attackers use psychology to bypass security and what you can do to stop them.

What is Social Engineering?

Social engineering is the art of manipulating people into performing actions or divulging confidential information. Unlike attacks that rely on technical exploits, social engineering targets human psychology: our natural tendencies to trust, to help, and to react to urgency or authority.

In short, it’s “human hacking.” The attacker’s goal is to trick you into willingly handing over the keys rather than breaking down the door. Because a stolen password or a planted file opens the way for everything that follows, social engineering is often the first step in a larger cyberattack.


The Most Common Social Engineering Attacks

Attackers use a variety of techniques, but most fall into a few common categories. Recognizing them is the first step to defending yourself.

1. Phishing: The Classic Lure

Phishing is the most common form. An attacker sends a fraudulent email, text message (smishing), or voice call (vishing) while posing as a legitimate entity, hoping the victim will share sensitive data, open an attachment, or click a malicious link.

The Telltale Sign

Phishing almost always involves a sense of urgency or fear. “Your account will be locked,” “Suspicious activity detected,” or “Claim your prize now!” are all red flags.

2. Pretexting: Creating a Believable Story

In pretexting, the attacker invents a scenario, or “pretext,” to gain the victim’s trust. They might impersonate a coworker from the IT department, a bank employee, or a government official to justify their request for information.

The Classic Scenario

An attacker calls an employee claiming to be from “IT support” and says, “We’re running a system update and need you to confirm your password so we can migrate your account.” They create a believable context to make an illegitimate request seem normal.

3. Baiting: The Digital Trojan Horse

Baiting relies on human curiosity. The attacker leaves a malware-infected device, like a USB stick, in a public place with a tempting label like “2026 Salaries” or “Confidential.” An employee finds it, plugs it into their work computer out of curiosity, and unknowingly installs malware.

Online, this can take the form of a “free movie download” or “exclusive software” that is actually malware.

4. Quid Pro Quo: Something for Something

This is a simple exchange. The attacker offers a “service” or a “benefit” in exchange for information. A common example is an attacker calling extension after extension at a company, claiming to be from tech support. Eventually they reach someone with a real IT problem and offer to “help”, in exchange for that person’s login credentials.


How to Defend Yourself: The Human Firewall

Since these attacks target people, the best defense is a human one. It’s about building a mindset of healthy skepticism.

  • Slow Down. Social engineering relies on impulsive reactions. If a message feels urgent, take a deep breath and pause. A few seconds of critical thinking can prevent a disaster.
  • Verify Independently. If your “bank” emails you about a problem, don’t click the link. Close the email, open your browser, and go to your bank’s official website yourself to check. If it’s a phone call, hang up and call the official number on the back of your card.
  • Be Suspicious of Unsolicited Help. If someone you don’t know offers to help you with a problem you didn’t report, be extremely wary. Legitimate support rarely works this way.
  • Question the Request. Is it normal for your boss to ask you to buy gift cards via SMS? Would IT really need your password to do their job? If a request seems odd, it probably is.

The Golden Rule

Trust, but verify. It’s okay to be helpful, but it’s essential to confirm the identity and legitimacy of a request before sharing any information or taking any action.
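The “Telltale Sign” and “Verify Independently” advice above can be turned into a small triage check. The script below is an added example written for this article, not code from the original page: it flags the urgency phrases the article lists and, more importantly, links whose visible text names one website while the underlying address points to another, or whose target sits outside the sender’s domain. The sample messages, sender addresses and domains are constructed placeholders; the word list is an assumption you would extend for your own environment, and the two-label “registrable domain” shortcut ignores the public suffix list (it would collapse “bank.co.uk” to “co.uk”), so treat the output as a prompt to verify independently, not as a verdict.

```python
"""Heuristic phishing triage over constructed sample messages (added example)."""
import re
from urllib.parse import urlparse

# Urgency / fear lures of the kind the article lists. Assumed word list;
# extend it for your own environment.
URGENCY_PHRASES = (
    "account will be locked",
    "suspicious activity",
    "claim your prize",
    "within 24 hours",
    "confirm your password",
    "verify immediately",
)

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable(host):
    """Crude 'registrable domain': the last two labels of a hostname.
    Assumption: no public suffix list, so 'bank.co.uk' becomes 'co.uk';
    refine this before relying on it in production."""
    return ".".join(host.lower().split(".")[-2:])


def host_in_text(text):
    """Return the first thing that looks like a hostname in free text, or None."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


def triage(sender, html_body):
    """Score one message. Returns the findings and a verdict.
    Findings are triage hints, not proof of phishing."""
    findings = []
    lower = html_body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lower:
            findings.append(f"urgency lure: '{phrase}'")

    sender_domain = registrable(sender.rsplit("@", 1)[-1])
    link_mismatch = False
    for href, text in ANCHOR_RE.findall(html_body):
        href_host = urlparse(href).hostname
        if not href_host:
            continue
        # 1. The link leaves the sender's domain entirely.
        if registrable(href_host) != sender_domain:
            link_mismatch = True
            findings.append(f"link off-domain: {href_host} (sender is {sender_domain})")
        # 2. The visible link text names one host but the href goes to another.
        shown = host_in_text(text)
        if shown and registrable(shown) != registrable(href_host):
            link_mismatch = True
            findings.append(f"link text shows {shown} but points to {href_host}")

    verdict = "suspicious" if link_mismatch or len(findings) >= 2 else "no strong signal"
    return {"sender": sender, "findings": findings, "verdict": verdict}


# Constructed samples (not real messages); all domains are placeholders.
PHISH = (
    "alerts@examplebank-secure.com",
    '<p>Suspicious activity detected. Your account will be locked within 24 hours. '
    'Sign in here: <a href="http://login.examplebank.verify-now.net/auth">'
    'https://www.examplebank.com/login</a></p>',
)
BENIGN = (
    "statements@examplebank.com",
    '<p>Your monthly statement is ready. '
    '<a href="https://www.examplebank.com/statements">View statements</a></p>',
)

if __name__ == "__main__":
    for sender, body in (PHISH, BENIGN):
        result = triage(sender, body)
        print(f"{sender}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run as-is, the constructed phishing sample produces three urgency hits plus two link findings (off-domain target, and visible text naming examplebank.com while the href goes to verify-now.net), while the benign statement notice produces none. The link checks carry more weight than the word list on purpose: wording is easy for an attacker to vary, but a link that points somewhere other than where it claims is exactly the thing “close the email and go to the official site yourself” protects against.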
