Social Engineering in Cybersecurity: the easiest… and most dangerous attack
What is social engineering, and why does it work so well?
Social engineering doesn’t start with code. It starts with people.
An attacker sends a convincing email, calls pretending to be IT support, or even uses an AI-generated fake video. And someone, in the middle of their routine, says “yes”. That’s all it takes.
According to the Verizon DBIR 2025, 60% of breaches originate from human factors.
Not due to a lack of technology, but because someone believed a well-told story.
Why this type of attack dominates 2025
Reports from 2024/2025 show exactly the same pattern:
- Phishing and pretexting remain the attackers’ favourite entry points.
- Vishing attacks grew by 442% at the end of 2024.
- Deepfakes are causing millions in losses.
- The FBI reported $2.77 billion lost solely to BEC attacks.
For a cybercriminal, manipulating someone is cheaper, faster and more effective than breaking through a firewall.
How human psychology is exploited
Criminals act as “amateur psychologists” exploiting predictable cognitive biases. Based on multiple studies and real cases, three main triggers can be identified:
- Fear and urgency: messages threatening to cancel accounts or warning of suspicious activity create anxiety and lead to rushed decisions.
- Authority and trust: we tend to obey authority figures. Attackers exploit this by impersonating CEOs, IT teams or government entities.
- Curiosity and greed: tempting offers, prizes or “interesting” files appeal to the desire for reward and encourage impulsive clicks.
Main Social Engineering Techniques
In this section, we explain the main techniques, how they work, examples, and warning signs. Use the subtitles to navigate quickly.
Phishing and Spear Phishing
How it works: Phishing uses emails or text messages to deceive the victim. The attacker impersonates a trusted contact (bank, supplier, colleague) to request data or direct the victim to a fake website. The email often includes realistic logos and an urgent tone (“update your account immediately”) to encourage a quick click.
Spear phishing is even more dangerous: it personalises the message using the victim’s name, job title, or other data gathered online, making it far more credible.
Warning signs: unexpected messages with urgent tone, slightly altered domains, shortened links, login requests outside the usual platform, or unsolicited attachments.
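Several of these warning signs can be checked mechanically before a message reaches a person. The script below is an added example written for this article, not code from the original post: it scores a message against a constructed allow-list of trusted domains, flags sender or link hosts that imitate them (homoglyph swaps such as `1` for `l`, one- or two-character typosquats, or a trusted name buried in another domain's subdomains), flags shortened links, and counts urgency phrases. The domain lists, phrase list and sample messages are all constructed for the example, and the "registrable domain" helper deliberately ignores multi-part public suffixes such as `co.uk`.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: domains the organisation genuinely corresponds with.
TRUSTED_DOMAINS = {"example-bank.com", "acme-corp.com"}
# Common URL shorteners; a shortened link hides its real destination.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Phrases that signal the urgency trigger discussed above (constructed list).
URGENCY_PHRASES = (
    "immediately", "within 24 hours", "will be suspended",
    "update your account", "verify now", "unusual activity",
)
# Character swaps used to make a domain look like a trusted one.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Undo common homoglyph swaps so 'examp1e-bank' compares equal to 'example-bank'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain this host imitates, or None if trusted or unrelated."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:          # genuine domain or one of its subdomains
        return None
    for trusted in TRUSTED_DOMAINS:
        # Trusted name used as a subdomain of an unrelated registrable domain.
        if host.startswith(trusted + ".") or f".{trusted}." in host:
            return trusted
        if normalise(reg) == normalise(trusted) or edit_distance(reg, trusted) <= 2:
            return trusted
    return None


def assess_message(sender: str, subject: str, body: str) -> dict:
    """Score one e-mail against the warning signs listed in the article."""
    reasons = []
    sender_host = sender.split("@")[-1]
    imitated = lookalike_of(sender_host)
    if imitated:
        reasons.append(f"sender domain {sender_host!r} looks like {imitated!r}")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) in URL_SHORTENERS:
            reasons.append(f"shortened link {url}")
        else:
            target = lookalike_of(host)
            if target:
                reasons.append(f"link host {host!r} looks like {target!r}")
    text = (subject + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    return {"score": len(reasons), "reasons": reasons}


# Constructed sample messages: one legitimate, two with phishing traits.
SAMPLE_MESSAGES = [
    {"sender": "payroll@acme-corp.com", "subject": "March timesheets",
     "body": "Hi all, timesheets are due Friday. Portal: https://hr.acme-corp.com/timesheets"},
    {"sender": "security@examp1e-bank.com", "subject": "Unusual activity on your account",
     "body": "Update your account immediately or it will be suspended: https://bit.ly/3xyzabc"},
    {"sender": "it-support@acme-corp.com.helpdesk-login.net", "subject": "Password expiry",
     "body": "Verify now at https://acme-corp.com.helpdesk-login.net/reset"},
]


def triage(messages=SAMPLE_MESSAGES):
    """Assess each message; callers can route anything with score > 0 for review."""
    return [assess_message(m["sender"], m["subject"], m["body"]) for m in messages]


if __name__ == "__main__":
    for m, result in zip(SAMPLE_MESSAGES, triage()):
        print(m["sender"], "->", result["score"], result["reasons"])
```

The score is deliberately a plain count of independent signals rather than a probability: a single shortened link in an otherwise clean message is worth a second look, while a lookalike sender plus urgency language should be quarantined or routed to the security team. A real deployment would replace the two-label domain helper with a public-suffix list and feed the allow-list from the organisation's actual supplier and partner domains.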
Pretexting (False Pretexts)
How it works: Attackers invent stories and assume identities (IT technician, HR staff, auditor, external partner) to persuade someone to share sensitive information.
According to the Verizon DBIR 2023, this method accounted for more than 50% of social engineering incidents.
Before launching the attack, criminals gather information about the victim and the company (social media, website, articles, organisational charts). They then reach out via email, SMS or phone call, using urgency, authority or scarcity to make the request appear legitimate.
Warning signs: unusual requests (such as reconfiguring systems or unlocking accounts), urgent contact through informal channels, overly detailed questions about procedures or security.
Tailgating and Piggybacking (Physical Access)
How it works: Tailgating occurs when an unauthorised person enters a restricted area by closely following someone who is authorised. As Fortinet explains, the intruder takes advantage of an employee’s courtesy, asking to “hold the door”, carrying boxes, or pretending to be a courier or a new staff member.
The attacker may also ask to “borrow a charger” or “use a computer for just a minute”, installing malware or copying credentials.
Piggybacking is similar, but involves an explicit request:
“I forgot my access card”, “I’m new here — my badge isn’t active yet”, “Can I come in with you?”
Warning signs: individuals without valid identification trying to enter alongside employees, unknown people asking for assistance to access restricted areas, or requests to use corporate devices or USB ports.
How can you protect yourself?
Continuous training and a security-first culture
Regular security training programmes are essential. Phishing, vishing and quishing simulations help employees recognise techniques and respond calmly.
Training must go beyond theory and include realistic scenarios, so that staff learn how to react to emotions such as urgency, pressure or authority.
Multichannel verification and authorisation processes
Companies should implement formal verification processes, especially for sensitive requests:
- Out-of-band verification: confirm password-reset requests or financial transfers through a second channel (for example, calling the manager or validating the request through the official app).
- Help desk policies: require hierarchical approval for MFA changes or for granting high-privilege access.
- Strengthened multi-factor authentication: use MFA with push notifications and numeric codes, and add an extra verification layer (such as contacting the manager or the security team) for reset requests.
Response and Recovery
Even with good practices in place, attacks can still occur. That’s why an incident response plan is indispensable:
- Rapid isolation: block the compromised account or device as soon as suspicion arises.
- Immediate notification: inform the security department or the external specialised partner to initiate the investigation.
- Restoration and review: reset credentials, assess the impact, and review processes to prevent recurrence.
- Transparent communication: inform affected employees and customers, while also complying with applicable legal obligations (such as those required under the GDPR).