social engineering

A hacker doesn’t need to crack your encryption. They just need to convince one employee to help them.

Social engineering attacks exploit human psychology instead of technical vulnerabilities. While your security team patches software and monitors networks, attackers study your organization chart, LinkedIn profiles, and even your company’s Glassdoor reviews, looking for ways to manipulate the humans behind your defenses.

These attacks work because they target something no firewall can protect: the natural human tendencies to trust, help, and comply with authority.

Traditional hacking targets systems. Social engineering targets people.

The most sophisticated security infrastructure becomes worthless when an employee willingly provides credentials, disables controls, or transfers funds because a convincing attacker asked them to.

Social engineers don’t use mind control. They leverage well-documented cognitive biases that affect everyone:

People comply with perceived authority figures. An email appearing to come from the CEO requesting an urgent wire transfer works because employees are conditioned to follow executive directives without questioning.

Time pressure short-circuits rational analysis. “Your account will be locked in 30 minutes” or “This deal closes today” creates panic that overrides caution.

When someone does something for us, we feel obligated to return the favor. An attacker who “helps” with a fake IT issue may ask for credentials in return.

We assume actions are correct if others are doing them. “Everyone in your department has already updated their credentials” makes compliance feel normal.

We’re more likely to comply with requests from people we like. Attackers build rapport, find common interests, and mirror communication styles to create artificial trust.

The most common attack vector. Fraudulent emails impersonate trusted entities (banks, vendors, colleagues) to steal credentials or deploy malware.

How it works:

1. Attacker researches target organization
2. Creates convincing email mimicking trusted sender
3. Includes malicious link or attachment
4. Victim clicks, providing credentials or installing malware

Real example: In 2020, Twitter employees received calls from attackers posing as internal IT support. The callers directed employees to a phishing site that captured their credentials, leading to the compromise of high-profile accounts including Barack Obama and Elon Musk.

Targeted phishing focused on specific individuals, using personal information to increase credibility.

Key differences from generic phishing:

• References specific projects, colleagues, or recent activities
• Appears to come from known contacts
• Contains accurate organizational details
• Tailored to victim’s role and responsibilities

Spear phishing targeting executives (“whales”) with access to significant funds or sensitive decisions.

Real example: In 2016, FACC, an Austrian aerospace company, lost €50 million when attackers convinced finance staff that the CEO had authorized emergency wire transfers for a confidential acquisition. Both the CEO and CFO were fired.

Phone-based attacks where callers impersonate IT support, executives, government officials, or other trusted entities.

Common pretexts:

• “IT helpdesk calling about a security issue”
• “This is HR verifying your benefits information”
• “Your bank’s fraud department has detected suspicious activity”

Text message attacks leveraging the immediacy and perceived legitimacy of SMS.

Why it’s effective:

• People trust text messages more than email
• Mobile screens hide suspicious URL details
• SMS feels more personal and urgent
• Links can appear as shortened URLs

Creating a fabricated scenario to establish trust before making the actual request.

Example scenario: An attacker calls reception claiming to be from the IT department. They explain they’re troubleshooting an issue affecting several departments and need to verify some information. After building rapport over several calls about “resolving” the fake issue, they request credentials to “complete the fix.”

Using physical or digital “bait” to deliver malware or capture credentials.

Physical baiting: Leaving infected USB drives in parking lots, lobbies, or conference rooms labeled “Payroll” or “Confidential”

Digital baiting: Offering free software, games, or media that contains malware

Gaining physical access by following authorized personnel through secured doors.

How it works: An attacker carrying boxes approaches a badge-protected door just as an employee exits. Social convention makes it awkward to demand credentials from someone who appears to belong, so the employee holds the door.

Attackers sent phishing emails to small groups of RSA employees with the subject “2011 Recruitment Plan” containing a malicious Excel file. One employee retrieved the email from their junk folder and opened it.

Result: Attackers gained access to RSA’s SecurID authentication system, ultimately affecting defense contractors and government agencies using RSA tokens.

Lesson: Technical controls (spam filtering) worked, but human curiosity defeated them.

Attackers used spear phishing emails targeting Sony executives with messages appearing to come from Apple about ID verification.

Result: Massive data breach exposing unreleased films, employee data, executive emails, and confidential business information. Estimated cost: $100+ million.

Lesson: Even tech-savvy organizations are vulnerable to well-crafted social engineering.

Attackers impersonated executives in emails requesting wire transfers to overseas accounts for a supposed acquisition.

Result: $46.7 million stolen. Some funds recovered, but significant losses remained.

Lesson: Email-based wire transfer requests require out-of-band verification regardless of apparent sender.

Train employees to recognize these red flags:

• Sender address doesn’t match claimed identity
• Unusual urgency or time pressure
• Requests for sensitive information or unusual actions
• Grammar and formatting inconsistent with sender’s normal style
• Links that don’t match expected destinations (hover to check)

• Unsolicited contact requesting sensitive information
• Pressure to act immediately
• Resistance to callback verification
• Requests to bypass normal procedures
• Information requests that seem excessive for stated purpose

• Unfamiliar person requesting access or information
• Claimed authority that can’t be verified
• Emotional manipulation (urgency, flattery, intimidation)
• Requests to circumvent security procedures

Technology can’t stop social engineering, but it can reduce attack surface:

Email security:

• Advanced threat detection for phishing
• DMARC, DKIM, SPF for sender verification
• Warning banners for external emails
• Link rewriting and sandboxing

Access controls:

• Multi-factor authentication everywhere
• Principle of least privilege
• Separate credentials for sensitive systems
• Physical access controls and visitor management

Policies that create friction for attackers:

Verification requirements:

• Out-of-band confirmation for wire transfers
• Callback procedures for sensitive requests
• Identity verification for help desk calls
• Visitor check-in and escort policies

Escalation paths:

• Clear procedures for reporting suspicious contacts
• No-retaliation policy for false positives
• Security team contact information readily available

The most critical defense layer:

Effective training includes:

• Recognition of attack techniques
• Psychological awareness (understanding why we’re vulnerable)
• Practical exercises (simulated phishing)
• Clear reporting procedures
• Regular reinforcement (not annual checkbox training)

Measure effectiveness through:

• Phishing simulation click rates
• Suspicious activity reporting rates
• Time to report potential incidents
• Post-incident analysis of successful attacks

Policies and training matter, but culture determines outcomes.

Executives must visibly follow security procedures. When the CEO ignores policies, employees conclude security isn’t actually important.

Celebrate employees who report suspicious activity, even false positives. The employee who reports 10 suspicious emails (including 9 that were legitimate) is protecting the organization. The employee who never reports anything is probably missing real threats.

Employees who fall for attacks should receive support and additional training, not punishment. Fear of blame drives concealment, which extends attacker access and increases damage.

Security awareness isn’t a training event. It’s an ongoing conversation. Regular updates about current threats, recent incidents (anonymized), and emerging techniques keep security top-of-mind.

When attacks succeed (and eventually they will):

1. Contain: Isolate affected systems and accounts
2. Preserve: Don’t delete evidence (logs, emails, files)
3. Report: Notify security team immediately
4. Document: Record timeline and actions taken

• Determine attack scope and affected systems
• Identify how attacker gained initial access
• Assess what information was accessed or stolen
• Document for potential legal proceedings

• Reset affected credentials
• Remediate compromised systems
• Address procedural gaps that enabled attack
• Update training based on lessons learned
• Consider notification obligations (legal, regulatory)

Social engineering attacks succeed because they target human nature, not technology. The same traits that make us good colleagues, like trust, helpfulness, and respect for authority, become vulnerabilities when exploited by skilled attackers.

Defense requires layered approaches: technical controls to reduce attack surface, procedures to verify sensitive requests, training to build recognition skills, and culture to encourage vigilance without creating paranoia.

Your employees will always be your greatest vulnerability. With proper training and culture, they can also become your strongest defense.

Want to experience social engineering attack simulations firsthand? Try our free interactive security exercises and practice identifying threats in realistic scenarios.

Your phone buzzes. A text from your “bank” says suspicious activity was detected on your account. Click here to verify. The link looks legitimate. The message is urgent.

You’re already reaching for the link before you’ve finished reading.

That reaction is exactly why smishing works. SMS phishing succeeds where email fails because we’ve spent years training ourselves to distrust our inboxes. Nobody taught us to be suspicious of texts.

I’ve watched security-conscious people who would never click an email link tap a suspicious SMS without hesitation. The psychology is different:

Texts feel personal. Email comes from companies. Texts come from people you know. When a text arrives, your brain defaults to trust.

There’s no time to think. Email sits in your inbox until you’re ready. A text notification demands immediate attention. You’re responding on instinct, not analysis.

You can’t see where links go. On a phone screen, URLs get truncated. That suspicious domain? Hidden behind ”…” in a tiny font.

Your phone has no defenses. Your email has spam filters, phishing detection, attachment scanning. Your SMS app? Nothing.

“Chase Alert: Unusual activity detected on your account. Verify immediately: chase-verify-security.com”

These messages exploit:

• Trust in bank security alerts
• Fear of financial loss
• Urgency of fraud prevention

“USPS: Your package cannot be delivered. Update delivery preferences: usps-redelivery.net”

Effective because:

• Everyone receives packages
• Delivery issues feel plausible
• Small “redelivery fees” seem reasonable

“Google: Someone is trying to sign into your account. Reply YES if this was you, or click here to secure your account.”

This attack intercepts legitimate login attempts by tricking users into revealing authentication codes.

“Apple Support: Your iCloud is full and backups are failing. Upgrade now to prevent data loss: icloud-upgrade-storage.com”

Targets users’ fear of losing photos and data.

“IRS: You have an outstanding tax obligation. Avoid legal action by paying immediately: irs-payment-portal.com”

Uses authority and fear of government penalties.

Unexpected contact: Legitimate organizations rarely initiate sensitive communications via SMS.

Urgency language: “Immediately,” “urgent,” “within 24 hours” pressure quick action over careful evaluation.

Generic greetings: Your bank knows your name. “Dear Customer” suggests fraud.

Shortened or suspicious URLs: Bit.ly links or domains that don’t match the claimed sender.

Requests for sensitive info: Legitimate organizations don’t ask for passwords, PINs, or full account numbers via text.

Poor grammar or formatting: Professional organizations have professional communications.

Attackers rarely use just one channel. A smishing text might tell you to call a number (leading to vishing). A vishing call might reference a “confirmation text” they’re about to send. The channels reinforce each other.

The difference between them comes down to what makes each channel vulnerable:

• Email phishing gives attackers more space to craft convincing messages, but we’ve learned to be suspicious
• Smishing exploits the trust and urgency built into text messaging
• Vishing adds real-time social pressure that’s almost impossible to resist

If you get suspicious communication on one channel, expect attempts on others.

Never click links in unexpected texts. Navigate directly to services by typing URLs or using apps.

Verify independently. If a text claims to be from your bank, call the number on your card, not any number in the message.

Enable spam filtering. Both iOS and Android offer SMS spam detection. Enable it.

Report smishing. Forward suspicious texts to 7726 (SPAM) to report to carriers.

Don’t respond. Responding (even to say “stop”) confirms your number is active.

Mobile device management (MDM): Implement security policies on company devices including SMS threat detection.

Employee training: Include smishing scenarios in security awareness programs. Mobile threats are undertrained relative to email.

Clear policies: Establish that your organization will never request credentials or sensitive data via SMS.

Reporting mechanisms: Make it easy for employees to report suspicious texts to security teams.

Simulation testing: Include SMS-based simulations in phishing awareness programs where possible.

1. Delete the message
2. Block the sender
3. Report to 7726 (SPAM)

1. Close the page immediately
2. Clear browser data
3. Monitor for unusual activity

1. Change password immediately on the real site
2. Enable 2FA if not already active
3. Contact the real organization’s fraud department
4. Monitor accounts for unauthorized activity
5. Consider identity theft protection if personal information was shared

Smishing attacks increased 700% during 2021-2022 as attackers recognized the opportunity. Contributing factors:

• Mobile-first communication: People increasingly handle sensitive transactions on phones
• Trust gap: Security training focuses on email while mobile threats are undertrained
• Technical limitations: SMS lacks the authentication and filtering infrastructure email has developed
• Pandemic acceleration: Increased reliance on delivery services and mobile banking created new attack surfaces

A 2023 smishing campaign impersonated USPS, UPS, and FedEx simultaneously:

Attack pattern:

1. Text claiming delivery issue
2. Link to credential harvesting page mimicking carrier site
3. Request for “small redelivery fee” ($1.99)
4. Payment form capturing full credit card details

Scale: Millions of texts sent during holiday shipping season

Effectiveness: Higher success rate than equivalent email phishing due to timing (everyone expected packages) and mobile trust dynamics

Lesson: Seasonal context dramatically increases smishing effectiveness. Training should address current attack patterns.

We’ve spent two decades building email security. Spam filters, phishing detection, user training. And it worked. Click rates on phishing emails have dropped.

So attackers moved to SMS, where none of those defenses exist.

The same skepticism you’ve learned to apply to email needs to extend to every channel. That “bank alert” text? Call your bank using the number on your card. That “delivery notification”? Check the tracking on the carrier’s actual website.

It feels paranoid. It’s not. It’s just how we have to operate now.

Build the instincts that catch smishing before you click. Try our interactive security exercises with realistic SMS attack scenarios.

The phone rings. IT support says there’s a security incident on your account. They need your password to reset it and protect your data. The caller sounds professional, maybe a little stressed. Your caller ID shows your company’s actual number.

You give them your password.

I’ve seen this happen to smart, security-aware people. They knew better. In the moment, it didn’t matter. That’s what makes vishing so effective.

Vishing works differently than email phishing. With email, you have time to think, to hover over links, to forward suspicious messages to IT. A phone call strips all of that away.

You can’t pause a conversation. The social pressure to respond immediately is overwhelming. Silence feels awkward. Asking to call back feels rude.

Hanging up feels wrong. We’re conditioned to be polite. Ending a call abruptly triggers social anxiety, even when we’re suspicious.

Voice creates trust. A confident, professional tone establishes credibility in ways text never can. We’re wired to trust voices.

Caller ID lies. That number showing your bank’s real phone number? Spoofed in about 30 seconds with free software. The technology to fake caller ID is trivially available.

“Hi, this is Mike from IT support. We’re seeing some suspicious activity on your account. I need to verify your identity and reset your credentials.”

Attackers use:

• Internal jargon and procedures they’ve researched
• Urgency around “security incidents”
• Request for credentials to “help” you

“This is Chase Bank calling about suspicious activity on your account. To verify your identity, please provide your account number and the last four digits of your Social Security number.”

Attackers create fear of financial loss to override caution.

“This is the IRS. You have unpaid taxes and a warrant will be issued for your arrest unless you pay immediately.”

Uses fear of government authority and legal consequences.

“This is Microsoft Support. We’ve detected a virus on your computer. Let me walk you through the steps to remove it.”

Leads to remote access installation and credential theft.

“Hi, this is Sarah from the CEO’s office. He needs a wire transfer processed urgently for an acquisition. Can you handle this quietly?”

Combines authority pressure with confidentiality to prevent verification.

Unsolicited contact: You didn’t initiate the call, but they claim to have information about you.

Urgency: “Immediate” action required or consequences will follow.

Request for sensitive info: Passwords, account numbers, Social Security numbers, verification codes.

Caller ID mismatch: Even if it shows a legitimate number, caller ID is easily spoofed.

Resistance to verification: Pushback when you suggest calling back through official channels.

Information they shouldn’t have: Partial account details used to establish false credibility.

Vishing exploits several psychological principles:

When someone claims to represent authority (IT, bank, government), we’re conditioned to comply. Attackers leverage this by impersonating authority figures or organizations.

The caller appears to be helping you by alerting you to a problem. This creates pressure to reciprocate by complying with their requests.

Threats about account compromise, legal action, or financial loss activate fear responses that bypass rational evaluation.

“This needs to happen now” prevents careful consideration and verification.

Small initial requests (confirming your name) lead to larger ones (providing your password). Once you’ve started cooperating, stopping feels inconsistent.

Verify independently: Never trust caller-provided callback numbers. Look up official contact information separately.

Take your time: Legitimate organizations don’t require instant decisions. “I’ll call you back” is always appropriate.

Never share credentials: No legitimate organization asks for passwords over the phone. Ever.

Be suspicious of spoofed numbers: Caller ID is not authentication.

When in doubt, hang up: Ending a suspicious call is always the right choice.

Clear policies: Document what information can and cannot be shared over the phone.

Callback procedures: Require verification through known numbers, not numbers provided by callers.

Reporting mechanisms: Make it easy to report suspicious calls to security teams.

Employee training: Include vishing scenarios in security awareness programs.

Caller verification processes: Establish methods for verifying internal callers (callback, known extensions, code words).

Recorded examples: Let employees hear what vishing calls actually sound like.

Practice scenarios: Simulated vishing calls that test response without real consequences.

Verification drills: Practice looking up and using official callback procedures.

Psychological awareness: Understanding why these attacks work helps resist them.

• Normalize questioning callers
• Celebrate employees who verify before acting
• Remove stigma from hanging up on suspicious calls
• Ensure managers model verification behavior

1. Document the call (time, claims made, requested info)
2. Report to IT security
3. Share with colleagues who may receive similar calls

1. Change passwords immediately
2. Enable 2FA if not already active
3. Report to IT security
4. Monitor affected accounts for unauthorized activity

1. Contact your bank immediately
2. Place fraud alerts on credit reports
3. Document everything for potential law enforcement
4. Monitor all accounts for unauthorized transactions

• Analyze attack patterns for organizational targeting
• Identify information attackers had (may indicate prior compromise)
• Determine attack vector (targeted or broad campaign)

• Alert employees about current vishing campaigns
• Provide specific details about attack pretexts
• Reinforce verification procedures

• Update security awareness training with new patterns
• Consider simulated vishing exercises
• Review and strengthen verification procedures

Attackers called Twitter employees claiming to be IT support. Using information gathered from previous research, they convinced employees to provide VPN credentials.

Result: Compromise of high-profile accounts including Barack Obama, Joe Biden, Elon Musk, and Apple, which were used to promote a cryptocurrency scam.

What failed: Employees provided credentials over the phone despite this being against policy.

What would have helped: Established callback verification procedures, stronger culture of challenging callers, training on this specific scenario.

Advances in AI voice synthesis make vishing increasingly dangerous:

• Voice cloning: AI can replicate specific voices from samples
• Real-time adaptation: Systems can respond naturally to questions
• Accent and language: AI eliminates language barriers for global attacks

This means traditional detection methods (accent, awkward phrasing) become less reliable. Verification procedures become even more critical.

Here’s the thing about vishing defense: you can’t rely on detecting the attack. Good vishers sound completely legitimate. The tells you’d look for in email don’t exist in a well-executed phone call.

So stop trying to detect. Instead, verify everything.

“Let me call you back through our main number.” Say it every time someone asks for sensitive information over the phone. IT support, your bank, your CEO’s assistant. Everyone.

Yes, it feels awkward. Yes, legitimate callers might be annoyed. But that momentary awkwardness is nothing compared to explaining how you gave your password to an attacker who sounded exactly like your IT department.

The Twitter hack in 2020? Started with vishing calls to employees. The attackers were good enough to fool people who should have known better. The employees who stopped it weren’t the ones who detected something wrong. They were the ones who verified anyway.

Train your team to verify before they share. Try our interactive security exercises with realistic vishing scenarios.