Social Engineering
Recognize manipulation before you comply.
What Is Social Engineering?
Social engineering bypasses every technical security control by targeting the human layer directly. According to Verizon's Data Breach Investigations Report, the human element is involved in 68% of breaches, making manipulation-based attacks the most persistent threat organizations face.

In this simulation, you receive a phone call from someone who sounds credible, professional, and prepared with details about your company. The caller uses pretexting to establish a believable scenario. They may claim to be from IT support performing an emergency audit, a vendor needing to verify account details, or a new executive assistant confirming sensitive information on behalf of leadership. They already know your department, your manager's name, and recent projects, all harvested from public sources like LinkedIn and company press releases.

You will practice holding your ground when the caller escalates pressure using authority, reciprocity, and artificial urgency. The simulation teaches you how to redirect verification through official channels without creating an adversarial interaction. This is critical because real social engineers count on employees being too polite to push back. You will also learn to recognize when a conversation shifts from normal business communication into information extraction, a transition that happens gradually and is easy to miss if you are not trained to spot it. The exercise covers callback verification, out-of-band authentication, and the specific phrases social engineers use to discourage you from checking their story.
What You'll Learn in Social Engineering
- Identify pretexting, authority impersonation, and urgency manipulation during live phone and in-person interactions
- Apply callback verification and out-of-band authentication to confirm caller identity through official company directories
- Recognize the transition point where a normal business conversation shifts into covert information extraction
- Decline information requests firmly and professionally without damaging legitimate business relationships
- Explain how attackers use publicly available OSINT data from LinkedIn, press releases, and social media to build convincing pretexts
Social Engineering — Training Steps
- Introduction: It's a typical Tuesday afternoon, and Alice is working on a critical project deadline.
- The Unexpected Call: Alice's mobile phone rings unexpectedly. The caller ID shows 'IT Support - Internal'. Since Alice recognizes this as potentially being from her company's IT department, she decides to answer the call.
- The Convincing Introduction: Alice feels concerned about the potential security issue and wants to help resolve it quickly.
- The Information Gathering: Alice, feeling pressured by the urgency and trusting that this is legitimate IT support, begins to consider providing the requested information.
- Escalating the Request: Alice feels she has no choice but to comply since her account might be compromised.
- The Malicious Website: Alice notices the website looks similar to her company's login page, though something feels off about the URL.
- The Access Attempt: Bob has successfully captured Alice's credentials and is now attempting to get her to download malware disguised as a security tool.
- Checking the Email: After the call, Alice opens her email client to check for the promised message. In her inbox, she notices an email from 'IT Support' with the subject line 'Urgent: Security diagnostic tool.'
- The Realization: As Alice hangs up the phone, memories from the company's recent cybersecurity training flood back. She remembers the instructor specifically warning about attackers who impersonate IT support, create false urgency, and try to get employees to download malicious software.
- Immediate Security Response: Alice immediately takes action to minimize potential damage from the attack. She knows that she has already provided her credentials to the malicious website, which means her account could be compromised. Looking back at the browser, she notices the URL was using HTTP instead of HTTPS - a clear red flag she missed under pressure. She also makes a mental note of all the information she provided during the call: her employee ID, last four digits of her SSN, and her login credentials.