Social engineering is a manipulation technique where attackers use psychological tactics to trick people into revealing confidential information or performing unsafe actions. Unlike technical attacks, social engineering does not target systems but rather the weakness of human behaviour. Attackers exploit trust, authority, urgency or emotional manipulation to influence their victims.
A typical social engineering attack unfolds in stages:
1. Research: The attacker gathers information about the target from social media, LinkedIn, the company website and public directories.
2. Pretext: A convincing cover is created – IT support, manager, delivery person or authority – based on the context.
3. Contact: The attacker makes contact – via email, phone or in person – and plays the prepared role convincingly.
4. Trust: Personal details from the research make the attacker seem credible and trustworthy to the victim.
5. Urgency: "Your account will be locked in 10 minutes!" – time pressure shuts down critical thinking and forces quick action.
6. Exploitation: The victim hands over a password, access or money – without realising they were manipulated.
Example 1 – Pretexting: An attacker calls you and poses as your IT support. They claim there is a security problem with your account and ask you to share your password in order to "verify the system".
Example 2 – Baiting: A USB stick or external hard drive labelled "Salary lists" is left in a public place. A victim finds the stick and plugs it into their computer, installing malware on the system.
Example 3 – Tailgating / Piggybacking: An attacker follows an employee through a company security door by pretending to be one or by carrying a delivery, thereby gaining access to restricted areas.
Social engineering can lead to serious consequences: theft of credentials and confidential information, installation of malware or ransomware on company devices, unauthorised access to sensitive data and systems, financial losses from fraudulent transactions, damage to the company's reputation and loss of customer trust.
1. Be sceptical of unexpected contacts: Always question calls or emails asking for personal information or access credentials – even if the sender seems legitimate.
2. Verify identity: For suspicious calls, hang up and call the number back directly (look it up in official directories) to confirm identity.
3. Never share passwords or PINs: No legitimate company will ever ask you for your password or PIN. These are strictly confidential.
4. Stay informed: Keep up to date with new social engineering tactics and trends. Many organisations offer security training.
5. Protect your information: Don't carelessly share personal information on social media. Restricting your privacy settings can help protect your data.
Choose the correct response in each scenario – test your awareness against social engineering.