Social engineering is the art of manipulating people into taking actions or divulging information. It is one of the dominant initial-access vectors in cybercrime precisely because it targets the person rather than the system: the attacker does not break a technical control, they persuade an authorised user to act on their behalf. You can have the best firewall in the world and still be compromised by a well-crafted phone call.
Why Social Engineering Works
Humans are wired with cognitive shortcuts that criminals exploit. Authority: we're conditioned to comply with requests from authority figures (police, government, managers, the IT department). Urgency: threatened consequences make us act before we think. Reciprocity: we feel obligated to return favours. Social proof: we look to others to determine correct behaviour. Almost every successful social engineering attack leans on one or more of these, usually in combination (an "urgent" request from an "authority").
Common Social Engineering Techniques
Phishing: Mass emails impersonating trusted organisations, designed to steal credentials or deliver malware.
Spear phishing: Targeted phishing that uses specific personal details (your name, employer, recent transactions) to create a convincing personalised attack.
Vishing (voice phishing): Phone calls impersonating banks, government agencies or IT support. Very effective because voice communication triggers more trust than email.
Pretexting: Creating a fabricated scenario to extract information. "I'm from IT and I need to verify your account: can I confirm your password?" A legitimate IT department never needs your password, so the request itself is the tell.
Baiting: A USB drive labelled "Company Salary Information" left in a car park. Curiosity compels someone to plug it in, and the drive delivers malware or acts as a keyboard that types commands.
The Defence Is Awareness
Technical controls limit what a successful deception can achieve, but they cannot stop a person from being deceived. The defence against social engineering is knowing it exists and applying a consistent scepticism: verify before you act, through a channel the attacker does not control. If someone calling claims to be from your bank, hang up and call the number printed on your card or on the bank's official website, never a number the caller gives you. If someone emailing claims to be your CEO requesting an urgent wire transfer, call them directly on a number you already have to confirm; do not reply to the email or use contact details it contains.
The single most protective mental habit: slow down when feeling rushed. Urgency is the attacker's friend. Deliberate consideration is yours.