Social Engineering Attacks: Complete Guide
Social engineering bypasses technical controls by exploiting human psychology: trust, helpfulness, fear, and urgency. It is one of the most common initial-access vectors, and technology alone cannot fully defend against it, because the target is the person, not the system.
6 Types of Social Engineering
Phishing
Fake emails or messages impersonating a trusted sender (your IT department, a vendor, a bank) to steal credentials or get you to open malware.
Example
Email from 'IT department' asking you to verify your password via a link.
Defense
Verify through a separate channel. Never click links in unexpected emails; if you need to check your account, open the site from a bookmark or by typing the address yourself. Check that the sender address and any Reply-To address match the organisation they claim to be, and that the visible link text matches where the link actually points.
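The checks above (mismatched From/Reply-To domains, link text that does not match the link target, links to domains outside your organisation, pressure language) can be automated over a raw email. The following is an added example, not code from this page; the two sample messages are constructed for illustration, and TRUSTED_DOMAINS is an assumed placeholder for your own mail domains.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for this example; every address and URL is invented.
SAMPLE_PHISH = """\
From: IT Department <helpdesk@example.com>
Reply-To: IT Department <support@example-helpdesk.net>
Subject: Action required: verify your password within 24 hours
Content-Type: text/html; charset="utf-8"

<p>Your mailbox will be locked unless you verify your password now.</p>
<p><a href="http://example-helpdesk.net/login">https://mail.example.com/verify</a></p>
"""

SAMPLE_LEGIT = """\
From: IT Department <helpdesk@example.com>
Subject: Scheduled maintenance this weekend
Content-Type: text/html; charset="utf-8"

<p>Mail will be briefly unavailable on Saturday. Details:
<a href="https://intranet.example.com/maintenance">https://intranet.example.com/maintenance</a></p>
"""

# Assumption (hypothetical): the organisation's own mail domains.
TRUSTED_DOMAINS = {"example.com"}

# Phrases that create pressure; a short, illustrative list.
URGENCY_WORDS = ("immediately", "within 24 hours", "locked", "suspended", "verify your password")

# Matches <a ... href="...">text</a>; good enough for the simple HTML used here.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def address_domain(header_value):
    """Lower-cased domain of an address header such as From/Reply-To, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def url_host(text):
    """Hostname of a URL-looking string, or '' if the string is not a URL."""
    text = text.strip()
    if "://" not in text and not text.lower().startswith("www."):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def is_trusted(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in one raw (non-multipart) email."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Reply-To pointing somewhere other than the apparent sender.
    from_dom = address_domain(msg.get("From"))
    reply_dom = address_domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")

    # 2. Link text that shows one host while the href goes to another; 3. untrusted targets.
    for href, text in ANCHOR_RE.findall(body):
        target = url_host(href)
        shown = url_host(re.sub(r"<[^>]+>", "", text))
        if shown and target and shown != target:
            findings.append(f"link text shows '{shown}' but points to '{target}'")
        if target and not is_trusted(target):
            findings.append(f"link points to untrusted host '{target}'")

    # 4. Pressure language in subject or body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        findings.append("urgency/pressure language: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(phishing_indicators(sample) or ["no indicators"])
```

Run against the phishing sample this reports four indicators; the maintenance notice reports none. The point is not that these heuristics are complete (attackers register lookalike domains and use plain-text links precisely to pass such checks) but that each one encodes a question a person should ask before clicking.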
Pretexting
Creating a fabricated scenario to extract information. The attacker builds trust through a believable story.
Example
Caller claiming to be from your bank's fraud department, asking to 'verify' your account details.
Defense
Hang up and call back on the number printed on your card/statement.
Baiting
Offering something enticing (a "found" USB drive, a free movie download, a cracked application) that carries malware.
Example
USB drive labeled 'Confidential - Q4 Salaries' left in a parking lot or co-working space.
Defense
Never plug in found USB drives; hand them to IT or security, who can examine them on an isolated machine. Never download software or media from untrusted sources.
Quid Pro Quo
Offering a service in exchange for information. Often impersonates IT support.
Example
'IT support' calls offering to fix a computer problem you didn't report, asks for login credentials.
Defense
Verify IT requests through official channels, using a ticket or contact number you already know. Legitimate IT staff never need your password; they can reset it without it.
Tailgating/Piggybacking
Physically following an authorized person into a restricted area.
Example
Someone carrying boxes asks you to hold the office door open for them.
Defense
Don't hold doors for strangers in secure areas. It's not rude — it's security.
Vishing (Voice Phishing)
Phone-based social engineering using urgency, authority, or emotion.
Example
Call from 'Microsoft support' claiming your computer is sending error reports and they need remote access.
Defense
Microsoft does not make unsolicited support calls. Your bank never calls asking for full credentials, PINs, or one-time codes. When in doubt, hang up and call back on a number you already have.
The Golden Rule
When someone asks for something sensitive, verify through a separate channel before acting.
Email request? Verify by phone. Phone request? Verify by Slack. Slack request? Verify in person or by phone. Never verify through the same channel the request came from, because that channel may be the one that is compromised. Use contact details you already had (the number on your card, the address in the company directory), never a number or link supplied in the request itself: an attacker who wrote the message also chose its "call us back" number.