What Is Social Engineering?
Social engineering is the art of manipulating people rather than systems. Learn how attackers exploit trust, urgency, and authority to bypass even the strongest technical defences.
Social engineering is a category of attack that targets human psychology rather than technical vulnerabilities. Instead of exploiting software flaws, attackers exploit trust, fear, urgency, and authority to manipulate individuals into handing over credentials, granting access, or transferring money.
Why It Works
Humans are wired to be helpful, to respond to authority, and to act quickly under pressure. Attackers study these tendencies and craft scenarios that trigger them. A well-executed social engineering attack can bypass firewalls, antivirus software, and multi-factor authentication in minutes.
Common Techniques
Pretexting involves creating a fabricated scenario to extract information. An attacker might pose as an IT technician needing your password to fix an urgent issue.
Phishing uses deceptive emails or messages that appear to come from trusted sources, directing victims to fake login pages or malicious downloads.
Vishing (voice phishing) uses phone calls, often with spoofed caller IDs, to impersonate banks, government agencies, or internal IT departments.
Baiting leaves infected USB drives in car parks or reception areas, counting on curiosity to do the rest.
The Digital–Physical Connection
Social engineering does not stay in the digital world. A convincing phone call can unlock a building. A fake delivery uniform can bypass a reception desk. Understanding how these attacks cross the physical–digital boundary is essential for any organisation.
How to Protect Yourself
Verify identities through official channels before acting on any request. Slow down when you feel pressured to act urgently. Report suspicious interactions to your security team immediately.
Practical Checklist
- Use an official channel to verify the identity of anyone requesting sensitive information
- Slow down when you feel pressured to act urgently
- Report suspicious interactions to your security team immediately
- Attend security awareness training at least annually