Social Engineering: The Human Side of Hacking
Hackers don't always use code — sometimes a phone call is all it takes. Learn the manipulation tactics scammers use and how to shut them down cold.
Social Engineering by the Numbers
A dental office receptionist gets a call from "Microsoft Support" saying their server has been flagged for suspicious activity. The caller sounds professional, uses the right technical terms, and even knows the office's software vendor. He walks the receptionist through granting remote access "to run a diagnostic." Within eight minutes, the attacker has access to 3,200 patient records and installs ransomware that locks every workstation in the office.
Microsoft will never call you. Neither will the IRS, your bank, or your software vendor — unless you called them first.
6 Social Engineering Tactics Hackers Use
These aren't theoretical — they're used in real attacks every day.
Pretexting
Creating a fabricated scenario to steal information. "Hi, I'm from IT — I need to verify your login credentials to fix the server issue."
Baiting
Leaving infected USB drives in parking lots, offering free downloads, or dangling "exclusive" content. Curiosity kills security.
Quid Pro Quo
"I'll give you free tech support if you install this remote access tool." The attacker offers something of value in exchange for access.
Tailgating
Physically following an authorized person through a secured door. "Can you hold the door? My badge isn't working."
Watering Hole
Compromising a website frequently visited by the target group. If you can't phish a security team directly, infect the blog they all read.
Authority Impersonation
"This is the CEO — I need you to wire $50K immediately." Impersonating executives or law enforcement to bypass normal procedures.
Real-World Social Engineering Attacks
Twitter (2020)
A teenager called Twitter employees pretending to be IT. He gained access to internal tools and hijacked the accounts of Obama, Elon Musk, and Apple — netting $120K in Bitcoin.
MGM Resorts (2023)
Hackers called the IT help desk, impersonated an employee using LinkedIn info, and got a password reset. Total damage: $100M in losses and 10 days of outages.
Ubiquiti Networks (2015)
Attackers impersonated executives via email and convinced finance staff to wire $46.7 million to overseas accounts.
RSA Security (2011)
An Excel file titled "2011 Recruitment Plan" was emailed to RSA employees. One person opened it, installing a backdoor that compromised SecurID tokens — affecting 40 million users.
How to Defend Against Social Engineering
Build a Verification Culture
Normalize verifying requests through a second channel. "I got your email about the wire transfer — let me call you back on your known number to confirm."
Security Awareness Training
Regular simulated phishing tests and social engineering exercises. People who've seen the tactics are far harder to manipulate.
Zero-Trust Access Controls
No single person should be able to approve large transactions or access sensitive systems alone. Require dual authorization.
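The two controls above (call back on a number you already have on file, and require two approvers above a threshold) are easy to state and easy to skip under pressure, so they work best when enforced by the approval workflow itself. The following is an added example, not code from the original page: a minimal payment-approval model in Python in which a request cannot proceed until the callback went to the directory number (not the number the request supplied), the requester cannot approve their own transfer, and amounts above an assumed $10,000 threshold need two distinct approvers. The directory entries, addresses and threshold are constructed for illustration.

```python
"""Added example (not from the original page): a minimal approval workflow that
enforces callback verification on a known number and dual authorization for
large transfers. All names, thresholds and directory entries are constructed."""
from dataclasses import dataclass, field

# Constructed internal directory: requester -> phone number on file.
# The callback must go to THIS number, never to one supplied in the request.
KNOWN_CONTACTS = {
    "cfo@example.com": "+1-555-0100",
}

DUAL_AUTH_THRESHOLD = 10_000  # assumed policy: two approvers above this amount


@dataclass
class TransferRequest:
    requester: str          # claimed sender of the request
    amount: float
    callback_number: str    # number the request asks you to call (untrusted)
    approvals: set = field(default_factory=set)
    verified_out_of_band: bool = False


def verify_by_callback(req: TransferRequest, number_dialed: str) -> bool:
    """Mark the request verified only if the callback went to the directory number."""
    on_file = KNOWN_CONTACTS.get(req.requester)
    if on_file is None or number_dialed != on_file:
        req.verified_out_of_band = False
        return False
    req.verified_out_of_band = True
    return True


def approve(req: TransferRequest, approver: str) -> None:
    """Record one approval; the requester may not approve their own transfer."""
    if approver == req.requester:
        raise ValueError("requester cannot approve their own transfer")
    req.approvals.add(approver)


def may_execute(req: TransferRequest) -> tuple[bool, str]:
    """Decide whether the transfer may proceed, and say why not if it may not."""
    if not req.verified_out_of_band:
        return False, "not verified via callback to the number on file"
    required = 2 if req.amount > DUAL_AUTH_THRESHOLD else 1
    if len(req.approvals) < required:
        return False, f"needs {required} approver(s), has {len(req.approvals)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: an urgent request that supplies its own callback number.
    req = TransferRequest("cfo@example.com", 50_000, "+1-555-0199")
    verify_by_callback(req, req.callback_number)   # dialing the supplied number proves nothing
    print(may_execute(req))
    verify_by_callback(req, KNOWN_CONTACTS["cfo@example.com"])
    approve(req, "controller@example.com")
    print(may_execute(req))                        # still needs a second approver
    approve(req, "treasurer@example.com")
    print(may_execute(req))
```

The important design choice is that `verify_by_callback` compares against the directory, so a request that helpfully includes "call me back at this number" gains nothing from that number; the check only passes when the approver dials the contact already on file.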
Technical Safeguards
Email filtering, endpoint detection, USB device controls, and physical access badges catch the obvious attempts.
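Email filtering catches the executive-impersonation pattern described earlier on this page (a familiar display name, an outside sender address, a Reply-To that points somewhere else, and urgent payment language). The following is an added example written for this page, not code from the original, using only the Python standard library: it parses a message, checks the display name against a constructed executive directory, compares the From and Reply-To domains, and flags urgent payment wording. The domains, names and both sample messages are constructed.

```python
"""Added example (not from the original page): a small mail-filter heuristic for
executive impersonation. Names, domains and sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumed: the organization's own mail domain
# Constructed directory of executives whose names are likely to be borrowed.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

URGENCY_WORDS = ("immediately", "urgent", "right now", "asap")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw: str) -> list[str]:
    """Return the impersonation indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # A known executive's name on a message from an address that is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append(f"display name '{name}' but sender is {addr}")
    # Replies silently redirected to a different domain.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(
            f"Reply-To domain {domain_of(reply_to)} differs from From domain {domain_of(addr)}"
        )
    # Urgency combined with a payment instruction.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(w in text for w in URGENCY_WORDS) and ("wire" in text or "gift card" in text):
        findings.append("urgent payment language")
    return findings


# Constructed sample messages.
SUSPICIOUS = """From: Jane Doe <jane.doe@gmail-lookalike.example>
Reply-To: Jane Doe <ceo-office@mailer.example>
To: payables@example.com
Subject: Urgent wire needed

I'm in a meeting, need you to wire $50K immediately. Will explain later.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: payables@example.com
Subject: Q3 budget review

Please send me the updated spreadsheet when you have a moment.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, score_message(raw))
```

A filter like this is a triage aid, not a verdict: each finding is one more reason to route the message to a human who then applies the callback rule above, and a message with no findings still gets no exemption from that rule.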
Incident Response Plan
When someone falls for a social engineering attack, speed matters. Have a clear plan: who to contact, how to contain, how to preserve evidence.
Limit Public Information
The less personal info available online, the harder it is for attackers to craft convincing pretexts. Audit your LinkedIn and social media.
How Vulnerable Are You to Social Engineering?
Social engineering exploits human nature — but training and awareness dramatically reduce risk. Let us assess your exposure and build your defense.
Your Checklist
Print this page or screenshot it. Do one step today — you'll be ahead of 90% of people.
- If someone asks for sensitive info, hang up and call back on a number you trust
- Never share passwords, MFA codes, or PINs — real companies will never ask for these
- Be suspicious of urgency — scammers create pressure so you don't have time to think
- Don't let anyone remote into your computer unless you contacted them first
- Verify unexpected requests through a separate channel (call, text, in person)
- Talk to your family — kids and elderly relatives are the most common targets
- If something feels off, trust your gut and stop the conversation
- Report scam attempts to the FTC at ReportFraud.ftc.gov
Social Engineering FAQ
No. Technology can filter obvious phishing and block malware, but social engineering targets human psychology, not software. The most effective defense combines technical controls with security awareness training and verification procedures.
Social engineering exploits universal human traits — trust, helpfulness, fear of authority, and urgency. Intelligence doesn't protect against these. Experts are sometimes more vulnerable because they're confident they can't be fooled.
Don't engage further. Report to your IT team or security provider immediately. If money was lost, contact your bank and file a report with the FBI's IC3 (ic3.gov) or local law enforcement.
Phishing is one type of social engineering. Social engineering is the broader category that includes pretexting, baiting, tailgating, and impersonation — any technique that manipulates people into giving up access or information.
Still Have Questions? We're Happy to Chat.
Book a free 15-minute call with our team. No sales pitch, no jargon — just straight answers about staying safe online.
