100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

Social Engineering

BeginnerConcept6.1K learners

Social engineering is the use of psychological manipulation to trick people into divulging confidential information, granting access, or performing actions that compromise security.

Definition

Social engineering is the use of psychological manipulation to trick people into divulging confidential information, granting access, or performing actions that compromise security.

Overview

Unlike attacks that exploit technical vulnerabilities, social engineering exploits human trust, urgency, authority, and fear. Attackers research a target, craft a believable pretext, and manipulate a person — often an employee — into an action such as clicking a malicious link, revealing a password, or approving a fraudulent payment. Because it targets people rather than systems, social engineering can bypass even strong technical defenses. Common techniques include phishing (fraudulent emails or messages impersonating a trusted source), pretexting (fabricating a scenario to extract information, such as posing as IT support), baiting (leaving infected USB drives or offering fake downloads), and tailgating (physically following an authorized person into a secure area). Business email compromise, where an attacker impersonates an executive to authorize a wire transfer, is one of the costliest forms of social engineering seen by organizations. Because people are the weakest link in most security programs, awareness training, Multi-Factor Authentication (MFA) to blunt stolen credentials, verification procedures for sensitive requests, and a culture that encourages reporting suspicious contact are the primary defenses — themes explored in Governance, Compliance & Career Readiness.

Key Concepts

  • Manipulates human psychology rather than exploiting technical flaws
  • Common forms: phishing, pretexting, baiting, and tailgating
  • Often the first step in a larger multi-stage attack
  • Business email compromise (BEC) is a especially costly variant
  • Effective even against organizations with strong technical controls
  • Mitigated primarily through awareness training and verification procedures

Use Cases

Phishing campaigns designed to harvest employee credentials
Pretexting calls impersonating IT support to reset a password
Tailgating into restricted office areas by following an employee
Business email compromise targeting finance teams for fraudulent wire transfers
Physical baiting with infected USB drives left in office parking lots
Red team engagements that test employee response to simulated social engineering

Frequently Asked Questions