What is social engineering?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Imagine you get an email from what looks like your CEO, asking you to wire funds urgently before end of day. The email address looks close enough. The tone sounds right. You're busy. You wire the money. That's social engineering, and it didn't need a single line of malicious code.

Social engineering is manipulation. Instead of hacking a system, someone hacks the human using it. They exploit the same things that make us decent colleagues: trust, helpfulness, respect for authority, and the very human tendency to act fast when something feels urgent.

Email is the favorite playground for social engineering attacks. A few of the most common forms:

  • Phishing means impersonating a trusted entity (your bank, your boss, a vendor) to get you to click something or hand over credentials.
  • Pretexting means building a believable fake story. "I'm from IT, we need your login to reset your account" is pretexting.
  • Baiting offers something tempting, a free download, a prize, inside info, to get you to take an action.
  • Quid pro quo is the "I'll help you with X if you give me Y" move, often dressed up as a support call or vendor offer.

What makes social engineering so effective is that technical controls can't fully stop it. Spam filters, authentication records, and firewalls all help. But a well-crafted email that passes technical checks and lands in front of the right tired, distracted person on a Friday afternoon? That can still work. (And social engineers know to send those on Fridays.)

Defense here is mostly about people, not tools. Training staff to pause before acting, verify requests through a separate channel, and feel safe saying "let me confirm this" is genuinely more protective than most technical fixes. A culture where questioning unusual requests is normal is your best line of defense.

If you want to go deeper, the next step is understanding the psychological tricks that make phishing work so well. Knowing the playbook makes it a lot harder to fall for it.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get tailored social engineering scenarios for your team

I work in [role, e.g. IT manager / small business owner / marketing team] and I'm trying to help my team recognize social engineering in email. Based on my context, give me: 1) The top 3 social engineering scenarios most likely to hit my team, 2) One simple verification habit that would catch most attacks, 3) A short way to explain the difference between a suspicious email and a legitimate one to non-technical staff.

Edit the yellow boxes, then send to the AI of your choice.