Social Engineering: Hacking Humans
Phishing, pretexting, vishing, and why the human layer is the hardest to patch. The psychology behind social engineering and how to defend against it.
Ground Up: Attacker's Playbook
Part 6 of 6
You can patch every server, enable MFA everywhere, deploy the best EDR money can buy, and still get breached. Because the one component you can’t patch is the human sitting at the keyboard.
Social engineering bypasses technical controls entirely. Instead of exploiting a software vulnerability, it exploits human psychology - trust, urgency, authority, fear, curiosity.
Over 80% of breaches involve a human element. This isn’t because people are stupid. It’s because social engineering is specifically designed to exploit how our brains work.
Why Social Engineering Works
Humans have cognitive shortcuts - mental patterns that help us make fast decisions. Social engineers exploit these:
| Principle | How It’s Exploited |
|---|---|
| Authority | “This is the IT department, we need your password for a security update” |
| Urgency | “Your account will be suspended in 24 hours unless you verify now” |
| Scarcity | “Only 3 spots left in this security training - register immediately” |
| Social proof | “Everyone in your department has already completed this form” |
| Reciprocity | “I helped you last week, can you just approve this access request?” |
| Trust | Impersonating a known colleague, vendor, or brand |
| Fear | “Unusual login detected from Russia - verify your identity now” |
These aren’t weaknesses unique to careless people. They’re built into how human decision-making works. Under time pressure, with the right pretext, almost anyone is vulnerable.
The Techniques
Phishing
Mass emails designed to trick recipients into clicking a link or opening an attachment.
Characteristics:
- Sent to many recipients (hundreds to millions)
- Generic pretext (“Your package is delayed,” “Invoice attached”)
- Often poorly written (grammar mistakes, generic greetings)
- Links to credential harvesting pages or malware downloads
Example:
From: security@your-bank.com (actually: security@y0ur-bank.com)
Subject: Urgent: Unusual Account Activity
Dear Customer,
We've detected unusual activity on your account. Please verify
your identity immediately to avoid account suspension.
[Verify Now] → links to attacker's fake login page
What to notice:
- Sender domain is slightly off (y0ur vs your)
- Creates urgency (“immediately,” “suspension”)
- Generic greeting (“Dear Customer” instead of your name)
- Link goes to an unexpected URL
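The four indicators listed above can be checked mechanically on an inbound message before a human ever sees it. The following Python script is an added example, not code from the original post: it parses a raw email, flags a sender domain that imitates a trusted one via digit-for-letter swaps (y0ur vs your), urgency wording, a generic greeting, and a link whose visible URL points at a different host than its real href. The two sample messages and the `TRUSTED_DOMAINS` allow-list are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the organisation legitimately sends from (assumed allow-list for this example).
TRUSTED_DOMAINS = {"your-bank.com"}

# Constructed sample messages modelled on the bank example above; not real mail.
PHISH_EMAIL = """\
From: Your Bank Security <security@y0ur-bank.com>
To: customer@example.org
Subject: Urgent: Unusual Account Activity
Content-Type: text/html

<p>Dear Customer,</p>
<p>We've detected unusual activity on your account. Please verify
your identity immediately to avoid account suspension.</p>
<p><a href="http://verify.example-phish.net/login">https://your-bank.com/verify</a></p>
"""

LEGIT_EMAIL = """\
From: Your Bank <alerts@your-bank.com>
To: customer@example.org
Subject: Your March statement is available
Content-Type: text/html

<p>Hello David,</p>
<p>Your statement is ready.
<a href="https://your-bank.com/statements">https://your-bank.com/statements</a></p>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspension", "suspended", "verify now", "24 hours")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
# Digit-for-letter swaps common in lookalike domains (y0ur -> your).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_domain(msg):
    """Domain part of the From address (the real address, not the display name)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain, trusted):
    """Return the trusted domain `domain` imitates, or None if it is trusted or unrelated."""
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return None
    norm = domain.translate(HOMOGLYPHS)
    for t in trusted:
        brand = t.split(".")[0]
        if norm == t or brand in norm:
            return t
    return None


def body_html(msg):
    payload = msg.get_payload(decode=True) or b""
    return payload.decode("utf-8", "replace")


def link_mismatches(html):
    """Links whose visible text is a URL on a different host than the real href."""
    out = []
    for href, text in LINK_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()
        if re.match(r"https?://", text, re.I):
            shown, real = urlparse(text).hostname, urlparse(href).hostname
            if shown != real:
                out.append((shown, real))
    return out


def analyse(raw, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable phishing indicators found in a raw message."""
    msg = message_from_string(raw)
    findings = []
    dom = sender_domain(msg)
    imitated = lookalike_of(dom, trusted)
    if imitated:
        findings.append(f"sender domain {dom} looks like {imitated}")
    html = body_html(msg)
    text = re.sub(r"<[^>]+>", " ", html).lower()
    subject = msg.get("Subject", "").lower()
    hits = sorted(w for w in URGENCY_WORDS if w in text or w in subject)
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if text.strip().startswith(GENERIC_GREETINGS):
        findings.append("generic greeting instead of the recipient's name")
    for shown, real in link_mismatches(html):
        findings.append(f"link text shows {shown} but points to {real}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, analyse(raw) or ["no indicators"])
```

Each finding on its own is weak evidence (plenty of legitimate mail says “immediately”); the value is in the combination, which is why `analyse` returns every indicator rather than a single verdict, so a gateway rule or triage analyst can weigh them together.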
Spear Phishing
Phishing targeted at a specific person or small group. Uses personal information gathered during reconnaissance.
Much more dangerous than generic phishing because:
- Uses the target’s real name, job title, and context
- References real projects, colleagues, or events
- Comes from a spoofed or compromised trusted contact
- Is grammatically correct and professionally written
Example:
From: sarah.miller@vendor-company.com (compromised account)
Subject: Re: Q4 Budget Reconciliation
Hi David,
Following up on Tuesday's call - I've attached the updated
invoice with the corrected figures. Can you approve and process
by end of week?
Thanks,
Sarah
[Q4_Invoice_Updated.xlsx] → contains malicious macro
David knows Sarah. They had a call Tuesday. The email is well-written and contextually appropriate. The malicious Excel file contains a macro that executes a reverse shell when David clicks “Enable Content.”
This is how the majority of targeted attacks begin.
Business Email Compromise (BEC)
A specific type of spear phishing focused on financial fraud. The attacker impersonates a CEO, CFO, or vendor to authorize fraudulent wire transfers.
Common scenarios:
- CEO fraud: “I need you to wire $50,000 to this account for a confidential acquisition. Don’t discuss with anyone.”
- Vendor fraud: “Our bank details have changed. Please update our payment info to this new account.”
- Attorney impersonation: “I’m handling a confidential legal matter for [CEO]. Wire $100,000 to this escrow account immediately.”
BEC caused over $2.7 billion in losses in 2023 according to the FBI. No malware involved - just a convincing email and a wire transfer.
Vishing (Voice Phishing)
Social engineering over the phone. The attacker calls pretending to be IT support, a bank, a vendor, or law enforcement.
Example scenario:
Attacker: "Hi, this is Mike from IT support. We've detected suspicious
activity on your account and need to verify your credentials
to secure it. Can you confirm your username and password?"
Target: "Sure, it's jsmith and..."
Vishing is effective because:
- Real-time conversation builds trust
- Harder to analyze than an email (no link to inspect)
- Voice creates personal connection and urgency
- People are conditioned to cooperate with “IT support” or “the bank”
Smishing (SMS Phishing)
Phishing via text message:
Your package delivery failed. Reschedule here: https://bit.ly/3xYzAbc
ALERT: Unusual login to your account. If this wasn't you, verify: https://...
SMS feels more personal and urgent than email. People are more likely to click links in texts.
Pretexting
Creating a fabricated scenario (pretext) to extract information or gain access. This is the foundation of all social engineering - the story the attacker tells.
Examples:
| Pretext | Goal |
|---|---|
| “I’m the new employee, I forgot my badge” | Physical access to the building |
| “I’m from the auditing firm doing annual review” | Access to sensitive documents |
| “I’m a journalist writing about your company” | Extract internal information |
| “I’m IT support running emergency maintenance” | Get credentials or system access |
Good pretexts share characteristics:
- Believable role that explains the request
- Urgency that discourages verification
- Authority that makes questioning feel inappropriate
- Enough detail to seem legitimate
Baiting
Leaving something tempting for the target to find:
- USB drops: Leave infected USB drives in parking lots, lobbies, or break rooms labeled “Confidential” or “Salary Data 2026”
- Fake downloads: Offer “free” software, tools, or media that contains malware
- Trojanized apps: Legitimate-looking apps in unofficial stores
Curiosity is a powerful motivator. Studies show 45-98% of dropped USB drives get plugged in (depending on the study and location).
Watering Hole Attacks
Instead of going to the target, the attacker compromises a website the target frequently visits:
- Identify websites the target organization’s employees visit (industry forums, news sites, professional associations)
- Compromise one of those sites
- Insert malicious code that targets visitors
- When employees visit the site, their browsers execute the malicious code
Harder to detect because the attack comes from a legitimate, trusted website.
Real-World Impact
Uber (2022)
An 18-year-old attacker purchased stolen credentials of an Uber employee from the dark web. When MFA blocked the login, the attacker:
- Spammed the employee with MFA push notifications repeatedly
- Contacted the employee on WhatsApp, pretending to be Uber IT
- Said the notifications would stop if they approved the request
- Employee approved the MFA prompt
- Attacker accessed Uber’s internal network
Result: Access to internal systems, Slack, bug bounty dashboard, and cloud infrastructure. Total cost to Uber: immeasurable in reputation and remediation.
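The sequence above (a burst of push prompts, then a single approval) leaves a clear trail in identity-provider logs. As an added example that is not part of the original post, the Python below runs a sliding-window detection over constructed log lines: it raises `push_flood` when one user receives a threshold number of pushes inside the window, and `approved_after_flood` when an approval arrives after a run of denied or timed-out prompts, which is the moment the Uber attack succeeded. The log format, usernames, IPs and timestamps are all made up for the example; a real IdP export would need its own parser.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed identity-provider log lines (users, IPs and timestamps are made up).
AUTH_LOG = """\
2024-03-01T20:00:10Z user=jdoe event=mfa_push result=denied ip=203.0.113.5
2024-03-01T20:00:45Z user=jdoe event=mfa_push result=denied ip=203.0.113.5
2024-03-01T20:01:00Z user=asmith event=mfa_push result=approved ip=198.51.100.7
2024-03-01T20:01:20Z user=jdoe event=mfa_push result=denied ip=203.0.113.5
2024-03-01T20:02:05Z user=jdoe event=mfa_push result=denied ip=203.0.113.5
2024-03-01T20:03:30Z user=jdoe event=mfa_push result=denied ip=203.0.113.5
2024-03-01T20:04:50Z user=jdoe event=mfa_push result=timeout ip=203.0.113.5
2024-03-01T20:07:15Z user=jdoe event=mfa_push result=approved ip=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) event=mfa_push result=(\S+)")


def parse_events(text):
    """Yield (timestamp, user, result) for each MFA push line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1).rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
            yield ts, m.group(2), m.group(3)


def detect_push_fatigue(text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as dicts with user, kind and timestamp.

    'push_flood': the user's count of pushes inside `window` reaches `threshold`.
    'approved_after_flood': an approval arrives while the window still holds at
    least threshold-1 pushes the user did not approve (denied or timed out).
    """
    recent = defaultdict(deque)  # per-user sliding window of (ts, result)
    alerts = []
    for ts, user, result in parse_events(text):
        q = recent[user]
        q.append((ts, result))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append({"user": user, "kind": "push_flood", "at": ts.isoformat()})
        unanswered = sum(1 for _, r in q if r != "approved")
        if result == "approved" and unanswered >= threshold - 1:
            alerts.append({"user": user, "kind": "approved_after_flood", "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_push_fatigue(AUTH_LOG):
        print(alert)
```

The `approved_after_flood` alert is the one worth paging on: the approval itself looks like a normal successful login, so without the preceding context it would never stand out. Number matching or a phishing-resistant factor removes the problem at the source; this detection is for the period before that rollout finishes.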
Twitter (2020)
Attackers called Twitter employees pretending to be from internal IT. They convinced employees to enter credentials on a fake internal VPN page. With those credentials, the attackers:
- Accessed internal admin tools
- Took over high-profile accounts (Obama, Elon Musk, Apple)
- Posted cryptocurrency scam tweets
- Made approximately $120,000 in Bitcoin
The technical security of Twitter’s systems was irrelevant. The attack went through people.
Defense
Technical Controls
| Control | What It Does |
|---|---|
| Email filtering | Blocks known phishing patterns, suspicious attachments, spoofed senders |
| DMARC/SPF/DKIM | Prevents email domain spoofing |
| URL filtering | Blocks known malicious URLs |
| MFA (phishing-resistant) | Hardware keys (FIDO2) prevent real-time phishing proxy attacks |
| Browser isolation | Opens risky links in a sandboxed environment |
| USB port control | Disable USB mass storage on workstations |
Important: Standard MFA (push notifications, SMS codes) can be bypassed by real-time phishing proxies, as covered in the authentication attacks post. Only FIDO2 hardware keys (YubiKey, etc.) are truly phishing-resistant.
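The DMARC/SPF/DKIM row in the table above is only as strong as the records behind it. The Python below is an added example, not code from the original post: it parses a constructed weak SPF/DMARC pair beside a corrected pair and lists the weaknesses, then simulates the DMARC verdict (pass, or the record's `p=` disposition) for a few sender scenarios. The domains and records are made up, alignment is approximated as parent/child domain matching rather than full organizational-domain lookup, and the script does no DNS queries, so it runs offline.

```python
import re

# Constructed DNS TXT records for a hypothetical domain: a weak pair and a corrected pair.
SPF_WEAK = "v=spf1 include:_spf.mailer.example.net ?all"
DMARC_WEAK = "v=DMARC1; p=none"
SPF_STRONG = "v=spf1 include:_spf.mailer.example.net -all"
DMARC_STRONG = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=s; adkim=s"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_all_qualifier(record):
    """Qualifier on the final 'all' mechanism: '+', '-', '~', '?' or None if absent."""
    m = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", record.strip())
    if not m:
        return None
    return m.group(1) or "+"  # a bare 'all' means '+all'


def assess(spf_record, dmarc_record):
    """Return a list of weaknesses in the SPF/DMARC pair (empty means acceptable)."""
    issues = []
    q = spf_all_qualifier(spf_record)
    if q is None:
        issues.append("SPF has no terminating 'all' mechanism")
    elif q in "+?":
        issues.append(f"SPF ends with '{q}all', which lets any host pass")
    elif q == "~":
        issues.append("SPF ends with '~all' (softfail); receivers rarely block on softfail alone")
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        issues.append("DMARC record missing or malformed")
        return issues
    p = tags.get("p", "none")
    if p == "none":
        issues.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        issues.append("DMARC p=quarantine sends spoofed mail to spam rather than rejecting it")
    if "rua" not in tags:
        issues.append("no rua= address, so you receive no aggregate reports")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail")
    return issues


def dmarc_disposition(from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass, dmarc_record):
    """Simplified DMARC verdict: 'pass' if an authenticated identifier aligns with the
    visible From domain, otherwise the record's p= disposition (default 'none').
    Relaxed alignment ('r') is approximated as a parent/child domain match."""
    tags = parse_dmarc(dmarc_record)

    def aligned(domain, mode):
        if not domain:
            return False
        d, f = domain.lower(), from_domain.lower()
        if mode == "s":
            return d == f
        return d == f or d.endswith("." + f) or f.endswith("." + d)

    if spf_pass and aligned(spf_domain, tags.get("aspf", "r")):
        return "pass"
    if dkim_pass and aligned(dkim_domain, tags.get("adkim", "r")):
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    print("weak:", assess(SPF_WEAK, DMARC_WEAK))
    print("strong:", assess(SPF_STRONG, DMARC_STRONG))
    # Exact-domain spoof from attacker infrastructure: rejected only under the strong record.
    print(dmarc_disposition("your-bank.com", "attacker.example.net", True, None, False, DMARC_STRONG))
```

Note what the verdict function shows for a lookalike sender: a message from `y0ur-bank.com` whose SPF passes for `y0ur-bank.com` is aligned with its own From domain and gets `pass`. DMARC stops exact-domain spoofing of your domain; it does nothing about registered lookalikes, which is why the sender-domain check in the phishing section still matters even with `p=reject` in place.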
Process Controls
- Wire transfer verification: Require phone call confirmation for any payment change, using a known number (not one from the email)
- Out-of-band verification: Got a suspicious request via email? Verify via phone or in person
- Approval workflows: No single person should authorize large financial transactions
- Clean desk policy: Don’t leave sensitive information visible
Human Controls
- Security awareness training - Not annual compliance checkbox training. Regular, realistic, engaging training
- Phishing simulations - Send fake phishing emails to employees. Track who clicks. Train those who do. Measure improvement
- Reporting culture - Make it easy and non-punitive to report suspicious emails. “I clicked a link, what do I do?” should get help, not blame
- Healthy skepticism - Encourage questioning unexpected requests, even from apparent authority figures
When You Suspect Social Engineering
1. STOP - Don't click, don't respond, don't provide information
2. VERIFY - Contact the supposed sender through a known channel (not the one they used)
3. REPORT - Forward to your security team or IT
4. DOCUMENT - Note what happened for the security team to investigate
The most important thing: it’s okay to say no, slow down, and verify. No legitimate IT department, bank, or employer will punish you for taking 5 minutes to confirm a request is real.
What’s Next
Module 5 is complete. You’ve seen the full attacker playbook:
- The kill chain - the overall process
- Reconnaissance - gathering intelligence
- Reverse shells - getting interactive access
- Privilege escalation - getting root/admin
- Social engineering - exploiting humans
Now it’s time to flip to defense. Module 6: The Defender’s Playbook covers logging, monitoring, incident response, and hardening - how you detect and respond to everything we’ve covered.
References
- MITRE ATT&CK - Phishing (T1566)
- FBI IC3 - Business Email Compromise
- KnowBe4 - Social Engineering Resources
- Social Engineering: The Science of Human Hacking (Christopher Hadnagy)
The most sophisticated firewall in the world can’t stop an employee from typing their password into a fake login page. Security is a human problem as much as a technical one. Treat it that way.