Skip to Content
Threats and Attacks

What is social engineering?

Social engineering is the psychological manipulation of a person into handing over information, access or money, instead of the criminal exploiting a technical flaw. The attacker poses as someone trusted, a boss, a supplier, the bank, and uses triggers like urgency, fear and authority. It is the basis of most cyberattacks, from phishing to business email compromise (BEC).

Zamak TechnologiesUpdated on July 10, 2026

How a social engineering attack works

Social engineering does not break into systems: it convinces a person. The attack usually follows four stages, and the most elaborate frauds take weeks of preparation.

1

Reconnaissance

The criminal studies the target on social media, the company website and leaked emails: who has access, how people communicate and who they trust.

2

Rapport and pretext

They take on a trusted identity and build a plausible story, a scenario that justifies the contact and lowers the victim's guard.

3

Exploitation

At the right moment, they pull the psychological trigger, urgency, fear, authority or curiosity, and make the request: a password, a click, a transfer.

4

Exit

With the access or the money in hand, the attacker disappears and covers their tracks. Often the victim only notices days later, once the damage is done.

Source: Verizon (DBIR) and N-able Cyber Encyclopedia.

How to recognize social engineering

  • Artificial urgency: a request that “cannot wait” and pressures you to act without thinking
  • Authority: an order that seems to come from the boss or a figure of power, to discourage questions
  • Fear or threat: “your account will be blocked”, “there will be consequences if you don't act”
  • Too good to be true: a prize, a refund or an offer you were not expecting
  • A request outside the normal process: skipping an approval, changing bank details, making an exception
  • Secrecy: a request not to tell colleagues or follow the usual path
  • A switch of the usual channel: someone who always called now only writes, or a known contact changes email

Types of social engineering

  • Phishing and its variants The most common form: messages that imitate a trusted source by email, SMS (smishing), voice (vishing) or QR code (quishing).
  • Pretexting A fabricated scenario and a relationship built over time. It is the technique behind business email compromise (BEC).
  • Baiting Something enticing, a “lost” USB stick, a free download or a giveaway, that installs malicious software once the victim takes the bait.
  • Quid pro quo The scammer offers help, a fake tech support call, in exchange for access or a password.
  • Tailgating The in-person version: an unauthorized person follows an employee through a secure door, counting on the courtesy of whoever holds it open.

Why social engineering is so dangerous

60%
of data breaches involve a human action (Verizon DBIR 2025)
22%
of breaches start with social engineering (Verizon DBIR 2025)
57%
of social engineering attacks use phishing, the most common form (Verizon DBIR 2025)

Social engineering is dangerous because it attacks what no tool protects on its own: people's trust. According to Verizon (DBIR 2025), 60% of data breaches involve a human action, and 22% start with social engineering. Among those attacks, 57% use phishing and 30% use pretexting, the patient building of trust that sustains BEC. Because there is no virus or attachment for a filter to block, the scam slips past firewalls and antivirus and lands straight in the inbox or on the phone. Once a person is convinced, the attacker walks in using valid credentials, without tripping an alarm, and the whole company is exposed. The damage rarely stops at the amount sent: it adds the access gained, the data exposed and the trust broken with customers and suppliers.

How to protect against social engineering

Because the target is the person, not the machine, defense combines awareness with technology, in the order that reduces risk the most:

  1. Continuous training and simulationThe team learns to recognize the triggers and stops being the weakest link, becoming the first line of defense.
  2. Verify through an independent channelFaced with a request for money, data or access, confirm through an already known number, never by replying to the message itself.
  3. A second identity checkBeyond the password, on email and system access: if a credential is handed over, the second factor still blocks entry.
  4. Processes that do not depend on one personDual approval for payments and changes to bank details, so no one decides alone under pressure.
  5. Managed email security and endpoint defenseThe technical safety net that filters most messages and contains the scam when someone slips.
  6. A culture where questioning is welcomeMake it clear that confirming an urgent request will never be punished, even when it seems to come “from the boss”.

In practice

Social engineering's favorite trigger is haste. Faced with an urgent, unusual request, stopping thirty seconds to confirm through another channel disarms most scams.

How Zamak handles social engineering

Zamak Technologies handles social engineering on both ends: preparing people, with continuous training and simulation, and sustaining the technology behind them, with managed email security, a second identity check and advanced endpoint defense. A good starting point is the phishing simulation, which shows how your team would react to the most common scam, and the Cybersecurity front narrows the gaps that manipulation exploits.

Frequently asked questions about social engineering

What is the difference between social engineering and phishing?
Phishing is the most common form of social engineering, almost always by email. Social engineering is the larger concept, which also includes scams by phone, by message, by QR code and even in person. All phishing is social engineering, but not all social engineering is phishing.
Does antivirus protect against social engineering?
It helps, but it is not enough. The scam deceives the person, not the system: there is no virus or attachment for antivirus to block. Real protection combines training, a second identity check and approval processes.
Why do criminals prefer social engineering?
Because it is usually easier to convince a person than to break a technical defense. With a credential handed over in good faith, the attacker gets in without tripping an alarm. According to Verizon (DBIR 2025), 60% of data breaches involve a human action.
Is my company too small to be a target?
No. Social engineering targets any organization with people and payments, and smaller ones usually have fewer verification processes, which makes them easy targets.
What is pretexting?
It is the building of a false scenario and a relationship of trust over time, before the request. It is the technique behind business email compromise (BEC), in which the criminal poses as an executive or supplier.
Is training the team enough?
It greatly reduces the risk, but no one gets it right every time. Training is one layer; it works together with technology and with processes that do not depend on a single person deciding under pressure.

Related terms

Network and Access
Securing the Use of AI
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake
Vulnerabilities and Security Testing
Vulnerability ManagementPenetration Testing (pentest)Vulnerability ScanningBrute-Force AttackSQL InjectionCross-Site Scripting (XSS)SAST and DAST