What is social engineering?
Social engineering is the psychological manipulation of a person into handing over information, access or money, instead of the criminal exploiting a technical flaw. The attacker poses as someone trusted, a boss, a supplier, the bank, and uses triggers like urgency, fear and authority. It is the basis of most cyberattacks, from phishing to business email compromise (BEC).
How a social engineering attack works
Social engineering does not break into systems: it convinces a person. The attack usually follows four stages, and the most elaborate frauds take weeks of preparation.
Reconnaissance
The criminal studies the target on social media, the company website and leaked emails: who has access, how people communicate and who they trust.
Rapport and pretext
They take on a trusted identity and build a plausible story, a scenario that justifies the contact and lowers the victim's guard.
Exploitation
At the right moment, they pull the psychological trigger, urgency, fear, authority or curiosity, and make the request: a password, a click, a transfer.
Exit
With the access or the money in hand, the attacker disappears and covers their tracks. Often the victim only notices days later, once the damage is done.
Source: Verizon (DBIR) and N-able Cyber Encyclopedia.
How to recognize social engineering
- Artificial urgency: a request that “cannot wait” and pressures you to act without thinking
- Authority: an order that seems to come from the boss or a figure of power, to discourage questions
- Fear or threat: “your account will be blocked”, “there will be consequences if you don't act”
- Too good to be true: a prize, a refund or an offer you were not expecting
- A request outside the normal process: skipping an approval, changing bank details, making an exception
- Secrecy: a request not to tell colleagues or follow the usual path
- A switch of the usual channel: someone who always called now only writes, or a known contact changes email
Types of social engineering
- Phishing and its variants The most common form: messages that imitate a trusted source by email, SMS (smishing), voice (vishing) or QR code (quishing).
- Pretexting A fabricated scenario and a relationship built over time. It is the technique behind business email compromise (BEC).
- Baiting Something enticing, a “lost” USB stick, a free download or a giveaway, that installs malicious software once the victim takes the bait.
- Quid pro quo The scammer offers help, a fake tech support call, in exchange for access or a password.
- Tailgating The in-person version: an unauthorized person follows an employee through a secure door, counting on the courtesy of whoever holds it open.
Why social engineering is so dangerous
Social engineering is dangerous because it attacks what no tool protects on its own: people's trust. According to Verizon (DBIR 2025), 60% of data breaches involve a human action, and 22% start with social engineering. Among those attacks, 57% use phishing and 30% use pretexting, the patient building of trust that sustains BEC. Because there is no virus or attachment for a filter to block, the scam slips past firewalls and antivirus and lands straight in the inbox or on the phone. Once a person is convinced, the attacker walks in using valid credentials, without tripping an alarm, and the whole company is exposed. The damage rarely stops at the amount sent: it adds the access gained, the data exposed and the trust broken with customers and suppliers.
How to protect against social engineering
Because the target is the person, not the machine, defense combines awareness with technology, in the order that reduces risk the most:
- Continuous training and simulationThe team learns to recognize the triggers and stops being the weakest link, becoming the first line of defense.
- Verify through an independent channelFaced with a request for money, data or access, confirm through an already known number, never by replying to the message itself.
- A second identity checkBeyond the password, on email and system access: if a credential is handed over, the second factor still blocks entry.
- Processes that do not depend on one personDual approval for payments and changes to bank details, so no one decides alone under pressure.
- Managed email security and endpoint defenseThe technical safety net that filters most messages and contains the scam when someone slips.
- A culture where questioning is welcomeMake it clear that confirming an urgent request will never be punished, even when it seems to come “from the boss”.
In practice
Social engineering's favorite trigger is haste. Faced with an urgent, unusual request, stopping thirty seconds to confirm through another channel disarms most scams.
How Zamak handles social engineering
Zamak Technologies handles social engineering on both ends: preparing people, with continuous training and simulation, and sustaining the technology behind them, with managed email security, a second identity check and advanced endpoint defense. A good starting point is the phishing simulation, which shows how your team would react to the most common scam, and the Cybersecurity front narrows the gaps that manipulation exploits.