Social Engineering Attacks

How attackers manipulate people instead of computers, and how to protect yourself

Social engineering is the art of manipulating people into giving up information or access. Instead of breaking into a computer, the attacker works on you, exploiting trust, authority, fear, or helpfulness to get what they want. It is one of the most common ways breaches begin, and no software control can fully prevent it, because the target is a person's decision rather than a system.

If you're familiar with phishing emails and messages, you already know one form. This guide covers the rest.

Phone scams (vishing)

Vishing — voice phishing — is when attackers call you and impersonate someone you'd normally trust.

Common scenarios:

  • "Tech support" calls: "This is Microsoft/Apple. We've detected a virus on your computer." They'll ask you to install remote access software or read them error codes. Microsoft and Apple will never call you unprompted.
  • IRS/tax authority calls: "You owe back taxes and a warrant has been issued for your arrest." The IRS communicates by mail first, never by threatening phone calls.
  • Bank fraud department: "We've detected suspicious activity. Please verify your account number and PIN." Your real bank already has your account number, and no bank employee ever needs your PIN or full online-banking password to investigate fraud.
  • "Your family member is in trouble": "Your grandson was arrested and needs bail money wired immediately." Scammers mine social media for family details.

The tell: Legitimate organizations don't cold-call you demanding immediate action, personal information, or payment via gift cards and wire transfers.

Pretexting

Pretexting is when an attacker invents a scenario (a "pretext") to gain your trust and extract information. Unlike generic phishing, pretexting is targeted and researched.

Examples:

  • Someone calls claiming to be from IT: "We're migrating the email server this weekend. I need your login credentials to ensure your account transfers correctly."
  • An email from your "boss" (spoofed address or compromised account): "I need you to purchase gift cards for a client meeting and send me the codes. I'm in a meeting and can't talk."
  • A "vendor" calls accounting: "Our bank details have changed. Please update the payment information for our next invoice." They've researched the real vendor relationship.
  • Someone posing as a new employee: "Hi, I'm starting in marketing next week and my badge doesn't work yet. Can you hold the door?"

Pretexting works because the story sounds plausible and the attacker has done enough homework to seem legitimate.
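The "boss" email above is the classic business email compromise pretext, and two of its tells are visible in the message headers: an executive's display name on a mailbox outside the company, or a Reply-To that quietly redirects answers elsewhere. The following is an added example, not code from the original page: a stand-alone Python check using only the standard library. The company domain, the executive names, and the three sample messages are all constructed for the demo.

```python
"""Added example (not from the original page): flag common "boss email"
pretexts by inspecting the headers and body of a raw message.
Everything below the imports is an assumption made for the demo."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical organisation: its own mail domains and the people an
# attacker is most likely to impersonate (names are made up).
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"dana whitfield", "sam ortiz"}

# Pressure language on its own is only a weak signal, so it is reported
# separately rather than treated as proof.
PRESSURE_PHRASES = ("gift card", "urgent", "in a meeting", "can't talk", "wire", "right now")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def check_message(raw: str) -> list[str]:
    """Return the reasons a message looks like a pretext; an empty list means no findings."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Display-name spoofing: a known executive's name on an external mailbox.
    if name.strip().lower() in EXECUTIVES and from_domain not in ORG_DOMAINS:
        findings.append(f"display name '{name}' used from external domain {from_domain}")

    # 2. Reply-To redirection: replies would go to a different domain than the sender's.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply_addr) != from_domain:
            findings.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")

    # 3. Urgency and gift-card language, typical of the "I'm in a meeting" story.
    text = body_text(msg).lower()
    hits = [phrase for phrase in PRESSURE_PHRASES if phrase in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail). example.org stands in for a
# freemail or look-alike domain the attacker controls.
SPOOFED = """From: Dana Whitfield <dana.whitfield.ceo@example.org>
To: accounts@example.com
Subject: quick favour
Content-Type: text/plain; charset=utf-8

I'm in a meeting and can't talk. Please buy five gift cards for a client and send me the codes right now.
"""

REDIRECTED = """From: Dana Whitfield <dana@example.com>
Reply-To: d.whitfield@example.net
To: accounts@example.com
Subject: invoice
Content-Type: text/plain

Please update the vendor bank details before the next invoice.
"""

LEGITIMATE = """From: Dana Whitfield <dana@example.com>
To: accounts@example.com
Subject: lunch
Content-Type: text/plain

Team lunch on Friday?
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("redirected", REDIRECTED), ("legitimate", LEGITIMATE)):
        print(label, "->", check_message(sample) or "no findings")
```

The first two checks are the ones worth acting on automatically (for example by stamping an "external sender" banner or quarantining); the phrase match is there to show why urgency alone should only raise suspicion, never decide the verdict. A compromised real account, as the text notes, defeats all three header checks, which is why the out-of-band confirmation in the "How to respond" section still matters.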

Baiting

Baiting uses the promise of something enticing to lure you into a trap.

Physical baiting:

  • USB drives left in parking lots, lobbies, or conference rooms, labeled something tempting like "Salary Data Q4" or "Confidential." Plugging one in can run malware automatically, and some "drives" are really disguised keyboards that type commands the moment they are connected, so turning off autorun is not enough.
  • CDs, SD cards, or external drives "found" in conspicuous places.

Digital baiting:

  • Free software downloads that bundle malware
  • "Free movie/music" downloads that require you to install a special player (which is the malware)
  • Ads for deals that are too good to be true, leading to credential-harvesting sites

The rule: If you find a USB drive you don't recognize, don't plug it in. Give it to IT. If a download seems too convenient, it's probably the bait.

Tailgating and piggybacking

Tailgating is when someone follows an authorized person through a secure door or access point without presenting their own credentials. When the authorized person knowingly lets them in (holding the door for a "colleague"), it is called piggybacking; either way the attacker relies on politeness, because most people will hold the door for someone walking behind them.

How it looks:

  • Someone carrying boxes approaches a badge-access door right behind you: "Hey, could you hold that? My hands are full."
  • A person in a delivery uniform follows an employee through a secure entrance.
  • Someone pretending to be on a phone call walks through a held door without making eye contact.

What to do: It's not rude to ask someone to badge in themselves. If you're in a secure environment, let the door close and ask them to use their own access. If they can't, direct them to reception.

Quid pro quo

Quid pro quo attacks offer something in exchange for information or access.

Common examples:

  • "Free tech support" — an attacker calls offering to fix a problem (that may not exist) in exchange for remote access to your computer
  • "Security surveys" — someone posing as a researcher asks about your company's security practices, software, or IT setup
  • "Prize winnings" — you've won something and just need to provide personal details or a small "processing fee"

If someone you didn't contact offers you unsolicited help or a prize, treat it with suspicion.

How to respond to any social engineering attempt

These rules apply regardless of the specific technique:

  1. Verify independently. If someone claims to be from your bank, IT department, or any organization, hang up and call the official number yourself. Don't use the number they give you.
  2. Never give information to inbound callers. You didn't initiate the contact, so you can't verify who they are. "Let me call you back on the official number" is always the right response.
  3. Slow down. Urgency is a manipulation tool. Any legitimate request can wait for you to verify it. "I need to check with my manager" or "Let me confirm through official channels" are complete sentences.
  4. Watch for emotional pressure. Fear ("your account will be closed"), authority ("this is your CEO"), helpfulness ("I'm just trying to fix this for you"), and urgency ("this needs to happen right now") are all levers attackers pull.
  5. Confirm unusual requests through a second channel. If your boss emails asking you to buy gift cards, walk over to their office or call them. If a vendor emails new bank details, call the vendor at their known number.

Reporting

If you encounter a social engineering attempt:

  • At work: Report it to your IT or security team immediately. Even failed attempts are valuable intelligence — they show attackers are targeting your organization.
  • Phone scams: In the US, report to the FTC at reportfraud.ftc.gov. Block the number on your phone.
  • Phishing emails: Report through your email client's phishing button. See our phishing guide for details.
  • Suspicious physical access: Report it to building security or your office manager.

Don't feel embarrassed if you fell for one. These attacks work because they exploit basic human psychology — trust, helpfulness, and respect for authority. The important thing is to report it so others can be warned.

Short

The golden rules of social engineering defense:

  1. Verify independently — never trust inbound contact, call back on a known official number
  2. Never give sensitive info to someone who contacted you — legitimate organizations don't cold-call for passwords, PINs, or account numbers
  3. Slow down — urgency is a red flag, any real request can survive a verification step

Frequently Asked Questions

What's the difference between phishing and social engineering?

Phishing is one type of social engineering. Social engineering is the broader category — it includes any attack that manipulates people rather than technology. Phishing specifically uses fraudulent messages (email, text, etc.) to trick you. Other social engineering attacks use phone calls, physical access, impersonation, or baiting.

Can social engineering happen to tech-savvy people?

Absolutely. Social engineering targets human psychology, not technical knowledge. Some of the most successful attacks have targeted IT professionals and security researchers. Being aware of the techniques helps, but nobody is immune — which is why verification procedures matter more than confidence.

What should I do if I think I gave information to a scammer?

Act immediately. Change any passwords you shared, from a different device that you trust, and change them everywhere you reused them. If you gave financial details, contact your bank to freeze the account and dispute any transfers. If you installed remote access software, disconnect the machine from the internet and treat it as compromised: the attacker may have left other software behind, so have IT wipe and rebuild it rather than relying on a scan alone. Report the incident to your IT team and relevant authorities. See our compromised account response guide for a full checklist.

Why do companies do social engineering training?

Because technology alone can't stop these attacks. Firewalls and antivirus don't help when an employee hands over their credentials willingly. Regular training helps people recognize the patterns — urgency, authority, unusual requests — before they act on them. One informed employee can stop a breach.

Are social engineering attacks illegal?

Yes. Social engineering attacks that involve fraud, identity theft, unauthorized computer access, or theft are crimes in virtually every jurisdiction. However, prosecution can be difficult because attackers often operate from other countries. Prevention and awareness are more effective than relying on law enforcement after the fact.