Key Terms
Social Engineering
Manipulating people — rather than systems — into revealing sensitive information or granting access by exploiting trust, authority, and psychological pressure.
Phishing
Fraudulent emails that impersonate a trusted source — a bank, an IT department, a colleague — to trick recipients into clicking links, entering credentials, or running malware.
Pretexting
Constructing a fabricated scenario — a pretext — to establish credibility and extract access or information from a target. Often involves extensive OSINT preparation.
Vishing
Voice-based social engineering conducted over the phone. The attacker impersonates IT support, a bank, or law enforcement to manipulate the target in real time.

What is social engineering?

Social engineering is the art of manipulating people into performing actions or divulging information that benefits an attacker — without ever touching a technical vulnerability. It exploits human psychology rather than software flaws, which makes it one of the most effective and cheapest attack methods available. The strongest, most patched, most monitored network in the world can be bypassed with a single phone call to the right employee.

The Verizon Data Breach Investigations Report 2022 found that 82% of breaches involve a human element — an employee clicking a phishing link, an IT help desk resetting credentials without verifying identity, a contractor plugging in a found USB drive. No CVE required. No exploit required. Just a convincing story and a compliant target.

For ethical hackers and penetration testers, social engineering is a critical skill. Authorised phishing simulations and vishing campaigns form a key component of a complete security assessment, testing not just technical controls but the human layer that technical controls cannot protect.

Why social engineering works

Social engineering succeeds because it exploits psychological principles that are features of functional workplaces — not bugs of human stupidity. Understanding these principles is the first step toward building defences against them:

  • Authority: People are conditioned to comply with authority figures. An attacker impersonating IT, senior management, a regulator, or law enforcement triggers compliance instincts that override critical thinking. "This is the IT security team — we detected malware on your account and need your password to run diagnostics" works because the authority framing suppresses scepticism.
  • Urgency: "Your account will be locked in 10 minutes if you don't verify now." Artificial time pressure overrides careful thought. When people feel they must act immediately, they skip verification steps they would otherwise follow. Urgency is the most common tactic in phishing emails for this reason.
  • Social proof and trust: A skilled attacker uses correct internal terminology, mentions the name of a real colleague, references a recent project, or demonstrates knowledge of internal processes — all gathered during the reconnaissance phase. The more the attacker appears to belong, the more the target's guard drops. This is why OSINT-based targeting is so effective.
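The three levers above are also usable as triage signals. The following added example (not code from the original page) scores a raw email on authority, urgency and credential-request language, and adds the header checks an analyst would combine them with: a display name that claims to be IT while the sending domain is not the organisation's, a Reply-To that points elsewhere, and links to external hosts. The trusted domain, phrase lists, weights and both sample messages are constructed assumptions for the example.

```python
"""Heuristic phishing triage based on the social-engineering levers
(authority, urgency, credential request) plus sender-mismatch checks.
Added example; thresholds, phrase lists and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation genuinely sends mail from (assumption).
TRUSTED_DOMAINS = {"corp.example"}

# Phrases mapped to each lever, with an arbitrary weight per lever.
LEVERS = {
    "authority": (2, ["it security team", "it support", "help desk", "your bank",
                      "hmrc", "law enforcement", "chief executive"]),
    "urgency": (2, ["immediately", "within 10 minutes", "will be locked",
                    "will be suspended", "final notice", "urgent", "act now"]),
    "credential_request": (3, ["confirm your password", "verify your identity",
                               "enter your credentials", "re-enter your login",
                               "verify your account"]),
}
EXTRA_WEIGHTS = {"display_name_spoof": 3, "reply_to_mismatch": 2, "external_links": 2}
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def score_message(raw: str) -> dict:
    """Return {'score', 'verdict', 'signals'} for a raw RFC 822 message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    signals = {}
    for name, (_, phrases) in LEVERS.items():
        hits = [p for p in phrases if p in text]
        if hits:
            signals[name] = hits

    # Display name claims IT/security but the sending domain is not ours.
    from_dom = _domain(from_addr)
    name_tokens = set(re.findall(r"\w+", display.lower()))
    if not _is_trusted(from_dom) and name_tokens & {"it", "security", "support", "helpdesk"}:
        signals["display_name_spoof"] = display
    # Replies would go to a different domain than the apparent sender.
    if reply_addr and _domain(reply_addr) != from_dom:
        signals["reply_to_mismatch"] = reply_addr
    # Any link that leaves the organisation's domains.
    external = [h.lower() for h in URL_RE.findall(text) if not _is_trusted(h.lower())]
    if external:
        signals["external_links"] = external

    score = sum(LEVERS[k][0] for k in signals if k in LEVERS)
    score += sum(w for k, w in EXTRA_WEIGHTS.items() if k in signals)
    verdict = "high" if score >= 7 else "medium" if score >= 4 else "low"
    return {"score": score, "verdict": verdict, "signals": signals}


# Constructed sample: the vishing script from the page, as an email.
PHISH = """From: IT Security Team <it-support@corp-example-login.com>
Reply-To: helpdesk@mail-verify.example
To: alice@corp.example
Subject: URGENT: malware detected on your account

This is the IT security team. We detected malware on your account.
Your account will be locked within 10 minutes unless you verify your identity
at https://corp-example-login.com/reset and confirm your password.
"""

# Constructed sample: ordinary internal mail with an internal link.
BENIGN = """From: Bob Jones <bob@corp.example>
To: alice@corp.example
Subject: Q3 project notes

Hi Alice, the notes from today's meeting are on the wiki at
https://wiki.corp.example/projects/q3 - no action needed before Friday.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The score is deliberately crude; its value is in showing that the psychological levers in the text leave lexical and header traces that can be flagged before a user ever reads the message.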

The main attack types

Social engineering encompasses a broad range of attack vectors, each suited to different targets and situations:

  • Phishing: Mass email campaigns impersonating trusted brands — banks, Microsoft, HMRC, delivery companies. The most common initial access vector in reported breaches. Credential harvesting pages and malware delivery are the two primary objectives.
  • Spear phishing: Targeted phishing that uses OSINT to personalise the attack. The email references the target's name, role, recent activity, or specific colleagues. Dramatically higher success rates than generic phishing.
  • Vishing: Phone-based social engineering. The classic scenario: "This is IT support calling. We detected suspicious activity on your account. I need to verify your identity — can you confirm your current password?" Real organisations never ask for passwords over the phone. Most employees don't know that.
  • Smishing: SMS-based phishing. Delivery notification lures ("Your parcel is held — click to reschedule"), bank security alerts, and messages that coax the victim into reading back a one-time authentication code that has just been sent to their phone.
  • Pretexting: An elaborate constructed backstory to justify a request. "I'm the new contractor from [vendor name]. I'm on site today setting up the new [system]. The usual contact isn't available — could you let me into the server room?" The pretext is built from reconnaissance; the more detailed and accurate it is, the more convincing.
  • Baiting: Leaving USB drives in car parks, lobbies, or on desks labelled "Payroll 2024" or "Redundancy List." Human curiosity is a reliable vector. Modern operating systems no longer auto-run removable media, so the drive either carries a malicious document the finder opens or presents itself as a keyboard and types its payload the moment it is plugged in. Studies consistently find high plug-in rates for dropped drives.
  • Quid pro quo: Offering something of value in exchange for access or information. "I can fix the printer issue you reported last week — I just need your login so I can access the print server remotely." A small, immediate benefit is exchanged for significant access.

MGM Resorts 2023 — No Malware. No CVE. Just a Phone Call.

Scattered Spider found an MGM employee on LinkedIn, called the IT help desk impersonating them, and talked the desk into resetting that account's credentials in a call reported to have lasted around ten minutes. From that foothold they escalated to broad access across the network. MGM put the impact at roughly $100M. The strongest firewall in the world would not have stopped it.

Defending against social engineering

Technical controls alone cannot defeat social engineering. The defence must operate at the human layer. Four controls are most effective when implemented together:

  • Security awareness training with phishing simulations: Regular, realistic simulated phishing campaigns using tools like GoPhish measure click rates across the organisation and provide immediate education to employees who click. Over time, this measurably reduces susceptibility. Training without simulation is significantly less effective — people learn most from realistic, contextual experience.
  • Multi-factor authentication (MFA): Even when social engineering captures a password, MFA stops that password alone from granting access. The caveat is that not all MFA resists the same attacks: SMS and app-generated codes can be relayed through an attacker's proxy page in real time, and push prompts can be approved out of fatigue, so where phishing is the threat, prefer phishing-resistant factors such as FIDO2 security keys or passkeys. Even so, MFA is the single most impactful technical control for limiting what a successful social-engineering attempt can achieve.
  • Strict IT verification procedures: Any request for account access, password or MFA resets, or privilege changes received via phone or email should require verification via a separate, known channel — calling back on a number from the official directory, not the one provided by the caller. This procedural control would have stopped the help-desk reset that opened the door in the MGM breach.
  • A culture of "verify, don't trust": Employees need to be explicitly empowered to question unusual requests, even from apparent authority figures, without fear of being seen as obstructive. Security culture is set from the top: if leadership models sceptical behaviour and never pressures employees to bypass security steps, the human layer becomes significantly more resistant.
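The simulation control above only works if the campaign is measured. The following added example (not code from the original page or from GoPhish) turns a campaign result export into the numbers a programme is run on: open, click, submit and report rates per department, who needs follow-up training, and how many minutes passed before the first click. The rows are constructed in the style of a GoPhish results export, and the column names and status values used here are an assumption to check against your own export.

```python
"""Phishing-simulation metrics from a GoPhish-style results export.
Added example; the CSV below is constructed and the column names are assumed."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. One row per recipient; Status is the furthest
# point the recipient reached, Reported is whether they used the report button.
SAMPLE_EXPORT = """Email,Position,Status,Reported,Send Date,Modified Date
alice@corp.example,Finance,Clicked Link,FALSE,2024-05-01 09:00,2024-05-01 09:14
bob@corp.example,Finance,Submitted Data,FALSE,2024-05-01 09:00,2024-05-01 09:20
carol@corp.example,Finance,Email Opened,TRUE,2024-05-01 09:00,2024-05-01 09:05
dave@corp.example,Engineering,Email Sent,FALSE,2024-05-01 09:00,2024-05-01 09:00
erin@corp.example,Engineering,Email Opened,TRUE,2024-05-01 09:00,2024-05-01 09:08
frank@corp.example,Engineering,Clicked Link,TRUE,2024-05-01 09:00,2024-05-01 09:30
grace@corp.example,IT,Email Sent,TRUE,2024-05-01 09:00,2024-05-01 09:03
heidi@corp.example,IT,Email Sent,FALSE,2024-05-01 09:00,2024-05-01 09:00
ivan@corp.example,IT,Error,FALSE,2024-05-01 09:00,2024-05-01 09:00
"""

# Statuses are cumulative: a click implies an open, a submit implies a click.
RANK = {"Email Sent": 0, "Email Opened": 1, "Clicked Link": 2, "Submitted Data": 3}
DATE_FMT = "%Y-%m-%d %H:%M"


def _new_group() -> dict:
    return {"sent": 0, "opened": 0, "clicked": 0, "submitted": 0,
            "reported": 0, "needs_training": []}


def summarise(export_text: str) -> dict:
    """Return per-Position metrics plus an 'overall' entry."""
    groups = defaultdict(_new_group)
    for row in csv.DictReader(io.StringIO(export_text)):
        rank = RANK.get(row["Status"])
        if rank is None:  # Scheduled / Error rows never reached a mailbox
            continue
        reported = row["Reported"].strip().upper() == "TRUE"
        minutes = (datetime.strptime(row["Modified Date"], DATE_FMT)
                   - datetime.strptime(row["Send Date"], DATE_FMT)).total_seconds() / 60
        for key in (row["Position"], "overall"):
            g = groups[key]
            g["sent"] += 1
            g["opened"] += rank >= 1
            g["clicked"] += rank >= 2
            g["submitted"] += rank >= 3
            g["reported"] += reported
            if rank >= 2:
                g["needs_training"].append(row["Email"])
                # Earliest click is the window defenders had to act.
                g["first_click_minutes"] = min(g.get("first_click_minutes", minutes), minutes)
    for g in groups.values():
        for metric in ("opened", "clicked", "submitted", "reported"):
            g[metric + "_rate"] = round(g[metric] / g["sent"], 3)
    return dict(groups)


if __name__ == "__main__":
    for name, g in summarise(SAMPLE_EXPORT).items():
        print(f"{name:12} sent={g['sent']} click={g['clicked_rate']:.0%} "
              f"report={g['reported_rate']:.0%} first_click={g.get('first_click_minutes', '-')}")
```

Track the report rate alongside the click rate: a department whose click rate falls but whose report rate stays near zero has learned to ignore lures, not to escalate them, and the first-click time tells you how quickly a real campaign would need to be contained.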
82% of breaches involve a human element (Verizon DBIR 2022)
$3.2B in Business Email Compromise losses reported to the FBI in 2023
3% of phishing emails are reported by employees; the other 97% go unreported

Social engineering in CEH v13

Module 9 of CEH v13 covers the complete social engineering lifecycle: the psychology of manipulation, all attack vectors from phishing to baiting, the tools used in authorised engagements (including GoPhish for phishing simulation campaigns), and — critically — the techniques for training employees to resist these attacks. Understanding how to conduct an authorised social engineering assessment is a core competency for ethical hackers and red team operators.

The ability to run a credible phishing simulation, measure results, and translate findings into a practical security awareness improvement programme is a skill that directly improves organisational security posture in a way that no technical patch can. It is also a highly valued commercial service: organisations that understand they cannot patch human behaviour increasingly pay specialist firms to test and improve it.

Train with VAPTIC
CEH v13 — Certified Ethical Hacker
Module 9: the full social engineering lifecycle and phishing simulation techniques