Social engineering is the manipulation of people to divulge information, perform actions, or grant access that they would not normally permit. The category includes phishing (email-based), vishing (voice-based), smishing (SMS-based), pretexting (in-person or remote impersonation), tailgating (physical-access social engineering), and the broader umbrella of “human exploitation” attacks. Documented in Verizon DBIR as a contributing factor in over 60% of confirmed breaches across multiple years.
What it means in practice
The structural property of social engineering: technology-side defenses do not address it directly. The phishing-resistant authentication (FIDO2 hardware keys, passkeys) defeats credential-stealing phishing but does not defeat the call where the attacker convinces the IT help desk to reset the user’s account. The corporate firewall does not defeat the contractor who tailgated through the security door behind a legitimate employee. The structural defenses are operational: authentication procedures that survive social pressure (the help desk that demands callback verification regardless of the caller’s urgency claim), physical-access controls that survive politeness (the receptionist who stops the unbadged person regardless of the suit they are wearing), and a culture where reporting suspicious contact is rewarded rather than penalized.
Who is targeted, and by whom
Targets cluster by leverage. IT help desks (the access path to many accounts; the 2023 MGM and Caesars breaches both started with social engineering of the help desk via Scattered Spider operators). Executive assistants (the proxy for the executive’s identity; the BEC fraud category targets this consistently). New employees (less institutional knowledge to recognize the social-engineering attempt; the first 90 days of employment is the documented vulnerability window). Sales-floor staff with system access (large attack surface; targeted by Scattered Spider and similar). Operators: organized cybercrime groups specializing in social engineering at scale (Scattered Spider being the most documented English-language example; equivalent groups operate in Russian and Chinese language ecosystems), and individual operators in BEC and romance-scam contexts that scale less but extract per-incident more.
What you can change today
Three actions. First, build the personal procedural rule that survives pressure: any inbound contact requesting account changes, password resets, or sensitive information requires a callback to a known number (the number on your statement, the number on the company website, not the number provided by the caller). The rule applies to your bank, your employer, your IT help desk, and any other context. Second, recognize the urgency signal as a tell: legitimate processes can usually wait 10 minutes for verification; social-engineering pressure is structurally about preventing the verification step. Third, talk through the attack patterns with your household and your work team; the cultural defense (everyone knows what social engineering looks like) is the structural defense that survives the moment when the individual encounters the attack.
