
Social engineering and phishing

Attacking the human: the psychological levers, the phishing family, and why people are the most exploited part of any system.


The unpatched vulnerability

Social engineering is manipulating people into breaking security (revealing credentials, running malware, granting access) rather than breaking technology. It dominates real incidents because it sidesteps the technical perimeter: no firewall stops an employee who is persuaded to hand over their password. The human is the one component you can't patch, which is why training and process matter as much as technology.

The psychological levers

Effective social engineering exploits predictable human tendencies. Recognising the lever is how you (and trained staff) spot the manipulation:

  • Authority: people comply without questioning apparent authority figures. "This is IT / your CEO / the police." A fake message from the boss telling finance to pay an invoice.
  • Urgency / scarcity: pressure to act now short-circuits careful thought. "Your account will be closed in one hour." Urgency is the single most common tell in phishing.
  • Fear / intimidation: "We've detected illegal activity on your account."
  • Trust / familiarity: impersonating a colleague, a known brand, a friend.
  • Social proof: "everyone in your team has already done this."
  • Reciprocity / liking: doing a small favour first, or simply being charming, to lower defences.
  • Greed / curiosity: "You've won…", or a USB stick labelled "Salaries" left in the car park.

These map closely to Cialdini's principles of influence, and they're the why behind the techniques below.

The phishing family

Phishing is social engineering at scale, usually by email, to steal credentials or deliver malware. The variants differ by channel and targeting:

  • Phishing: broad, untargeted, sent to thousands ("Dear customer…").
  • Spear phishing: targeted at a specific person or organisation, personalised with researched detail and far more convincing for it.
  • Whaling: spear phishing aimed at senior executives ("big fish"), where the payoff (and their authority) is greatest.
  • BEC (Business Email Compromise): impersonating or hijacking an executive/supplier account to trick staff into transferring money or data. Low-tech, enormously costly, often involves no malware at all.
  • Smishing: phishing via SMS text.
  • Vishing: phishing by voice call (now supercharged by AI voice cloning).
  • Quishing: phishing via a QR code that leads to a malicious site. The URL is embedded in an image, so text-based link scanning in the mail gateway never sees it, and the victim usually scans it with a personal phone that sits outside the corporate web filter.

Spotting phishing: mismatched or look-alike sender domains (examp1e.com standing in for example.com), a Reply-To that points somewhere other than the From address, urgency, unexpected attachments or links, generic greetings, requests that bypass normal process, and hovering over a link to reveal a destination that doesn't match the displayed text.
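
Most of those tells can be checked mechanically before a human ever reads the mail. The script below is an added example, not part of the original page: Python, standard library only, that flags a look-alike sender domain, a Reply-To that differs from the From, urgency language, and a link whose visible text names a different host from its real href. The trusted domain, the confusable-character table, the urgency phrases and both sample messages are assumptions constructed for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domains; near-misses are suspect.
TRUSTED_DOMAINS = {"example-corp.com"}
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})  # illustrative look-alike swaps
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|act now|within (an|one) hour|"
                     r"account will be (closed|suspended|locked)|before the bank closes)\b", re.I)

# Constructed sample messages (not real mail): a BEC-style lure and a benign internal note.
PHISH = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail.invalid
Subject: URGENT: supplier payment must go out today
Content-Type: text/html; charset=utf-8

<p>I'm in a meeting and can't talk. We have one hour before the bank closes.</p>
<p>Update the supplier's account here:
<a href="http://portal.example-corp.com.evil.invalid/pay">https://portal.example-corp.com/payments</a></p>
"""
CLEAN = """\
From: "Jane Doe" <jane.doe@example-corp.com>
Subject: Q3 supplier review
Content-Type: text/html; charset=utf-8

<p>Notes are on the <a href="https://portal.example-corp.com/reviews">portal</a>.</p>
"""

def domain_of(header_value) -> str:
    """Domain of the first address in a From/Reply-To header, lower-cased."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def in_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch typosquats such as example-corp.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if in_trusted(domain):
        return None
    normalised = domain.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    for trusted in TRUSTED_DOMAINS:
        if normalised == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the shown text can be compared with the real target."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse(raw: str) -> list:
    """Return human-readable indicators for one message; an empty list means nothing was flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"look-alike sender domain {from_domain} imitates {imitated}")
    if msg.get("Reply-To") and domain_of(msg["Reply-To"]) != from_domain:
        findings.append(f"Reply-To domain {domain_of(msg['Reply-To'])} differs from From domain {from_domain}")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(str(msg.get("Subject", "")) + " " + body)})
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(text).hostname or "").lower() if "://" in text else ""
        if shown_host and shown_host != real_host:  # the hover check, done for you
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        elif real_host and not in_trusted(real_host):
            findings.append(f"link to untrusted host {real_host}")
    return findings
```

`analyse(PHISH)` returns four indicators (look-alike domain, Reply-To mismatch, urgency wording, and link text pointing at a different host than the href), while `analyse(CLEAN)` returns nothing. The look-alike check is deliberately two-pronged: character substitution catches `examp1e-corp.com`, and a small edit distance catches `example-corp.co`; a production filter would use a fuller confusables table and the organisation's real domain inventory.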

In-person and physical techniques

  • Pretexting: inventing a believable scenario or role to extract information ("I'm from the helpdesk, I need to verify your password").
  • Baiting: leaving malware-laden media (USB drives) where targets will find and plug them in, exploiting curiosity.
  • Tailgating / piggybacking: following an authorised person through a secure door, often by looking busy or carrying boxes so someone holds it open.
  • Shoulder surfing: observing someone enter credentials or a PIN.
  • Dumpster diving: recovering sensitive information from discarded paper or hardware.
  • Quid pro quo: offering a service ("free IT support") in exchange for access or information.

Why awareness is a real control

Because social engineering targets people, the controls are human and procedural, and they genuinely work:

  • Security awareness training and simulated phishing measurably reduce click rates over time.
  • Verification procedures for sensitive actions: call back on a known number before paying a changed invoice (BEC defence), enforce out-of-band confirmation. Process beats persuasion.
  • A blame-free reporting culture: staff who fear punishment hide their mistakes, so incidents are found late. Make reporting a suspected click easy and consequence-free; early reporting shrinks the damage.
  • Technical backstops: email authentication (SPF, DKIM, and DMARC with an enforcing policy) so that mail claiming to come from your own domains cannot simply be forged (it does nothing against a look-alike domain the attacker registers and authenticates properly), link/attachment sandboxing, and crucially phishing-resistant MFA (FIDO2/passkeys), which protects the account even when the password is phished: the authenticator signs a challenge bound to the site's real origin, so a proxy site collects nothing it can reuse. SMS codes, app OTPs and push approvals are not in this class, because an attacker relaying the login in real time can capture or trigger them.
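
Why DMARC is the piece that turns SPF and DKIM into an anti-spoofing control, as an added example that is not from the original page: SPF authenticates the envelope sender (the MAIL FROM domain) and DKIM authenticates whichever domain signed the message (the d= value), but neither says anything about the From: header the reader sees. DMARC passes only when one of them passed and its domain also aligns with the From: domain. The Python below implements that alignment rule and runs it over constructed scenarios; the domain names and records are assumptions, and the organisational-domain shortcut (last two labels) stands in for the Public Suffix List a real evaluator consults.

```python
# SPF and DKIM each authenticate a domain of their own; DMARC checks that the authenticated
# domain aligns with the From: domain. Domains and records here are constructed for the example.


def parse_dmarc_record(record: str) -> dict:
    """Parse a _dmarc TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")  # RFC 7489 default: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain. Assumption: the last two labels. A real evaluator consults
    the Public Suffix List so that e.g. example.co.uk is handled; this is a shortcut."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same
    organisational domain, so bounce.example-corp.com aligns with example-corp.com."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, record):
    """Return (dmarc_result, action) for one message.

    spf_result and dkim_result are 'pass' or 'fail'; spf_domain is the MAIL FROM domain,
    dkim_domain the DKIM d= value (None if unsigned); record is the From domain's DMARC record.
    """
    tags = parse_dmarc_record(record)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_aligned or dkim_aligned:
        return "pass", "deliver"
    return "fail", tags["p"]  # none / quarantine / reject: the domain owner's choice


# Constructed scenarios; the policy record is the one published by the From: domain.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com"
SCENARIOS = {
    # Genuine mail: the bounce subdomain passes SPF and aligns under relaxed mode.
    "genuine": ("example-corp.com", "pass", "bounce.example-corp.com", "fail", None, RECORD),
    # Spoof: the attacker's server passes SPF and DKIM for ITS OWN domain, but nothing
    # aligns with the From: the reader sees, so the impersonated domain's p=reject applies.
    "spoofed From": ("example-corp.com", "pass", "attacker.invalid",
                     "pass", "attacker.invalid", RECORD),
    # Strict adkim rejects a signature from a subdomain that relaxed mode would accept.
    "strict adkim": ("example-corp.com", "fail", "attacker.invalid",
                     "pass", "mail.example-corp.com", RECORD + "; adkim=s"),
    # Look-alike domain the attacker registered: everything aligns and DMARC passes.
    "look-alike": ("examp1e-corp.com", "pass", "examp1e-corp.com",
                   "pass", "examp1e-corp.com", "v=DMARC1; p=none"),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(f"{name:>13}: {evaluate_dmarc(*args)}")
```

The second scenario is the one that matters: SPF alone reports "pass" for the attacker's mail, because the attacker publishes an SPF record for their own domain, and only the alignment step notices that the passing domain is not the one in From:. The last scenario is the caveat from the bullet above: a look-alike domain passes every check because the attacker controls it, which is why the human tells (and look-alike detection) still earn their place.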

The key insight: you cannot eliminate human susceptibility, so good security assumes phishing will sometimes succeed and limits the damage; MFA, least privilege, segmentation and monitoring mean one fooled employee isn't game over. Defence in depth applied to people.

Quick recall

  • Social engineering attacks people, not technology, bypassing technical controls. The human can't be patched.
  • Levers: authority, urgency/scarcity, fear, trust, social proof, reciprocity, greed/curiosity; urgency is the commonest tell.
  • Phishing family: phishing (broad) → spear phishing (targeted) → whaling (executives); BEC (impersonate to redirect payments); smishing (SMS), vishing (voice), quishing (QR).
  • Physical/in-person: pretexting, baiting (USB), tailgating, shoulder surfing, dumpster diving, quid pro quo.
  • Defences: training + simulations, out-of-band verification, blame-free reporting, SPF/DKIM/DMARC, and phishing-resistant MFA as the technical backstop.