
Social Engineering Attacks

Hacking humans instead of systems


Article Written By: Srishti Bhattacharya

Article Designed by: Srishti Bhattacharya and Natasha Gumpula


What is Social Engineering?


Social engineering attacks (IBM) manipulate people into sharing information they should not share, installing software they should not install, visiting web pages they should not visit, sending money to criminals, or making other mistakes that put their own or their organization's security at risk.


Psychological premise of Social Engineering

Understanding how humans are exploited on the basis of their emotions.


Image by (63 SATS)


Some of the most common forms of social engineering are phishing, pretexting, baiting and tailgating. With insight into these techniques, individuals and organizations can defend against them more successfully.


Phishing: Attackers send fraudulent emails or messages crafted to make recipients reveal sensitive information or download malware.

Variants:

Spear Phishing - Targeted at specific individuals or organizations.

Whaling - Targets high-level executives.

Smishing - Conducted via SMS.

Vishing - Conducted via phone calls.


Pretexting: An attacker invents a fictional situation in order to win the victim's trust and elicit personal or sensitive information.

Example - Contacting a person while impersonating tech support and asking them to hand over confirmation codes they have received.


Baiting: Luring victims with the promise of something enticing, such as free software or a prize, in order to install malware on their systems or steal data.


Tailgating: Gaining entry to restricted areas by following an authorized individual, usually by exploiting ordinary courtesy.

Example - An intruder without an ID badge can enter a secure area by following a staff member through the door.


Other forms of social engineering include Quid Pro Quo, Impersonation, Watering Hole Attacks, Shoulder Surfing, Dumpster Diving, Honey Traps, Rogue Software, DNS Spoofing and Scareware.


Human Hacking vs System Hacking

Pretexting and manipulation strategies.


Image by (Cybernx)


Research and pretext development


Attackers collect publicly available information from corporate websites, LinkedIn, or social media in order to build a convincing identity or scenario.


Psychological triggering


Messages are crafted to trigger specific responses: urgency (for example, "your account will be terminated"), fear (for example, "security alert detected"), or authority (for example, "immediate approval required by management").
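The three triggers above, together with the pretexting example earlier (a caller asking for confirmation codes), are exactly the cues that awareness training and mail-triage tooling look for. The scorer below is an added example written for this article, not code from the original author or from any cited source; the cue lexicons, sample messages, domain names and the scoring threshold are all constructed for the demo, and it generalises the article's three examples into small phrase lists per trigger. It scores a message on which trigger categories appear, whether it asks for a password or one-time code, and whether the From display name claims a different domain than the real sender address.

```python
"""Heuristic scorer for the psychological cues a phishing message relies on.

Added example for awareness training and mail triage, not code from the
original article. Lexicons, sample messages, domains and the threshold are
constructed for the demo.
"""
import re
from dataclasses import dataclass, field

# Cue lexicons grouped by the three triggers the article names
# (urgency, fear, command/authority). Constructed and deliberately small;
# a real deployment would tune these against its own mail corpus.
CUES = {
    "urgency": [
        r"\bimmediately\b", r"\bwithin (?:24|48) hours\b", r"\bact now\b",
        r"\bwill be (?:terminated|suspended|closed|locked)\b",
        r"\bfinal (?:notice|warning)\b",
    ],
    "fear": [
        r"\bsecurity alert\b", r"\bunusual (?:activity|sign-?in|login)\b",
        r"\bcompromised\b", r"\bunauthori[sz]ed\b",
    ],
    "authority": [
        r"\bapproval (?:is )?required\b", r"\bmandatory\b",
        r"\bper (?:my|the) (?:request|instructions?)\b",
        r"\bfrom the (?:ceo|cfo|director|management)\b",
    ],
}

# A request for credentials or a one-time code is a strong signal on its
# own, independent of tone (the pretexting example in the article).
CREDENTIAL_REQUEST = re.compile(
    r"\b(?:send|reply with|confirm|provide|enter)\b.{0,40}?"
    r"\b(?:password|verification code|one-time code|mfa code|login details)\b",
    re.IGNORECASE | re.DOTALL,
)

# Parses 'Display Name <user@domain>'; a bare address has no display name.
FROM_RE = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= 3  # constructed threshold


def parse_from(header: str):
    """Return (display_name, address) for a From header."""
    m = FROM_RE.match(header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()


def display_name_spoof(display_name: str, address: str) -> bool:
    """True when the display name embeds an address whose domain differs
    from the real sender domain, e.g. 'it@corp.example <x@mail.example>'."""
    shown = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if not shown:
        return False
    real_domain = address.rsplit("@", 1)[-1]
    return shown.group(1).lower() != real_domain


def score_message(from_header: str, subject: str, body: str) -> Verdict:
    text = f"{subject}\n{body}"
    verdict = Verdict(score=0)

    # One point per trigger category present (not per phrase), so a single
    # shouty message does not dominate; record the phrase that fired.
    for category, patterns in CUES.items():
        for pat in patterns:
            m = re.search(pat, text, re.IGNORECASE)
            if m:
                verdict.score += 1
                verdict.reasons.append(f"{category}: '{m.group(0)}'")
                break

    if CREDENTIAL_REQUEST.search(text):
        verdict.score += 2
        verdict.reasons.append("asks for credentials or a one-time code")

    name, addr = parse_from(from_header)
    if display_name_spoof(name, addr):
        verdict.score += 2
        verdict.reasons.append(f"display name claims a different domain than {addr}")

    return verdict


# Constructed sample messages: one phishing-style, one ordinary.
PHISH = (
    "IT Helpdesk it-support@corp.example <alerts@mail-notify.example>",
    "Security alert: unusual sign-in detected",
    "Your account will be suspended within 24 hours. Reply with your "
    "password and the verification code we just sent to keep access.",
)
BENIGN = (
    "Dana Lee <dana.lee@corp.example>",
    "Lunch on Thursday?",
    "Hi all, the team lunch is moved to Thursday at noon. See you there.",
)

if __name__ == "__main__":
    for sample in (PHISH, BENIGN):
        v = score_message(*sample)
        print(sample[1], "->", v.score, "suspicious" if v.suspicious else "ok", v.reasons)
```

Running it marks the constructed phishing sample as suspicious with a score of 6 (urgency, fear, a credential request and a spoofed display name) and the lunch invitation as 0. The categories are scored once each on purpose: a message that stacks urgency, fear and a credential request is a better phishing indicator than one that repeats "immediately" five times, and recording the matched phrase gives a reviewer something concrete to show the recipient in training.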


Participation and exploitation


The target then clicks a malicious link in the email or message, opens an attachment, or shares credentials, and unwittingly gives the attackers access.


Escalation and breach


Beyond deploying ransomware or stealing data, cybercriminals can use this unauthorized access to move further into the network infrastructure and cause additional harm.


Real World Scenarios and Historical Examples


Industrial Espionage Methods (link): There are widespread reports of former Soviet Bloc intelligence operatives acting as freelancers to the highest bidders, as well as foreign intelligence agencies refocusing their efforts on U.S. companies as opposed to the U.S. Government. These intelligence organizations bring their tried and true methods with them. Unfortunately, most corporate security managers are not aware of the threats and the methods they employ. Intelligence gathering methods are more effective on companies than they are on governments, because companies do not have the appropriate countermeasures in place.


Image by (Vigilfy)


Academic Research on Social Engineering


The human, organisational and adversarial characteristics of cyber threats are identified by systematising the knowledge on Social Engineering Attacks (SEAs). The study discusses the heightened security threats posed by SEAs in physical cyber spaces such as travellers in airports and citizens in smart cities, and draws together the findings of peer-reviewed studies and industry and government publications to propose practical countermeasures that can be integrated into future smart cities.



References


Thomson, Scott, et al. “Social Engineering Attacks: A Systemisation of Knowledge on People Against Humans.” (Cornell).


Pramono, Patricia A. “What Is Social Engineering?” Cisometric, Patricia A Pramono, 18 November 2025, (Cisometric). Accessed 18 January 2026.


uhayat. “Social Engineering – Exploiting Human Psychology.” Mind Classic, uhayat, 22 November 2024, (Mind Classic). Accessed 18 January 2026.


Siddiqi, Murtaza Ahmed, et al. “A Study on the Psychology of Social Engineering-Based Cyberattacks and Existing Countermeasures.” MDPI, 14 June 2022, (MDPI). Accessed 18 January 2026.



-Iyithihya Prakash

Contributing Author



