February 20, 2026 | Vinay Kumar | Social Engineering

What Is Social Engineering in Cybersecurity? A Plain-English Guide

TLDR: Social engineering is the art of hacking humans, not systems. Attackers manipulate your employees into handing over access, credentials, or sensitive data — no malware required. An 18-year-old took down Uber in 2022 with a phone call. Twitter's entire platform was compromised in 2020 because a handful of employees were deceived. Technical defences like firewalls and antivirus software are essential, but they cannot protect you from a well-trained liar. The only real defence is a well-trained team.


The Breach That Started With a Phone Call

In September 2022, an 18-year-old hacker gained access to Uber's internal systems — not by deploying sophisticated malware or exploiting a zero-day vulnerability — but by calling an Uber employee, claiming to be from Uber's own IT department, and convincing them to share their VPN credentials.

Once inside, he had access to Uber's Slack, its AWS environment, its HackerOne vulnerability reports, and internal dashboards. All from a phone call.

No exploit kit. No advanced persistent threat. Just a teenager with a believable story and a confident tone.

This wasn't a fluke or a one-off. A few years earlier, in July 2020, a 17-year-old and two accomplices compromised Twitter's internal admin tools by targeting a small number of Twitter employees through a phone-based social engineering attack. They then hijacked the accounts of Barack Obama, Elon Musk, Apple, and Joe Biden to run a Bitcoin scam that netted over $100,000 in hours.

The common thread? Neither attack touched a single piece of security software. Both went straight for the weakest link — people.


What Social Engineering Actually Means

Social engineering, in the context of cybersecurity, is the use of psychological manipulation to trick people into making security mistakes or giving away sensitive information.

The term sounds clinical, but the concept is ancient. Con artists have been doing this for centuries. What's changed is the scale, the sophistication, and the stakes. Today, a single deceived employee can open the door to a company's entire infrastructure.

Where traditional hacking exploits software vulnerabilities, social engineering exploits human ones — things like trust, helpfulness, urgency, fear, and authority. Attackers study how people behave, what they respond to, and how organisations are structured. Then they craft stories — called pretexts — that feel completely plausible to the person on the receiving end.

The reason this works so well in corporate environments is that employees are trained to be helpful, to respond quickly, and to not question someone who sounds like they belong. These are good qualities. Attackers know that, and they use it.


The 6 Types of Social Engineering You Need to Know

1. Phishing

Phishing is the most common form and the one you've probably heard of. An attacker sends an email that looks like it's from a trusted source — your bank, your CEO, Microsoft, or a vendor — and tricks you into clicking a malicious link, downloading an attachment, or entering credentials on a fake login page.

What makes modern phishing so dangerous is the level of personalisation. Gone are the days of broken English and obvious red flags. Today's phishing emails are grammatically perfect, use your real name, reference actual company projects, and are timed to land when you're most likely to respond without thinking.

2. Vishing (Voice Phishing)

Vishing is phishing over the phone. The attacker calls an employee pretending to be IT support, a vendor, a bank, or even a senior executive. They use urgency ("Your account has been compromised, I need your credentials to reset it right now") to bypass rational thinking.

This is exactly what was used in both the Uber and Twitter attacks. A human voice carries an authority that an email simply doesn't, and most people are not trained to be sceptical of callers who sound confident and knowledgeable.

3. Smishing (SMS Phishing)

Smishing is the same attack delivered via text message. "Your parcel couldn't be delivered, click here to reschedule." "Unusual activity on your account, verify now." These messages feel personal and immediate, and people click links in text messages far more readily than in emails.

For businesses, smishing targeting employees' personal mobile numbers is increasingly common — especially when attackers are trying to bypass corporate email filters.

4. Pretexting

Pretexting is the construction of a fabricated scenario — a pretext — to extract information or access. An attacker might pose as an auditor who needs access to financial records, a new IT contractor who needs network credentials, or a journalist writing a story about the company.

The goal is to establish just enough credibility to get what they need. Pretexting attacks often involve significant research — attackers study LinkedIn, company websites, and social media to build a believable character before they ever make contact.

5. Baiting

Baiting relies on human curiosity or greed. The classic example is leaving USB drives labelled "Salary Information Q4" or "Redundancy List" in a company car park or reception area. An employee finds it, plugs it into their work computer out of curiosity, and unknowingly installs malware.

Digital baiting works similarly — fake free software downloads, pirated content, or "exclusive" files that are actually trojanised.

6. Tailgating (Physical Social Engineering)

Tailgating — sometimes called piggybacking — is when an unauthorised person physically follows an authorised employee into a restricted area. It often looks like someone carrying a large box who asks you to hold the door, or someone in a high-vis vest who looks like they belong.

This is not just a theoretical risk. Physical access to a server room, an unattended workstation, or even a printer can be enough to cause significant damage.


Why Your Technical Security Can't Stop This

Most businesses invest in firewalls, endpoint protection, email filters, and multi-factor authentication. These are all important and necessary. But they all operate on the same fundamental assumption: that the threat is coming from outside.

Social engineering breaks that assumption entirely.

When an attacker convinces your employee to disable MFA, approve a fraudulent bank transfer, or hand over their credentials willingly — your security tools see a legitimate login from a legitimate user. There is no alert. There is no anomaly. Everything looks normal, because as far as the system is concerned, it is.

The 2025 Verizon Data Breach Investigations Report found that 74% of all breaches involved a human element — whether it was social engineering, errors, or misuse. That number has stayed consistently high for years.

Technology secures systems. It cannot secure judgment.


Real-World Examples That Should Concern Every Business Leader

Uber, 2022. The attacker used a technique called MFA fatigue — repeatedly sending multi-factor authentication requests to the employee's phone until, frustrated and confused, they approved one. Combined with a convincing impersonation of Uber IT support, the attacker had full internal access within hours. Read more about the Uber breach here.
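MFA fatigue is one of the few social engineering techniques that does leave a trace in the logs, even though the final login is "legitimate": a burst of push prompts to one user shortly before an approval. The following detector is an added example written for this article, not Kuboid's tooling or anything from the Uber investigation. It works over a constructed log format (timestamp, user, event) with three event names that are assumptions here; a real identity provider emits different field names and would need to be mapped first.

```python
"""Flag MFA push approvals that follow a burst of prompts (MFA fatigue).

Added example for this article; the log format and event names
(PUSH_SENT, PUSH_DENIED, PUSH_APPROVED) are constructed assumptions,
not a real identity provider's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: alice approves a single prompt during work hours;
# bob receives six prompts in under five minutes late at night, denies one,
# and finally approves.
SAMPLE_LOG = """\
2026-02-20T09:01:10 alice PUSH_SENT
2026-02-20T09:01:18 alice PUSH_APPROVED
2026-02-20T22:14:02 bob PUSH_SENT
2026-02-20T22:14:40 bob PUSH_DENIED
2026-02-20T22:15:05 bob PUSH_SENT
2026-02-20T22:15:50 bob PUSH_SENT
2026-02-20T22:16:30 bob PUSH_SENT
2026-02-20T22:17:12 bob PUSH_SENT
2026-02-20T22:18:00 bob PUSH_SENT
2026-02-20T22:18:33 bob PUSH_APPROVED
"""


def parse_log(text):
    """Parse 'timestamp user event' lines into (datetime, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events.append((datetime.fromisoformat(ts), user, event))
    return events


def find_mfa_fatigue(events, max_pushes=4, window=timedelta(minutes=10)):
    """Return (user, prompt_count, denied_count, approval_time) for every
    approval preceded by at least `max_pushes` prompts inside `window`.

    The approval itself is a valid login; the signal is the burst before it.
    """
    by_user = defaultdict(list)
    for ts, user, event in events:
        by_user[user].append((ts, event))

    findings = []
    for user, seq in by_user.items():
        seq.sort()  # chronological order per user
        for ts, event in seq:
            if event != "PUSH_APPROVED":
                continue
            start = ts - window
            in_window = [e for t, e in seq if start <= t <= ts]
            pushes = in_window.count("PUSH_SENT")
            denied = in_window.count("PUSH_DENIED")
            if pushes >= max_pushes:
                findings.append((user, pushes, denied, ts))
    return findings


if __name__ == "__main__":
    for user, pushes, denied, ts in find_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: approved after {pushes} prompts "
              f"({denied} explicitly denied) within 10 minutes")
```

The thresholds are deliberately conservative; tune `max_pushes` and `window` against your own provider's normal prompt rate, and treat a hit as a reason to call the user back on a directory number, not as proof of compromise on its own.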

Twitter, 2020. A coordinated vishing attack targeted a small group of Twitter employees who had access to internal admin tools. The attackers were able to reset two-factor authentication on high-profile accounts. The damage was visible on a global stage within minutes. The full story from the BBC.

Barbara Corcoran, 2020. Even individuals with sophisticated advisors aren't immune. The Shark Tank investor lost nearly $400,000 when a scammer impersonated her assistant via email and approved a fraudulent invoice. The attack was so convincing that the wire transfer went through before anyone realised what had happened.

These aren't examples of companies with poor IT departments. These are organisations with real security budgets and dedicated security teams. The attacks succeeded because they targeted humans.


How to Actually Defend Against Social Engineering

The good news is that social engineering is one of the most defensible threats in cybersecurity — but the defence looks very different from deploying a new piece of software.

Build a culture of healthy scepticism. Employees should feel empowered to question requests that feel unusual, even if they come from someone who appears to be in authority. "Can I verify this through another channel?" should never feel like a career risk. A culture that punishes employees for raising questions is one that attackers will exploit.

Implement and enforce verification procedures. Any request involving financial transfers, credential resets, or access changes should require verification through a second channel. If someone calls claiming to be from IT and asks for your password, your policy should require you to hang up and call IT directly using a number from your internal directory — not the one the caller gave you.

Run regular, realistic security awareness training. Annual checkbox training is not enough. Employees need regular, scenario-based training that reflects the actual attacks being used today. They need to understand not just what phishing looks like, but why they're psychologically vulnerable to it — and how attackers use urgency, authority, and social proof to bypass rational thinking.

Conduct phishing simulations. The only way to truly understand how your team responds to social engineering is to test them in a controlled, consequence-free environment. Simulated phishing campaigns reveal exactly where your vulnerabilities lie — which departments click the most, who reports suspicious emails, and where training needs to be focused.
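What a simulation is worth depends on how its results are read: click rate per department shows where training is needed, but report rate and time-to-first-report show whether the organisation would actually contain a real campaign. The script below is an added example written for this article, not Kuboid's reporting tooling. The campaign rows are constructed, and the column layout (employee, department, clicked, reported, minutes until report) is an assumption.

```python
"""Summarise a phishing-simulation campaign by department.

Added example for this article; the rows and column layout are constructed
assumptions, not output from any real simulation platform.
"""
from collections import defaultdict

# Constructed results: (employee, department, clicked, reported, minutes_to_report)
RESULTS = [
    ("u1", "Finance", True, False, None),
    ("u2", "Finance", True, True, 45),
    ("u3", "Finance", False, True, 6),
    ("u4", "Finance", False, False, None),
    ("u5", "Engineering", False, True, 3),
    ("u6", "Engineering", False, True, 9),
    ("u7", "Engineering", True, True, 120),
    ("u8", "Engineering", False, False, None),
    ("u9", "Sales", True, False, None),
    ("u10", "Sales", True, False, None),
    ("u11", "Sales", False, False, None),
]


def summarise(results):
    """Per-department click rate, report rate and minutes to the first report."""
    groups = defaultdict(list)
    for row in results:
        groups[row[1]].append(row)

    summary = {}
    for dept, rows in groups.items():
        n = len(rows)
        clicks = sum(1 for r in rows if r[2])
        reports = sum(1 for r in rows if r[3])
        report_times = [r[4] for r in rows if r[4] is not None]
        summary[dept] = {
            "employees": n,
            "click_rate": round(clicks / n, 2),
            "report_rate": round(reports / n, 2),
            # Containment clock starts at the first report, not the median one.
            "first_report_minutes": min(report_times) if report_times else None,
        }
    return summary


def training_priority(summary):
    """Order departments for follow-up: lowest report rate first, then highest
    click rate. A department that clicks but also reports is in better shape
    than one that clicks and stays silent."""
    return sorted(summary,
                  key=lambda d: (summary[d]["report_rate"], -summary[d]["click_rate"]))


if __name__ == "__main__":
    s = summarise(RESULTS)
    for dept in training_priority(s):
        print(dept, s[dept])
```

Run as-is, Sales ranks first for follow-up: it has the highest click rate and nobody reported, so a real campaign against that team would have gone unnoticed entirely.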

Establish a clear reporting mechanism. Employees who suspect they've been targeted by a social engineering attack need to know exactly who to call and what to do — without fear of blame. Speed matters enormously. The faster an incident is reported, the faster it can be contained.

Extend your thinking to physical security. Visitor management, access control policies, and employee training on tailgating are part of your security posture. An attacker who can walk into your server room doesn't need to hack your firewall.


How Kuboid Secure Layer Approaches This Problem

At Kuboid Secure Layer, we work with businesses that have invested in the right technical infrastructure but are beginning to realise that their people represent an unaddressed risk.

Social engineering assessments — sometimes called human-layer penetration tests — involve our team attempting to gain access to your systems, data, or physical premises using the same techniques that real attackers use. Phishing simulations, vishing calls, pretexting scenarios, even physical tailgating attempts. The goal is never to embarrass or blame your employees. It's to give you a clear, evidence-based picture of where your human risk actually sits, before an attacker finds it first.

From there, we work with organisations to build security awareness programmes that actually change behaviour — not just tick a compliance box. If you'd like to understand how your team would respond to a real social engineering attempt, reach out to us here.


Closing Thought

The most expensive security stack in the world cannot protect you from an employee who's been convinced they're doing the right thing. Social engineering works precisely because it looks nothing like an attack. It looks like a helpful colleague, an urgent request, or a routine call from IT.

The companies that take this seriously — that invest in their people the way they invest in their technology — are the ones that are genuinely harder to compromise. Not impossible, but harder. And in cybersecurity, harder is often enough.

Your firewall is a wall. But a door is still a door, and people hold the keys.


Kuboid Secure Layer provides cybersecurity services to businesses across industries. To learn more about our security assessment and awareness services, visit www.kuboid.in.

Vinay Kumar
Security Researcher @ Kuboid