Social Engineering Scams: How Attackers Manipulate People to Breach Security
Posted to Cybersecurity.
You can deploy the most sophisticated firewall on the market, encrypt every hard drive in your organization, and run continuous vulnerability scans across your entire network. None of it matters if an employee picks up the phone and reads their password to someone pretending to be from the IT help desk.
Social engineering is the art of manipulating people into giving up confidential information, performing actions, or granting access they should not. It is the oldest and most consistently effective attack vector in cybersecurity, and it is getting dramatically worse as artificial intelligence gives attackers new tools to scale their deception.
The numbers tell the story. According to the FBI's Internet Crime Complaint Center, business email compromise alone cost organizations over $2.9 billion in reported losses in 2023. Phishing was the most reported cybercrime category for the fifth consecutive year. And those figures only capture what gets reported. The actual losses are significantly higher.
Having worked in cybersecurity for over 23 years, I have seen social engineering evolve from clumsy Nigerian prince emails to AI-generated voice clones that perfectly mimic a CEO's speech patterns. I have also served as a certified expert witness in cases where social engineering was the root cause of breaches that destroyed businesses. The pattern is almost always the same: the technology was fine, but someone trusted the wrong person at the wrong moment.
The Seven Types of Social Engineering Attacks
Phishing
Phishing is the most widespread form of social engineering. Attackers send fraudulent emails designed to trick recipients into clicking malicious links, downloading infected attachments, or entering credentials on fake login pages. Modern phishing campaigns are highly targeted and convincing. They replicate the branding, tone, and formatting of legitimate emails from banks, software vendors, shipping companies, and internal departments.
Spear phishing targets specific individuals with personalized content. The attacker researches the target's role, colleagues, projects, and communication patterns, then crafts an email that appears to come from a trusted contact about a relevant topic. Whaling takes this further by targeting C-suite executives with messages that reference board meetings, acquisition discussions, or regulatory matters.
Vishing (Voice Phishing)
Vishing uses phone calls instead of emails. An attacker might call an employee claiming to be from the IT department, saying they need to verify the employee's credentials to resolve a system issue. They might impersonate a bank representative calling about suspicious account activity. They might pose as a vendor demanding immediate payment to prevent service disruption.
Vishing is particularly effective because phone calls create a sense of immediacy that emails do not. People feel social pressure to be helpful and responsive on a live call. They have less time to think critically about the request. And caller ID spoofing makes it trivial for attackers to display any phone number they choose.
Smishing (SMS Phishing)
Smishing delivers the same social engineering techniques through text messages. Attackers send SMS messages posing as banks, delivery services, government agencies, or employers with urgent calls to action: "Your account has been locked, click here to verify," or "Your package couldn't be delivered, update your address." The shortened URLs in text messages make it difficult to verify where a link actually leads before clicking.
Pretexting
Pretexting involves creating a fabricated scenario, a pretext, to engage the target and extract information. Unlike phishing, which often casts a wide net, pretexting usually involves extended interaction. An attacker might call an HR department claiming to be an employee who lost their badge and needs temporary building access. They might email the finance team pretending to be a vendor requesting updated payment information.
The effectiveness of pretexting depends on the attacker's research and acting ability. A well-constructed pretext includes verifiable details that build credibility: the name of a real manager, a reference to an actual project, a plausible reason for the request. The target feels they are dealing with a legitimate person in a normal business situation.
Baiting
Baiting exploits curiosity or greed. Physical baiting involves leaving USB drives, external hard drives, or CDs in locations where targets will find them: parking lots, lobbies, break rooms. The media is loaded with malware that executes when someone plugs it into their computer. Digital baiting offers free software, pirated media, or other attractive downloads that contain malicious payloads.
Tailgating and Piggybacking
Tailgating is the physical equivalent of a digital social engineering attack. An attacker follows an authorized person through a secured door without using their own credentials. They might carry an armful of boxes and ask someone to hold the door. They might wear a delivery uniform and walk in behind an employee who badges through. Once inside the physical perimeter, they have direct access to unlocked workstations, network ports, server rooms, and sensitive documents.
Quid Pro Quo
Quid pro quo attacks offer something in exchange for information or access. An attacker might call employees claiming to be from a software company conducting a survey, offering a gift card in exchange for answering questions that reveal technical details about the organization's systems. They might pose as tech support offering to fix a computer problem if the employee installs a "diagnostic tool" that is actually remote access malware.
The Psychology That Makes Social Engineering Work
Social engineering succeeds because it exploits fundamental aspects of human psychology. Understanding these principles is essential for building effective defenses.
Authority: People tend to comply with requests from perceived authority figures. An email appearing to come from the CEO, a phone call from someone claiming to be a federal investigator, or a message from "IT administration" all leverage the authority principle. Employees are conditioned to follow instructions from leadership and to cooperate with official-sounding requests.
Urgency: Creating time pressure short-circuits critical thinking. "Your account will be deactivated in 30 minutes," "This wire transfer must be completed before end of business," or "We need your credentials now to stop an active breach" all create urgency that pushes targets to act before they think. This is the single most common trigger in successful phishing campaigns.
Reciprocity: When someone does something for us, we feel obligated to return the favor. An attacker who helps an employee with a minor task builds rapport and goodwill that the employee may feel compelled to reciprocate, even if the subsequent request is inappropriate.
Social proof: People look to the behavior of others when uncertain. "All the other department heads have already completed this security update" makes the target feel they are behind and should comply without questioning the request.
Familiarity and liking: We are more likely to comply with requests from people we know and like. Attackers build rapport through small talk, shared interests, and friendly demeanor before making their real request.
Real-World Social Engineering: What It Actually Looks Like
The social engineering attacks that cause the most damage rarely resemble the examples in security awareness training slides. They are nuanced, patient, and specifically crafted for the target organization.
Consider a case we analyzed where an attacker compromised a small accounting firm by calling the receptionist and explaining they were a new employee starting the following Monday. They asked innocent questions about the office: where to park, what time the doors open, what the dress code is. Over three calls spanning a week, they learned the names of IT staff, the help desk phone number, the email format, and which software the firm used. Armed with this information, they called the actual help desk posing as the receptionist's colleague, requesting a password reset for an account they claimed was locked. The help desk complied.
In another case I reviewed as an expert witness, attackers targeted a manufacturing company's CFO with a business email compromise. They had monitored the CFO's email for weeks after compromising it through a phishing attack, learning the company's vendor relationships, payment schedules, and communication patterns. When the time came, they inserted themselves into an existing email thread about a legitimate invoice, changing only the bank routing number. The company wired $340,000 to the attacker's account. By the time anyone noticed, the money had been moved through three overseas accounts and was unrecoverable.
How Artificial Intelligence Is Amplifying Social Engineering
AI has fundamentally changed the social engineering threat landscape. What once required skilled human attackers can now be automated at scale with frightening quality.
AI-generated phishing emails eliminate the grammatical errors and awkward phrasing that once helped recipients identify fraudulent messages. Large language models can generate perfectly written, contextually appropriate phishing emails in any language, tailored to any industry, at any volume.
Deepfake voice technology allows attackers to clone a person's voice from just a few seconds of audio, often scraped from conference presentations, podcast appearances, or social media videos. Attackers have used cloned CEO voices to authorize fraudulent wire transfers over the phone. The employees who approved the transfers said the voice was indistinguishable from their actual CEO.
Deepfake video is following the same trajectory. While real-time video deepfakes are not yet perfected, they are advancing rapidly. Within the next few years, video calls from what appears to be your CEO or board member may be entirely fabricated.
This is a topic I have discussed extensively on the Encrypted Ambition podcast, where we have dedicated multiple episodes to how AI is reshaping the threat landscape. The core challenge is that AI eliminates the traditional signals people use to detect deception. Perfect grammar, natural speech patterns, and familiar voices used to indicate legitimacy. That assumption is no longer safe.
Building a Defense Strategy Against Social Engineering
Defending against social engineering requires a layered approach that combines technology, training, policy, and culture.
Technical Controls
Technology cannot stop social engineering entirely, but it can reduce the attack surface and catch many attempts before they reach their targets.
- Email filtering and authentication: Deploy DMARC, DKIM, and SPF records to prevent email spoofing of your domain. Use advanced email filtering that analyzes links, attachments, and sender behavior patterns. Sandbox suspicious attachments before delivery.
- Multi-factor authentication: MFA is the single most effective control against credential theft from phishing. Even if an employee enters their password on a fake login page, the attacker cannot access the account without the second factor. Use phishing-resistant MFA methods like FIDO2 security keys rather than SMS codes.
- Web filtering: Block access to known phishing sites and newly registered domains. Most phishing infrastructure uses domains registered within the previous 30 days.
- Endpoint detection and response: EDR solutions can detect and block malware delivered through social engineering, even if the employee clicks the link or opens the attachment.
- Call authentication: For high-risk transactions like wire transfers or account changes, establish callback verification procedures using known phone numbers, not numbers provided in the request.
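The email authentication item above names DMARC, DKIM and SPF but not what a weak record looks like. The following is an added example, not code from this post or from Petronella Technology Group: it checks SPF and DMARC TXT records for the settings that still leave a domain spoofable, and compares a constructed weak record set against a hardened one (the domain names and mail provider are hypothetical).

```python
"""Flag SPF/DMARC settings that leave a domain spoofable. Added example,
not code from the post; the sample TXT records below are constructed."""


def check_spf(txt_records):
    """Return findings for the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may send mail as this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror"]
    all_qualifier = None
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is pass
        if term.lstrip("+-~?").lower() == "all":
            all_qualifier = qualifier  # the catch-all decides unlisted senders
    if all_qualifier is None:
        return ["no 'all' term: unlisted senders get a neutral result"]
    if all_qualifier in "+?":  # ~all (softfail) is accepted, -all preferred
        return [f"'{all_qualifier}all' lets any host pass SPF; use -all"]
    return []


def check_dmarc(txt_records):
    """Return findings for the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record: SPF/DKIM failures are never enforced"]
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)}
    findings, policy = [], tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: only p=reject blocks spoofed mail")
    if tags.get("sp", policy).lower() != "reject":  # sp inherits p when absent
        findings.append("subdomain policy weaker than reject: subdomains stay spoofable")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy covers only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


# Constructed records for a hypothetical domain: the weak set beside the fixed one.
WEAK = {"spf": ["v=spf1 include:_spf.mailhost.test ?all"],
        "dmarc": ["v=DMARC1; p=none; pct=50"]}
HARDENED = {"spf": ["v=spf1 include:_spf.mailhost.test -all"],
            "dmarc": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.test"]}


def audit(records):
    """Combine both checks; an empty list means the domain passed."""
    return check_spf(records["spf"]) + check_dmarc(records["dmarc"])
```

To run it against a real domain, pass the TXT records fetched for the domain itself and for `_dmarc.<domain>` (for instance with dnspython's `dns.resolver.resolve(name, "TXT")`).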
Security Awareness Training
Training is essential, but it must go beyond annual checkbox exercises to actually change behavior. Effective security awareness programs include:
- Regular phishing simulations that test employees with realistic scenarios.
- Immediate feedback when employees fall for simulated attacks.
- Role-specific training for high-risk positions like finance, HR, and executive assistants.
- Ongoing reinforcement through newsletters, posters, and informal discussions.
The goal is not to achieve a zero percent click rate on phishing simulations. That is unrealistic. The goal is to build a culture where employees feel comfortable questioning unusual requests, even from authority figures, and where reporting suspicious activity is praised rather than punished.
Policy and Process Controls
Establish clear procedures for high-risk activities that cannot be bypassed through social pressure:
- Dual authorization for financial transactions: Any wire transfer, ACH payment, or vendor payment change requires approval from two authorized individuals through verified channels.
- Out-of-band verification: Any request to change payment information, reset passwords for privileged accounts, or grant emergency access must be verified through a separate communication channel. If the request came by email, verify by phone using a known number.
- Information classification: Employees should know what information is confidential, who is authorized to request it, and through what channels. If someone calls asking for employee Social Security numbers, the response should be refusal and escalation, regardless of who the caller claims to be.
- Visitor and access policies: Badge-controlled areas should enforce strict no-tailgating rules. Visitors should be escorted at all times. Employees should be empowered to challenge unfamiliar faces in restricted areas without fear of being rude.
What to Do When Social Engineering Succeeds
Despite your best efforts, social engineering attacks will occasionally succeed. Your incident response plan should include specific procedures for social engineering incidents.
If credentials were compromised, immediately reset the affected account's password, revoke active sessions, and review recent account activity for unauthorized actions. If a financial transaction was initiated, contact the bank immediately since there is a narrow window to recall wire transfers. If malware was installed, isolate the affected system from the network and initiate your endpoint incident response process.
Document everything. In cases where the social engineering leads to significant financial loss or data breach, the documentation becomes critical for insurance claims, law enforcement reports, and potential litigation. Organizations operating under compliance frameworks like HIPAA or CMMC may have mandatory notification requirements triggered by the incident.
The Human Factor Is Your Greatest Risk and Greatest Defense
Social engineering will continue to evolve. AI will make attacks more convincing. New communication channels will create new attack vectors. The fundamental vulnerability, our human tendency to trust, help, and comply, will remain constant.
But that same human element is also your greatest defense. Employees who understand social engineering, who have practiced recognizing it, and who work in a culture that rewards healthy skepticism, are remarkably effective at stopping attacks that no technology would catch.
At Petronella Technology Group, we help businesses throughout the Raleigh area and across the country build comprehensive defenses against social engineering. That includes technical controls, awareness training programs, policy development, and managed security services that catch what humans miss. With more than two decades of experience, including Craig Petronella's work as an expert witness analyzing how social engineering breaches unfold in legal proceedings, we bring a perspective that goes beyond theory into the reality of how these attacks succeed and how to stop them.
If you want to assess your organization's vulnerability to social engineering, contact us to discuss a security awareness assessment and training program.