Social Engineering: Definition and Compliance Guide

Social Engineering

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. In cybersecurity, it exploits human trust, authority, urgency, and helpfulness rather than technical vulnerabilities.

cybersecurityhuman factormanipulationawarenesssecurity training

Why It Matters

Technical security controls can stop most automated attacks, but they cannot protect against an employee who willingly hands over credentials or transfers money because they believe they're following instructions from their CEO. Social engineering is responsible for the majority of successful cyberattacks because it targets human psychology — trust, fear, urgency, and desire to help.

Common Techniques

Phishing — fraudulent emails that impersonate trusted entities (the most common form)
Pretexting — creating a fabricated scenario to extract information ("I'm from IT support, I need your password to fix your account")
Baiting — leaving infected USB drives in parking lots or offering free downloads
Tailgating/piggybacking — following an authorized person through a secured door
Quid pro quo — offering something (tech support, a prize) in exchange for information
Business Email Compromise (BEC) — impersonating a CEO or CFO to authorize wire transfers
Vishing — voice-based social engineering over phone calls
Watering hole attacks — compromising websites frequently visited by the target group

Psychological Principles Exploited

Social engineers exploit well-documented psychological triggers:

Authority — people comply with requests from perceived authority figures
Urgency — time pressure reduces critical thinking
Social proof — "everyone else has done this already"
Reciprocity — offering help first to create a sense of obligation
Fear — threats of account suspension, legal action, or job loss
Helpfulness — exploiting people's desire to assist

Real-World Impact

Business Email Compromise caused over $2.7 billion in losses in 2022 (FBI IC3)
The Twitter hack (2020) was executed entirely through social engineering — attackers called employees posing as IT support
RSA breach (2011) began with a phishing email containing a malicious Excel attachment

Prevention

Regular security awareness training — not just annual, but continuous with simulated attacks
Verification procedures — always verify unusual requests through a separate channel
Culture of healthy skepticism — make it safe to question and report suspicious requests
Technical controls — email filtering, MFA, call-back procedures for financial transfers
Physical security — badge access, visitor management, clean desk policy
Incident reporting — easy, blame-free reporting channels for suspicious activity

Social Engineering

cybersecurityhuman factormanipulationawarenesssecurity training

Why It Matters

Common Techniques

Phishing — fraudulent emails that impersonate trusted entities (the most common form)
Pretexting — creating a fabricated scenario to extract information ("I'm from IT support, I need your password to fix your account")
Baiting — leaving infected USB drives in parking lots or offering free downloads
Tailgating/piggybacking — following an authorized person through a secured door
Quid pro quo — offering something (tech support, a prize) in exchange for information
Business Email Compromise (BEC) — impersonating a CEO or CFO to authorize wire transfers
Vishing — voice-based social engineering over phone calls
Watering hole attacks — compromising websites frequently visited by the target group

Psychological Principles Exploited

Social engineers exploit well-documented psychological triggers:

Authority — people comply with requests from perceived authority figures
Urgency — time pressure reduces critical thinking
Social proof — "everyone else has done this already"
Reciprocity — offering help first to create a sense of obligation
Fear — threats of account suspension, legal action, or job loss
Helpfulness — exploiting people's desire to assist

Real-World Impact

Business Email Compromise caused over $2.7 billion in losses in 2022 (FBI IC3)
The Twitter hack (2020) was executed entirely through social engineering — attackers called employees posing as IT support
RSA breach (2011) began with a phishing email containing a malicious Excel attachment

Prevention

Regular security awareness training — not just annual, but continuous with simulated attacks
Verification procedures — always verify unusual requests through a separate channel
Culture of healthy skepticism — make it safe to question and report suspicious requests
Technical controls — email filtering, MFA, call-back procedures for financial transfers
Physical security — badge access, visitor management, clean desk policy
Incident reporting — easy, blame-free reporting channels for suspicious activity

Social Engineering

Why It Matters

Common Techniques

Psychological Principles Exploited

Real-World Impact

Prevention

NIS2 Directive: Who Must Comply? The Definitive Guide to Scope, Sectors, and Obligations in 2026

Compliance Glossary: Key Terms and Definitions 2026

CISO Roles and Responsibilities: The Complete Guide for 2026

Want more than the definition?

Social Engineering

Why It Matters

Common Techniques

Psychological Principles Exploited

Real-World Impact

Prevention

NIS2 Directive: Who Must Comply? The Definitive Guide to Scope, Sectors, and Obligations in 2026

Compliance Glossary: Key Terms and Definitions 2026

CISO Roles and Responsibilities: The Complete Guide for 2026

Want more than the definition?