Social engineering: how scammers manipulate people
Social engineering is the manipulation of people to make them perform an action or reveal information. It is the umbrella term for attacks where the target is the human: phishing, vishing, smishing, CEO fraud. Scammers use authority, urgency, fear, trust, reciprocity and curiosity — recognising the manipulation pattern itself protects you from any form.
In all of these attacks the target is the human, not the technology. Understanding the tactics themselves is useful, because then you recognise not one specific email but the manipulation pattern itself, whatever form it takes.
Six core influence tactics
- Authority: impersonating an executive, bank or institution so that we do not ask questions or check.
- Urgency: "by today", "final warning" — so there is no time to think.
- Fear: a threat of a fine, account blocking or trouble at work.
- Trust and sympathy: impersonating an acquaintance, colleague or someone asking for help.
- Reciprocity: first "helping" or giving something small, so you feel indebted.
- Curiosity and greed: prizes, "confidential" information, unexpected bonuses.
What an attack looks like in practice
A serious social-engineering attack often combines several channels. For example, the attacker learns the company structure from social media, then sends an email supposedly from an executive, and soon calls to "confirm". Each step alone looks convincing, and together they create pressure that is hard to resist without preparation.
How to recognise manipulation
- Ask yourself: why act right now and without the usual checks?
- Be suspicious when a request bypasses normal procedures ("just this once", "do not tell anyone").
- Notice strong emotions — fear, urgency, curiosity; that is a signal to pause.
- Verify the request through another channel, especially when money or access is involved.
How to protect your team
Antivirus does not protect against social engineering — an understanding team and clear processes that are followed even under pressure do. The key is to create a culture where asking and double-checking is normal and encouraged, not a nuisance. Regular simulations that imitate real tactics train exactly this reflex — Opsinel runs them and shows a short lesson right after a mistake.
Frequently asked questions
How is social engineering different from phishing?
Social engineering is the broad term for manipulating people, while phishing is one of its forms via email. Vishing, smishing and CEO fraud also belong to social engineering.
Why do even smart people get caught?
Because attacks target emotions and habits — urgency, authority, fear — not logic. Under time pressure critical thinking weakens, so it helps to have a pre-established habit of pausing.
How does a team protect itself?
Combine clear processes (confirmation through another channel) with regular training and simulations, so the recognition skill stays alive rather than fading after a one-off session.
What are examples of social engineering?
A phishing email supposedly from a bank, a call from "IT support" (vishing), an SMS about a parcel (smishing), an urgent executive request to transfer money (CEO fraud) and a fake QR code (quishing).
Does social engineering always happen online?
No. It can happen by phone, in person or even physically — for example, by posing as a courier or contractor to get into premises. The common thread is that a person is manipulated.