In plain English
Social engineering attacks target people, not technology. Phishing, vishing, smishing, pretexting, and tailgating are all forms of social engineering. Because they exploit human instincts — trust, authority, fear, urgency — they are often more effective than technical attacks, and no amount of patching will stop them. Security awareness training and robust verification processes are the primary defences.
Full definition
Most successful breaches do not start with a exploit. They start with a phone call, an email, or a conversation in a car park. Social engineering is the practice of manipulating people into doing something they otherwise would not: resetting a password, wiring funds, or granting remote access to someone who sounds authoritative.
The tactics follow predictable patterns. Urgency pushes people to act before thinking ('your account will be suspended in two hours'). Authority stops people questioning the request ('I'm calling from Microsoft support'). Familiarity builds false trust by referencing real names or recent events pulled from LinkedIn or a company website. Attackers mix these together and adapt in real time based on how the target responds.
Technical controls cannot block a determined social engineer who gets a staff member on the phone. The only practical defence is training people to recognise the patterns, slow down, and verify through a separate channel. At IronSights, our covers these scenarios with real examples. An employee who has seen the playbook once is far harder to manipulate than one who has only read a policy document.
