Social Engineering Tactics and Defenses
How attackers exploit human psychology to bypass technical controls, the most common social engineering techniques, and how to build resilience.
Social engineering is the manipulation of people into performing actions or divulging confidential information. It exploits human psychology, specifically trust, urgency, fear, and helpfulness, rather than technical vulnerabilities. No firewall, encryption, or endpoint protection can prevent a user from voluntarily handing their credentials to an attacker who asks convincingly.
Social engineering is involved in the majority of successful breaches. Verizon's Data Breach Investigations Report consistently shows that the human element is a factor in over 70% of incidents.
Authority: People comply with requests from perceived authority figures. An email appearing to come from the CEO requesting an urgent wire transfer bypasses normal approval processes because employees hesitate to question leadership.
Urgency: Time pressure overrides careful thinking. "Your account will be locked in 30 minutes unless you verify your credentials" pushes people to act before they assess.
Reciprocity: If someone does something for you, you feel obligated to return the favor. An attacker might provide helpful information before asking for access or credentials.
Social proof: People follow the behavior of others. "Your colleagues have already completed this verification step" makes the request feel normal and safe.
Familiarity and liking: People are more likely to comply with requests from someone they know or like. Attackers build rapport before making their actual request.
Phishing uses fraudulent emails to trick recipients into clicking malicious links, downloading malware, or entering credentials on fake login pages. Spear phishing targets specific individuals with personalized content drawn from social media, company websites, or previous breaches.
Vishing (voice phishing) uses phone calls. An attacker might call posing as IT support, asking the user to "verify" their password or install remote access software for "troubleshooting."
Smishing uses SMS text messages with malicious links, often impersonating delivery services, banks, or government agencies.
Pretexting involves creating a fabricated scenario (pretext) to engage the target. The attacker might pose as a vendor, auditor, new employee, or building maintenance worker to gain access to systems or physical spaces.
Baiting offers something enticing, like a USB drive labeled "Salary Information Q4" left in a parking lot. When curiosity drives someone to plug it in, it installs malware.
Tailgating is a physical technique where an attacker follows an authorized person through a secured door without presenting their own credentials.
Security awareness training is necessary but insufficient on its own. Training should be ongoing, not annual, and should use realistic examples. Simulated phishing campaigns help employees practice identifying attacks in a safe environment. Focus on building the reflex to pause and verify rather than memorizing specific indicators.
Verification procedures are more effective than training alone. Establish out-of-band verification for sensitive requests: if someone calls claiming to be from IT, the employee hangs up and calls IT through the company directory. If an email requests a wire transfer, the employee confirms via a separate communication channel.
Reduce information exposure. The less attackers know about your organization, the harder it is to craft convincing pretexts. Review what your company website, social media, and public filings reveal about internal processes, org charts, and technology stack.
Technical controls complement human defenses. Email filtering, link scanning, MFA (which renders stolen passwords useless without the second factor), and conditional access policies all reduce the success rate of social engineering even when a user falls for it.
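As an added example (not part of the original article), the following Python script shows the kind of heuristic an email filter can apply to the authority-plus-urgency pretext described above: it parses a message and flags an executive display name on an outside address, a lookalike sender domain, a Reply-To that diverts the conversation, and urgency or payment language. The organisation profile and both sample messages are constructed assumptions.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed organisation profile (constructed for this example).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john roe"}          # display names an impersonator would borrow
URGENCY_TERMS = ("urgent", "immediately", "within 30 minutes", "before end of day", "locked")
FINANCIAL_TERMS = ("wire transfer", "gift card", "invoice", "payment")

def analyze(raw_message: str) -> dict:
    """Score one RFC 5322 message; each matched indicator adds one point."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    indicators = []
    # Authority lever: a known executive's display name on an address outside the company.
    if from_name.lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        indicators.append("executive display name on external domain")
    # Familiarity lever: a domain that merely contains the company name (example-corp.com).
    if from_domain != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in from_domain:
        indicators.append("lookalike sender domain")
    # A Reply-To elsewhere silently redirects the victim's answer to the attacker.
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        indicators.append("reply-to domain differs from sender domain")
    # Urgency and money: the two levers the CEO wire-transfer pretext relies on.
    if any(term in text for term in URGENCY_TERMS):
        indicators.append("urgency language")
    if any(term in text for term in FINANCIAL_TERMS):
        indicators.append("financial request")
    return {"from": from_addr, "indicators": indicators, "score": len(indicators)}

# Constructed sample messages, not real traffic.
CEO_FRAUD = """\
From: Jane Doe <jane.doe@example-corp.com>
Reply-To: jdoe.ceo@gmail.com
Subject: Urgent wire transfer

I'm in a meeting and can't talk. Process the attached invoice immediately, I'll explain later.
"""

ROUTINE = """\
From: Bob Smith <bob.smith@example.com>
Subject: Lunch on Thursday

Shall we try the new place on the corner?
"""
```

A score like this is a triage signal for quarantine or a banner, not a verdict; the out-of-band confirmation described above still decides whether the transfer happens.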
Eliminate blame culture. Employees who report suspicious interactions, even after falling for them, provide critical intelligence. If reporting leads to punishment, people stay silent and incidents go undetected.
Written by CDA Wiki Team