Ransomware Defenders
Cybersecurity Glossary

Social Engineering

Manipulation techniques that exploit human psychology (trust, fear, urgency, curiosity, and helpfulness) to trick people into revealing information, granting access, or performing actions that compromise security.

Understanding Social Engineering

Social engineering is the art of manipulating people into taking actions that serve the attacker's objectives. Unlike technical attacks that exploit software vulnerabilities, social engineering exploits human psychology — our natural tendencies to trust authority, respond to urgency, help others, and follow social norms. It encompasses a wide range of techniques including phishing (email), vishing (voice/phone), smishing (SMS), pretexting (creating a fabricated scenario), baiting (leaving infected USB drives), and tailgating (physically following authorized personnel into secure areas).

In the ransomware kill chain, social engineering is the primary initial access method. Attackers may call IT helpdesks impersonating employees to get passwords reset, send targeted phishing emails with fake invoice approvals to finance teams, or contact employees while posing as IT support and persuade them to install remote access tools. The sophistication of social engineering attacks has increased dramatically with AI-generated voice cloning, deepfake video calls, and large language models crafting personalized phishing emails at scale.

Defense Through Awareness

Defending against social engineering requires a combination of technical controls (email filtering, MFA, conditional access) and human controls (security awareness training, phishing simulations, verification procedures). The most effective organizations build a security culture where questioning unusual requests is encouraged, reporting suspicious communications is rewarded, and verification procedures for sensitive actions (wire transfers, password resets, software installations) are mandatory and consistently followed.
