
Social engineering: psychological manipulation tactics in IT security

Social Engineering Explained: Pretexting, Baiting, Tailgating, Quid pro Quo—all types of attacks, the psychological tactics behind them, and effective countermeasures.


Even the world’s strongest firewall is useless if an attacker simply picks up the phone and asks an employee to bypass it. Social engineering exploits human psychology rather than technical vulnerabilities—and is therefore often more effective than any exploit.

What is social engineering?

Social engineering refers to the use of psychological manipulation techniques to get people to disclose information, perform actions, or grant access—without the victim realizing they are being manipulated.

The attacker Kevin Mitnick, once the most wanted hacker in the U.S., described it this way: "The easiest way into a secure network isn’t through the back door—it’s through the front door, if you know how to ask."

Social engineering is not a cyber-specific problem:

  • Scams ("grandparent scam") have existed for decades
  • Impostors and con artists operate using the same psychological principles
  • Industrial espionage has utilized social manipulation since the Industrial Revolution

In the cybersecurity context, social engineering is the starting point for:

  • Phishing campaigns of all kinds
  • BEC (Business Email Compromise)
  • Insider threat activation
  • Physical security bypasses
  • Credential harvesting

The psychological levers

Social engineers exploit fundamental human traits. Cialdini’s principles of persuasion serve as the foundational model:

1. Authority

People follow instructions from authority figures almost automatically—especially in hierarchical corporate structures:

  • "This is IT Security—we need your password to fix a critical error"
  • Email seemingly from the CEO: "Transfer €50,000 immediately for a confidential transaction"
  • Fake police officer or agency in a phishing context

Protection: Verify identity via an independent channel. Call back using the official number. No legitimate company asks for passwords over the phone.

2. Urgency/Scarcity

Time pressure shuts down critical thinking:

  • "You must act NOW, or your account will be locked"
  • "The server will go offline in 10 minutes—I need admin access immediately"
  • Deadline manipulation in BEC attacks

Protection: Pause and think. Unexpected urgency is always suspicious. Define processes that are followed even under pressure.

3. Liking

We help people we like or feel connected to:

  • An attacker researches LinkedIn and finds common interests
  • "I’ve worked with your colleague Thomas..."
  • Faking commonalities (same university, same hometown)

4. Social Proof

"Everyone else is doing it too":

  • "Your colleagues have already installed the security update—you should too..."
  • "The rest of the team has already granted us access..."

5. Reciprocity

People feel obligated to return favors:

  • The attacker first "helps" the victim with a small problem
  • Then the reward (access, information) is demanded
  • Baiting: USB drives as "gifts" at conferences

6. Consistency/Commitment

People want to be consistent with their previous statements and actions:

  • Small agreements lead to larger concessions (foot-in-the-door)
  • "You did confirm that...? Then it only follows that..."

Social Engineering Attack Variants

Pretexting

Pretexting is the creation of a false scenario (pretext) to obtain information. Attackers assume a role:

  • IT technician: "We’re currently conducting a security audit—can you quickly confirm your username?"
  • New employee: Calls HR and tricks them into revealing company information
  • Supplier/service provider: Demands access to rooms under the guise of a fake service request
  • Journalist/Analyst: Obtains information under the guise of research

Preparation: Professional social engineers spend more time on research (OSINT) than on the actual attack. LinkedIn, Xing, company websites, press releases, and job postings provide the raw material.

Baiting

Baiting exploits human curiosity or greed:

  • USB drop: Prepared USB drives are left in parking lots, cafeterias, or at conferences, labeled "2025 Salary Schedule" or "Confidential: HR Documents." Studies show that 48% of dropped USB drives end up being plugged in.
  • Fake software download: "Free tool – download now" contains malware
  • Lottery win: Too good to be true, but people often click anyway

Tailgating / Piggybacking

Physical social engineering: An attacker follows an authorized person through a secured door without having their own access:

  • Holding coffee or packages → Employee holds the door open out of courtesy
  • Wearing work clothes or a company vest → Is not questioned
  • Enters the building with groups of people at lunchtime

Particularly at risk: Data centers, server rooms, production areas with sensitive machinery.

Quid pro Quo

"Something for something" – the attacker appears to offer something in return:

  • Systematically calls through the company directory using an "IT support" story
  • Offers to help with a problem
  • Asks for credentials "for verification"
  • Claims the problem has been resolved—and has gained access

Vishing (Voice Phishing)

Social engineering attack via telephone—already covered in the phishing article, but focusing on the social component:

  • Maintaining a natural flow of conversation
  • Using internal jargon and abbreviations
  • Exploiting helpfulness and reluctance to embarrass someone

Deepfake Social Engineering

New and particularly dangerous: AI-generated voices and videos:

  • Deepfake call with a simulated CEO’s voice: $25 million in damages at a financial firm (2024, Hong Kong)
  • Video call with fake individuals (several confirmed incidents in 2024)
  • Voice cloning from just a few seconds of publicly available audio

Social Engineering in Red Teaming

Social engineering is an essential part of a red team engagement:

Typical scenarios:

  1. Phishing campaign targeting selected employees
  2. Vishing: Call to the help desk requesting a password reset
  3. Physical break-in attempt using a fake service ID
  4. USB drop on company premises

Legal requirement: Clear written authorization with a precisely defined scope. Social engineering without authorization is a criminal offense (computer fraud, trespassing).

Countermeasures

Security Awareness Training

The most important tool against social engineering is ongoing training:

  • Recognizing psychological manipulation techniques
  • Understanding processes for verifying unknown contacts
  • Reporting suspicious contact attempts without fear of consequences
  • Simulations with realistic social engineering scenarios

Realistic training scenarios:

  • Phishing simulation (email)
  • Vishing simulation (call from "IT support")
  • Physical simulation (stranger in the office without ID)

Organizational Controls

Identity Verification Procedures:

  • Callback process for unknown callers with unusual requests
  • Strict password reset processes (never over the phone without proof of identity)
  • Visitor management system with escorted access to the building

Employee Culture:

  • It is okay (and encouraged!) to approach unknown individuals
  • “I’m afraid I can’t let you through here” is not rude behavior
  • Report suspicious contacts immediately—no “it’s probably nothing”

Information Minimization:

  • Limit public company information to what is necessary
  • LinkedIn privacy settings for sensitive employees
  • No public organizational chart with responsibilities

Technical Controls

  • DMARC/SPF/DKIM: Prevents email domain spoofing
  • Caller ID validation: Be wary of displayed numbers (easy to fake)
  • Access control: Turnstiles, double doors, security personnel
  • USB port blocking: Prevents baiting attacks via USB
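As an added example (not part of the original article), a small Python checker that applies the DMARC/SPF point above to DNS TXT records: it flags a monitoring-only DMARC policy or a soft-fail SPF record and passes a hardened pair. The domains and records are constructed for the example, not real.

```python
# Constructed sample TXT records (not real domains): one weak, one hardened setup.
WEAK = {
    "example-weak.test": "v=spf1 a mx ~all",
    "_dmarc.example-weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
}
HARDENED = {
    "example.test": "v=spf1 include:_spf.mail.test -all",
    "_dmarc.example.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.test",
}

def parse_tags(record):
    """Split a 'k=v; k=v' style DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(record):
    """Return a list of weaknesses in a DMARC record (empty list = fine)."""
    findings = []
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["no valid DMARC record"]
    policy = t.get("p", "")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy or 'missing'}: spoofed mail is only monitored, not blocked")
    if "sp" in t and t["sp"] not in ("quarantine", "reject"):
        findings.append(f"sp={t['sp']}: subdomains can still be spoofed")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']}: policy applied to only part of the mail flow")
    if "rua" not in t:
        findings.append("no rua: aggregate reports are not collected")
    return findings

def check_spf(record):
    """Return a list of weaknesses in an SPF record (empty list = fine)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    last = terms[-1].lower()
    if last != "-all":
        return [f"ends with {last}: unauthorised senders are not hard-failed"]
    return []

def audit(domain, txt):
    """Combine SPF and DMARC findings for a domain from a dict of TXT records."""
    return check_spf(txt[domain]) + check_dmarc(txt["_dmarc." + domain])
```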

Insider Threats and Social Engineering

Social engineering can also be used to turn legitimate employees into insiders:

  • Compromise: Employees are pressured (blackmail, bribery)
  • Recruitment: Competitors or state actors specifically target employees
  • Ideological Conviction: Activists or politically motivated individuals

Social engineering is the entry point here—the actual risk is the compromised insider with legitimate system access.

Conclusion

Social engineering demonstrates why cybersecurity is never solely a technical problem. Attackers take the path of least resistance—and that is often the human element. A holistic security approach combines technical controls with a strong security culture: employees who are aware of psychological manipulation techniques, understand processes, and feel confident reporting suspicious activity.



About the Author

Vincent Heinen

Head of Offensive Services

M.Sc. in IT Security with more than 5 years of experience in offensive security analysis. Leads the execution of penetration tests, specializing in web applications, network infrastructure, reverse engineering and hardware security. Responsible for several responsible disclosures.

OSCP+ OSCP OSWP OSWA
This article was last edited on 03.03.2026. Responsible: Vincent Heinen, Head of Offensive Services at AWARE7 GmbH. License: CC BY 4.0 - free use with attribution: "AWARE7 GmbH, https://a7.de"
