EXPLAINER

The role of social engineering in cybersecurity breaches

Social engineering contributes to cybersecurity breaches by manipulating people into taking actions that help an attacker, such as revealing credentials, approving access, opening malicious files, changing payment details or bypassing normal processes.

The most effective defence is not to blame users. Organisations need layered controls, including stronger identity, email authentication, reporting routes, verification processes, least privilege, monitoring and a culture where people report mistakes quickly.

What is social engineering?

Social engineering is the use of manipulation to make people do something that helps an attacker. In cybersecurity, that often means tricking someone into clicking a link, entering credentials, opening an attachment, approving a login, sharing information, transferring money or changing a process.

Phishing is the best-known form of social engineering, but it is not the only one. Social engineering can happen through email, phone calls, text messages, collaboration platforms, social media, fake support requests, supplier impersonation or even in-person interaction. The method changes, but the underlying principle is the same: the attacker uses context, pressure and trust to create a believable reason for the victim to act.

This is why social engineering is so persistent. It does not always need to defeat a technical control directly. It can work around it by persuading someone with legitimate access to open the door.

How social engineering leads to breaches

Social engineering often plays a role at the start of an incident. An attacker may send a convincing email that captures credentials, use a fake login page, persuade a helpdesk to reset access, impersonate a supplier, or trick someone into running malware. Once inside, the attacker may use legitimate accounts and normal tools, making detection harder.

Credential theft is one of the clearest examples. If an attacker obtains valid login details, they may not need to exploit a technical vulnerability immediately. They can sign in, explore systems, search for sensitive information, create persistence, or attempt to escalate privileges. If multi-factor authentication is weak or poorly implemented, the attacker may also use push fatigue, session theft or helpdesk manipulation to get around it.
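Two of the patterns above, MFA push fatigue and a stolen credential being used from somewhere the real user is not, leave recognisable traces in sign-in telemetry. The following is an added example, not code from the original article, showing the detection logic a defender would run over such logs; it also illustrates the "unusual sign-ins" and "impossible travel" monitoring listed later on this page. The event schema, the sample events, the 10-minute window, the 5-prompt threshold and the 900 km/h speed limit are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in telemetry (not from any real system). The event
# names are an assumed schema; IPs come from documentation ranges; "geo" is the
# approximate (lat, lon) that the source IP resolved to.
SAMPLE_EVENTS = [
    # alice: six push prompts in six minutes, the last one approved, then a
    # sign-in: the trace an MFA push-fatigue attempt leaves behind.
    {"ts": "2024-05-01T02:00:00", "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T02:01:00", "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T02:02:00", "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T02:03:00", "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T02:04:00", "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T02:05:00", "user": "alice", "event": "mfa_push_sent", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T02:05:30", "user": "alice", "event": "mfa_push_approved", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T02:05:35", "user": "alice", "event": "login_success", "ip": "203.0.113.7", "geo": (48.86, 2.35)},
    # bob: a sign-in from London, then one from New York 40 minutes later.
    {"ts": "2024-05-01T09:00:00", "user": "bob", "event": "login_success", "ip": "198.51.100.4", "geo": (51.5074, -0.1278)},
    {"ts": "2024-05-01T09:40:00", "user": "bob", "event": "login_success", "ip": "203.0.113.99", "geo": (40.7128, -74.0060)},
    # carol: London then Manchester three hours apart, a plausible journey.
    {"ts": "2024-05-01T09:00:00", "user": "carol", "event": "login_success", "ip": "198.51.100.4", "geo": (51.5074, -0.1278)},
    {"ts": "2024-05-01T12:00:00", "user": "carol", "event": "login_success", "ip": "198.51.100.77", "geo": (53.4808, -2.2426)},
    # dave: one prompt, approved promptly; normal behaviour.
    {"ts": "2024-05-01T10:00:00", "user": "dave", "event": "mfa_push_sent", "ip": "198.51.100.12"},
    {"ts": "2024-05-01T10:00:15", "user": "dave", "event": "mfa_push_approved", "ip": "198.51.100.12"},
    {"ts": "2024-05-01T10:00:18", "user": "dave", "event": "login_success", "ip": "198.51.100.12", "geo": (51.5074, -0.1278)},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _parsed(events):
    """Copy events with ISO timestamps parsed, sorted by time."""
    out = [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]
    return sorted(out, key=lambda e: e["ts"])


def detect_push_fatigue(events, window=timedelta(minutes=10), min_prompts=5):
    """Flag users who received min_prompts or more push prompts inside one window.

    approved_in_window records whether a prompt was finally approved during the
    burst, which is what turns a nuisance into a successful MFA bypass.
    """
    by_user = defaultdict(list)
    for e in _parsed(events):
        if e["event"].startswith("mfa_push_"):
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        prompts = [e for e in evs if e["event"] == "mfa_push_sent"]
        for i, first in enumerate(prompts):          # sliding window over prompts
            end = first["ts"] + window
            burst = [p for p in prompts[i:] if p["ts"] <= end]
            if len(burst) >= min_prompts:
                approved = any(e["event"] == "mfa_push_approved"
                               and first["ts"] <= e["ts"] <= end for e in evs)
                findings.append({"user": user, "prompts": len(burst),
                                 "start": first["ts"], "approved_in_window": approved})
                break                                  # one alert per user is enough
    return findings


def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins that would require implausible speed."""
    by_user = defaultdict(list)
    for e in _parsed(events):
        if e["event"] == "login_success" and "geo" in e:
            by_user[e["user"]].append(e)
    findings = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(*prev["geo"], *cur["geo"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            # Two distant sign-ins in the same second are impossible, not a divide-by-zero.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_speed_kmh:
                findings.append({"user": user, "km": round(km), "speed_kmh": round(speed),
                                 "from_ip": prev["ip"], "to_ip": cur["ip"]})
    return findings


if __name__ == "__main__":
    for finding in detect_push_fatigue(SAMPLE_EVENTS) + detect_impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

Run as written, the script flags alice for the prompt burst that ended in an approval and bob for a London-to-New York jump at several thousand km/h, while carol's London-to-Manchester trip and dave's single prompt stay quiet. In practice the two detections are most useful combined with the helpdesk-reset and privilege-change events the article mentions, so that the alert carries the whole chain rather than one step.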

Business email compromise and payment fraud show another route. In these cases, the attacker may not need malware at all. They exploit relationships and business processes, using convincing messages to request bank detail changes, urgent payments, invoice approval or document access. The breach is not only technical. It is procedural.

Why social engineering works

Social engineering works because it fits around normal work. People are expected to read messages, open documents, join calls, approve requests and respond quickly. Attackers exploit that reality. They use urgency, authority, familiarity, fear, curiosity and routine business pressure.

A badly written scam email is easy to laugh at. A targeted message based on a real project, a real supplier, a real executive and a real deadline is much harder to judge. Attackers can gather information from websites, LinkedIn, procurement notices, press releases, out-of-office messages and breached data. The more context they have, the more natural the request can appear.

AI has added another layer by making it easier to create polished messages, translate content, personalise lures and produce convincing impersonation material at scale. That does not mean every social engineering attack is sophisticated. Many are not. But it does mean organisations should avoid relying on spelling mistakes and clumsy wording as their main warning signs.

Why blaming users does not work

Many organisations still frame social engineering as a user awareness problem. Training has a place, but it is not a complete defence. No employee can scrutinise every message with the intensity of a forensic investigation and still do their job. Some malicious messages will get through, and some people will click.

A more mature approach is to assume that people will sometimes make mistakes and design controls around that reality. That means making it harder for malicious messages to reach users, easier for people to report suspicious activity, harder for a click to become a major incident, and faster for the organisation to respond when something happens.

This also means treating reporting as a positive signal. If people fear blame, embarrassment or punishment, they may delay reporting. In a real incident, delay helps the attacker. A healthy reporting culture is not soft. It is operationally useful.

How to reduce social engineering risk

Reducing social engineering risk requires layered controls. No single measure is enough, but together they make attacks harder to deliver, harder to exploit and easier to contain.

  • Use email authentication controls such as SPF, DKIM and DMARC to reduce domain spoofing.
  • Apply strong multi-factor authentication or passkeys, especially for privileged and remote access.
  • Limit privileges so one compromised account cannot reach more than it needs to.
  • Create simple, well-publicised reporting routes for suspicious messages and mistakes.
  • Use secure verification processes for payment changes, sensitive data requests and account resets.
  • Monitor for unusual sign-ins, impossible travel, privilege changes and abnormal data access.
  • Reduce unnecessary public information that attackers can use to personalise attacks.
  • Run training that helps people understand tactics without shaming them for mistakes.
  • Prepare incident response playbooks for credential compromise, phishing and business email compromise.
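The first control in the list, email authentication, is only as good as the policy published in DNS: an SPF record ending in `?all` or a DMARC record with `p=none` reports spoofing but does nothing to stop it. The following is an added example, not code from the original article, that parses SPF and DMARC TXT records and reports the settings that leave a domain spoofable, with a weak pair of records beside a hardened pair. The records are constructed strings for `example.com` rather than live DNS answers; a real check would fetch the TXT record for the domain (SPF) and for `_dmarc.<domain>` (DMARC) and pass it to the same functions.

```python
# Constructed DNS TXT records, not fetched from DNS. example.com is a placeholder.
WEAK_SPF = "v=spf1 include:_spf.example.net ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_SPF = "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@example.com")


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses; an empty list means enforcement is in place."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag: receivers have no policy to apply")
    elif policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    if "sp" not in tags and policy != "reject":
        findings.append("no sp= tag: subdomains inherit the weak policy")
    pct = tags.get("pct", "100")                 # DMARC default is 100
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail flow")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports, so spoofing goes unseen")
    for tag in ("adkim", "aspf"):                # alignment defaults to relaxed
        if tags.get(tag, "r") != "s":
            findings.append(f"note: {tag} relaxed, any subdomain of the organisational domain aligns")
    return findings


def assess_spf(record):
    """Return weaknesses in an SPF record, centred on its terminal 'all' mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # no qualifier means pass
        if qualifier == "+":
            findings.append("+all: every sender passes SPF, so the record protects nothing")
        elif qualifier == "?":
            findings.append("?all: unlisted senders get a neutral result, so nothing fails")
        elif qualifier == "~":
            findings.append("~all: softfail only, receivers may still deliver")
        if len(all_terms) > 1 or terms[-1] != last:
            findings.append("mechanisms after 'all' are never evaluated")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, "SPF:", assess_spf(spf) or "ok")
        print(label, "DMARC:", assess_dmarc(dmarc) or "ok")
```

The weak pair produces findings for `?all` and `p=none`; the hardened pair produces none. Moving from `p=none` to `p=reject` should be done only after reading the aggregate reports that `rua=` delivers, because the same policy that blocks spoofed mail also blocks legitimate senders the organisation forgot to list, which is why the check treats a missing `rua=` as a weakness in its own right.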

The goal is resilience rather than perfection. Social engineering cannot be eliminated, but its impact can be reduced. The strongest organisations make it difficult for attackers to succeed even when a message looks convincing.


FAQs

Yes. Phishing is a form of social engineering that uses messages, links or attachments to trick people into revealing information, opening malware or taking unsafe actions.

It can bypass controls by persuading someone with legitimate access to act on the attacker’s behalf, such as approving a login, sharing credentials or changing payment details.

Companies should use layered controls: email authentication, strong identity, least privilege, reporting routes, monitoring, verification processes, awareness training and incident response planning.