1. What is social engineering?
Social engineering is the art of hacking humans. Instead of breaking into a system, the attacker manipulates a person into handing over what they want — credentials, money, a code, a badge. It is by far the most common initial access technique in modern breaches: cheap, fast, and immune to most technical defences. The best firewall in the world does nothing if your accountant is tricked into wiring funds to a fake supplier.
74% of breaches involve a human element (Verizon DBIR)
$4.88M average cost of a data breach in 2024
6 Cialdini principles exploited by attackers
2. The six levers attackers pull
Authority — "This is the CEO speaking"
People obey uniforms, titles and email signatures. CEO fraud and IT-helpdesk impersonation exploit this daily.
Urgency — "Before 5pm or the deal is off"
Artificial deadlines short-circuit the slow, careful side of your brain. If you feel rushed, that itself is a red flag.
Reciprocity — "I did you a favour, now…"
A free USB stick, a coffee, a helpful hand — then a small request that feels rude to refuse.
Social proof — "Everyone else on your team already did it"
If it sounds normal and others have complied, you probably will too.
Scarcity — "Only 3 spots left"
Fear of missing out overrides careful verification.
Liking — "We went to the same school"
Rapport building via shared interests lowers your guard.
Parse a suspicious email on mlab.sh
Use the mlab.sh EML parser to inspect headers, authentication results and embedded links before clicking.
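The three checks that paragraph names (headers, authentication results, embedded links) can be scripted with nothing but the Python standard library. The script below is an added example for this page, not the mlab.sh EML parser and not code from the original; it runs on a constructed sample message whose addresses, domains and links are invented. It flags a Reply-To that points somewhere other than the sender's domain, any SPF/DKIM/DMARC verdict that is not "pass", and anchor tags whose visible text names a different host than the real href.

```python
"""Triage a suspicious .eml: headers, authentication results, embedded links.

Added example for illustration only; not the mlab.sh tool. The sample
message and every domain in it are constructed, not real."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed BEC-style sample: lookalike sender domain, mismatched Reply-To,
# failed SPF/DKIM/DMARC and a link whose text lies about its destination.
SAMPLE_EML = """\
From: "CEO" <ceo@examp1e-corp.com>
Reply-To: ceo.urgent@mail-relay.example
To: finance@example-corp.com
Subject: URGENT wire before 5pm
Authentication-Results: mx.example-corp.com;
 spf=fail smtp.mailfrom=examp1e-corp.com;
 dkim=none;
 dmarc=fail header.from=examp1e-corp.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Pay the new supplier now, details at
<a href="http://portal.examp1e-corp.com/pay">https://portal.example-corp.com/pay</a></p>
</body></html>
"""

_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr_or_url):
    """Lowercase host part of an email address or URL ('' if none)."""
    if "@" in addr_or_url:
        return addr_or_url.rsplit("@", 1)[1].lower()
    host = urlparse(addr_or_url).hostname
    return host.lower() if host else ""


def auth_results(msg):
    """Map spf/dkim/dmarc -> verdict from all Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in _AUTH_RE.findall(str(hdr)):
            results[mech.lower()] = verdict.lower()
    return results


def triage(raw_eml):
    """Return sender, auth verdicts, links and a list of human-readable findings."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = []
    from_addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    from_domain = _domain(from_addr)

    # Header check: replies silently diverted to another domain.
    if msg["Reply-To"]:
        rt_domain = _domain(msg["Reply-To"].addresses[0].addr_spec)
        if rt_domain != from_domain:
            findings.append(f"reply-to domain {rt_domain} differs from sender {from_domain}")

    # Authentication check: anything other than an explicit pass is suspicious.
    auth = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech, "none") != "pass":
            findings.append(f"{mech} did not pass ({auth.get(mech, 'missing')})")

    # Link check: visible URL text naming a different host than the real href.
    body = msg.get_body(preferencelist=("html", "plain"))
    links = []
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        links = collector.links
    for href, text in links:
        if text.startswith(("http://", "https://")) and _domain(text) != _domain(href):
            findings.append(f"link text shows {_domain(text)} but points to {_domain(href)}")

    return {"from": from_addr, "auth": auth, "links": links, "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML)["findings"]:
        print("!", finding)
```

Run against the constructed sample, the script reports five findings: the diverted Reply-To, three failed or absent authentication verdicts, and the link whose text names the legitimate portal while the href points at the lookalike domain. None of these checks prove an email is malicious on their own; they are the triage signals a reader should look at before clicking.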
Open EML parser

3. Common scenarios
CEO fraud / BEC
A "CEO" emails finance asking for an urgent wire transfer to a new supplier. Costs companies billions every year.
IT helpdesk impersonation
"Hi, I'm from IT — we detected suspicious activity on your account, can you read me the code you just received?"
Tailgating
A friendly person with hands full asks you to hold the door to a secure area. You do, out of politeness.
Fake recruiter
A LinkedIn recruiter with a dream job sends you a "skills assessment" that contains malware.
Social engineering FAQ
Is phishing the same as social engineering?
Phishing is a specific channel (email/SMS). Social engineering is the broader category covering phone, in-person and web-based manipulation.
How do I train myself to spot it?
Build one habit: when an urgent ask makes you feel stressed, stop and verify through a second channel — phone a known number, walk to the colleague's desk. Urgency is the tell.
Can AI voice cloning make vishing worse?
Yes. Attackers now clone a boss's voice from a few seconds of LinkedIn video to authorise fake wire transfers.
Related Modules
Recognizing a phishing link
Techniques for detecting fraudulent URLs that mimic legitimate websites.
Smishing and vishing explained
SMS phishing (smishing) and voice phishing (vishing): the phone-based scams that bypass your spam filter.
Analyzing a suspicious email
Dissecting email headers to identify phishing and spoofing attempts.
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/social-engineering
Module: What is social engineering? — Phishing & Social Engineering
Disclaimer: This content is for awareness purposes only.