What is social engineering?

Choosing the right words to manipulate someone in the field of cybersecurity

CYBERSECURITY

Osama Shalhoub

8/27/2025, 3 min read

According to several statistics, humans remain the biggest security weakness within companies. Take, for example, the Sony cybersecurity incident in 2014, where massive amounts of corporate data were leaked. Among the stolen files was the movie Fury, which was released online before its official premiere. Investigations later revealed that an employee had unknowingly downloaded malware from a phishing email.

Another well-known case is the 2020 Twitter Hack, where attackers used social engineering to manipulate employees and gain access to high-profile accounts belonging to people like Elon Musk, Barack Obama, and other public figures.

Definition

If we had to give a simple definition of social engineering, without overcomplicating things or relying on technical jargon:

Social engineering is the art of manipulation, where attackers exploit human psychology to gain access to sensitive data or to push someone into taking a specific action.

How It’s Used

Social engineering is often used by penetration testers to assess how resistant a company is to attacks, but it’s also heavily exploited by cybercriminals. The core idea is always the same: play with human psychology to extract sensitive information or trick someone into making an insecure decision. The methods can range from phone calls, emails, and social media messages, to direct in-person interactions.

For example, a penetration tester might contact a new employee while pretending to be part of the IT team or even a manager, in order to collect login credentials or convince them to open a malicious attachment. New employees are frequent targets because they’re not yet fully familiar with internal procedures and are more likely to trust someone who appears legitimate.

Ironically, pentesters owe much of their work to hackers themselves. By exploiting human weaknesses to steal sensitive information, cybercriminals create the very demand for professionals who test and strengthen security systems. The Sony 2014 breach and the 2020 Twitter Hack are clear reminders of this. Without cybercriminals, pentesters would probably have far less to do.

How Does It Work?

Social engineering is rooted in psychology and human behavior. Psychologist Robert Cialdini highlighted six principles of influence that are frequently exploited: reciprocity, commitment and consistency, social proof, authority, liking, and scarcity. Let’s break down a few of them:

Reciprocity

People tend to return a favor when they receive one. Attackers might provide something small, a document, a tip, or even a gift, that creates a sense of obligation. The victim then feels compelled to “give back,” which might mean clicking a link or running malicious software.

Social Proof

This is the classic “everyone else is doing it, so I will too.” It’s widely used in phishing scams and online fraud. For example, if an attacker makes it look like thousands of people have already signed up for an offer, the victim is more likely to follow along, thinking “if others did it, it must be safe.” Fake reviews and testimonials are another way this bias is exploited.

Authority

Humans are wired to obey figures of authority, whether it’s a manager, an IT administrator, a bank, or even the police. Cybercriminals use this by sending fake emails that appear to come from a boss, IT support, or an official institution. Victims often act quickly, without double-checking details like the sender’s email domain, because the supposed authority feels legitimate.

Liking

We trust people we like, find attractive, or feel similar to. A common trick is creating a fake LinkedIn profile that appears to work in the same field as the target. The attacker might start by liking posts, then sending a friendly message such as:
“Hey, I noticed we studied the same thing! Are you also working in IT?”
Once trust is established, they can share a so-called “interesting document” that actually contains malware.

Fear of Missing Out (FOMO)

Urgency and scarcity push people into making hasty decisions. Attackers exploit this by saying things like “Your account will be blocked within 24 hours” or “The first 100 sign-ups get a bonus.” Under time pressure, the victim reacts emotionally instead of rationally, making them more likely to fall into the trap.

Scarcity

We naturally value things that seem rare or exclusive. Social engineers exploit this by presenting offers as “limited-time only” or by labeling documents as “confidential.” The illusion of scarcity makes people act fast, often before they stop to think.
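The Authority, FOMO and Scarcity sections above all describe signals a reader could check before acting: a role-based display name on an address that is not the company's, a look-alike sender domain, a Reply-To pointing elsewhere, and pressure phrases such as "blocked within 24 hours", "the first 100", "limited-time" or "confidential". The following is an added example, not code from the original article, that turns those signals into a small triage script for incoming mail. The trusted domain, the phrase list and the two sample messages are constructed for the example; a real deployment would take the domain list and phrase list from the organisation's own mail setup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (constructed value): the organisation only sends mail from this domain.
TRUSTED_DOMAINS = {"example-corp.com"}

# Urgency / scarcity phrases modelled on the article's examples.
PRESSURE_PATTERNS = [
    r"\bwithin\s+\d+\s+hours?\b",
    r"\baccount will be (?:blocked|suspended|closed)\b",
    r"\bfirst\s+\d+\s+\w+",
    r"\blimited[- ]time\b",
    r"\bconfidential\b",
    r"\b(?:urgent|immediately)\b",
]

# Role words an impersonator puts in the display name to borrow authority.
AUTHORITY_NAME = re.compile(
    r"\b(?:it support|helpdesk|it team|ceo|cfo|manager|director|security team|bank)\b",
    re.I,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as example-c0rp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw: str) -> dict:
    """Return the social-engineering indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    indicators = []

    # Authority: a role in the display name, but the address is not ours.
    if AUTHORITY_NAME.search(name) and from_domain not in TRUSTED_DOMAINS:
        indicators.append("authority_claim_from_external_domain")

    # Look-alike domain: within two edits of a trusted domain but not equal to it.
    if from_domain not in TRUSTED_DOMAINS and any(
        levenshtein(from_domain, t) <= 2 for t in TRUSTED_DOMAINS
    ):
        indicators.append("lookalike_sender_domain")

    # Reply-To steering answers to a domain other than the visible sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        indicators.append("reply_to_domain_mismatch")

    # Urgency / scarcity language in the subject or body.
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    for pat in PRESSURE_PATTERNS:
        if re.search(pat, text, re.I):
            indicators.append(f"pressure:{pat}")

    return {"from": addr, "indicators": indicators, "suspicious": len(indicators) >= 2}


# Constructed sample messages (not real mail).
PHISH = """From: IT Support <helpdesk@example-c0rp.com>
Reply-To: recover@mail-reset.example
To: newhire@example-corp.com
Subject: Action required: password reset

Your account will be blocked within 24 hours unless you confirm your password
using the attached form. This is confidential, do not forward.
"""

LEGIT = """From: Alice <alice@example-corp.com>
To: newhire@example-corp.com
Subject: Welcome pack

Hi, the onboarding slides are in the shared drive. Ping me with any questions.
"""

if __name__ == "__main__":
    for raw in (PHISH, LEGIT):
        print(score_message(raw))
```

Run as-is, the constructed phishing message collects six indicators (the authority claim, the look-alike domain, the Reply-To mismatch and three pressure phrases) and is marked suspicious, while the colleague's welcome note collects none. The point of the script is not to block mail on its own but to surface the exact details the article says victims skip under pressure, so that a reviewer sees them before replying or opening an attachment.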
