Social engineering manipulates people into handing over information, performing actions or granting access. It's the main cause of most serious cybersecurity incidents in 2026, ahead of pure technical exploitation: Verizon DBIR attributes 70% of breaches to a human component, and IBM and Mandiant figures point in the same direction. The reason is structural: although technical defences keep improving, the psychological principles persuasion rests on have been stable for decades.
This guide explains what social engineering actually is, the six psychological principles it's built on (Cialdini's principles), the nine types appearing again and again in real investigations (phishing, spear phishing, whaling, vishing, smishing, BEC, pretexting, baiting, tailgating, quid pro quo, water-holing), essential documented cases (Twitter 2020, Uber 2022, MGM 2023, Scattered Spider campaigns), how a modern organisation defends itself and how all this fits NIS2, DORA, ISO 27001 and GDPR.
What social engineering is
Social engineering is the deliberate exploitation of how people make decisions under pressure, authority, urgency or curiosity to achieve an attacker's goal. The four defining properties:
- Focus on the human, not the system. No technical vulnerability required. An organisation with the best tech can fall if a human gives up credentials.
- Relatively low cost. A mass phishing campaign costs person-days; a targeted operation (Scattered Spider against MGM) costs weeks but delivers disproportionate impact.
- Scalable and outsourceable. Phishing-as-a-service platforms (EvilProxy, Tycoon 2FA) allow sophisticated attacks with little technical skill from the operator.
- Effective despite training. Even trained staff fall for 5-15% of well-designed simulations. Assuming that any individual can be fooled, and designing controls accordingly, is the basis of modern defence.
What it isn't: pure technical exploitation (CVEs, exploits, configuration bypasses). Although most incidents combine both, they're distinct disciplines.
Cialdini's six principles
The most-used theoretical framework for understanding why social engineering works comes from Robert Cialdini's Influence: The Psychology of Persuasion (1984). The six principles the attacker exploits:
1. Authority
People obey authority figures without questioning. Impersonating the CEO, a direct manager, a police officer or an IT technician triggers fast response without verification. Email from the supposed CFO requesting an urgent transfer: classic BEC (Business Email Compromise).
2. Urgency and scarcity
Decisions taken under time pressure are evaluated worse. "Your account will close in 24 hours if you don't update", "last chance", "invoice overdue for 3 days". The attacker shortens the target's reflection time.
3. Reciprocity
Returning favours is wired into social behaviour. The attacker does a small favour (sends a useful document, offers a discount, gives valuable information) and then asks for something. The target feels they should reciprocate.
4. Commitment and consistency
If someone commits to something small, they tend to commit to bigger things in the same direction for consistency with their earlier self. The attacker starts asking little (confirm an email address) and escalates (request credentials).
5. Social proof
People do what they see others do. An email "80% of your colleagues have already completed the mandatory form" triggers response without reflection.
6. Liking
It's easier to give in to someone you like. Attackers invest time building rapport (LinkedIn warm-up, seemingly irrelevant conversations) before asking for what they want.
Almost every social engineering campaign combines two or three principles simultaneously. That's why they're so effective.
The nine main types
Recurring variants in real investigations.
Phishing
Mass email impersonating known entities (bank, cloud platform, parcel service) so the victim clicks a link, downloads a malicious attachment or enters credentials. Vector number one in cybersecurity incidents in 2026 and the broadest category.
Spear phishing
Targeted variant. The attacker researches the victim with OSINT (org chart, internal jargon, ongoing projects) and builds personalised emails very hard to distinguish from legitimate communication.
Whaling
Spear phishing against senior executives (CEO, CFO, financial leadership). Goal: million-euro transfers, access to strategic information. Usually combined with BEC.
BEC (Business Email Compromise)
Compromise of a real corporate account (not just impersonation). The attacker accesses the mailbox via stolen credentials or a token captured by AitM proxy, observes communication patterns for weeks and then sends payment instructions from the legitimate account at the right moment. The category causing the most direct financial damage per FBI IC3.
Vishing
Voice phishing. Phone calls impersonating IT technicians, banks, delivery services. Sharp growth in 2024-2026 driven by generative AI adoption: voice deepfakes that clone the CEO in minutes from public audio.
Smishing
SMS phishing. Text messages with links or instructions. Combined with carrier or public service impersonation (Correos, Hacienda, INE). Especially effective on mobile because the full URL is rarely visible.
Pretexting
Building a plausible false identity and context to request information. Calling customer service posing as an employee needing a password reset, presenting as an external auditor at reception, impersonating a consultant with an active contract.
Baiting
Tempting the target with something attractive: USB "lost" in the corporate car park labelled "2026 salaries", ad for free download of popular software, fake job offer with attachment. Curiosity or desire trigger the behaviour.
Quid pro quo, tailgating, water-holing
- Quid pro quo: offering a service in exchange for something (an IT technician offering "help" in exchange for credentials).
- Tailgating: following someone with a physical badge through a corporate door (with a friendly face, busy, large package).
- Water-holing: compromising a website frequented by the target (sector site, professional forum) so the victim visits it and receives the payload.
Documented real cases
Essential public incidents to understand the state of the art.
Twitter Hack (July 2020). Teenagers gained access to Twitter's internal tools through vishing targeting employees, pretexting as the IT team during phone calls. They took control of the verified accounts of Obama, Biden, Elon Musk, Bill Gates and others for a Bitcoin scam. Low direct economic damage (~$120,000 collected), massive reputational damage for Twitter. Shows that vishing remains effective against large platforms.
Uber breach (September 2022). An 18-year-old attacker (attributed to Lapsus$) compromised Uber's internal network through MFA fatigue: spamming MFA approval prompts at a contractor until they accepted one. Once inside, they found hard-coded credentials in PowerShell scripts giving access to a Thycotic vault with AWS, GCP, Slack and GitHub secrets. Massive exfiltration of internal data. Lapsus$ confirmed authorship via Telegram.
MGM Resorts and Caesars Entertainment (September 2023). Scattered Spider (UNC3944) operation against two Las Vegas hotel chains in under a month. A 10-minute call to the helpdesk impersonating an employee, social engineering to get a credential reset, escalation to Active Directory, ransomware. MGM refused to pay and suffered $100 million in damage; Caesars paid approximately $15 million. Reopened the debate about helpdesk hardening and identity verification in internal support.
3CX supply chain (March 2023). What looked like a technical attack had a social origin: a 3CX employee downloaded a trojanised installer of Trading Technologies X_Trader (another compromised company). Example of a supply chain with a human initial vector.
Snowflake breach (May-June 2024). UNC5537 accessed multiple Snowflake client databases (AT&T, Ticketmaster, Santander, several others) using credentials stolen by infostealers from employees with access, on tenants where the client had not enforced MFA. Modern paradigmatic case: the "attack" was massive and devastating, while the vector was an infostealer on an employee's personal endpoint.
Spear phishing campaigns against journalists and dissidents (ongoing, attributed to state actors). Operations documented by Citizen Lab and Amnesty with Pegasus, Predator and other spyware. The initial vector is almost always social: a convincing message with a link to an exploit page.
MFA Fatigue / MFA Bombing. 2022-2025 category. The attacker with a stolen password bombards MFA prompts until the user approves one out of tiredness, confusion or distraction. Successful vector against Cisco (2022), Uber (2022, via Lapsus$) and many more. Standard defence (TOTP, push) is vulnerable; FIDO2/WebAuthn closes it.
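The pattern described above (a burst of push prompts followed by one approval) is detectable in the MFA provider's logs. The following detector is an added example written for this guide, not code from any vendor; the log format and the threshold of four prompts in ten minutes are assumptions, and the log lines are constructed:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in an assumed
# "timestamp user result" export format from a push-MFA provider.
SAMPLE_LOG = """\
2024-03-01T02:10:05Z alice push_sent
2024-03-01T02:10:41Z alice push_denied
2024-03-01T02:11:02Z alice push_sent
2024-03-01T02:11:30Z alice push_sent
2024-03-01T02:12:15Z alice push_sent
2024-03-01T02:12:44Z alice push_sent
2024-03-01T02:13:09Z alice push_approved
2024-03-01T09:00:00Z bob push_sent
2024-03-01T09:00:20Z bob push_approved
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(push_sent|push_denied|push_approved)$")

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Alert on users who received >= threshold prompts inside `window` and then
    approved one: an approval after a burst is the MFA-bombing signature."""
    alerts = []
    sent = defaultdict(list)
    for ts, user, result in sorted(events):
        if result == "push_sent":
            sent[user].append(ts)
            # keep only prompts still inside the sliding window
            sent[user] = [t for t in sent[user] if ts - t <= window]
        elif result == "push_approved":
            recent = [t for t in sent[user] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": user, "approved_at": ts,
                               "prompts_in_window": len(recent)})
            sent[user].clear()
    return alerts
```

The alert is the trigger for the response playbook later in this guide: treat the approving account as compromised, revoke sessions and force a credential reset.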
Deepfake CEO scam (2019 UK, first public case; recurring since 2022 with generative AI). Call with cloned CEO voice to the CFO ordering a transfer. Documented cases with six and seven-figure losses. The technical barrier has dropped drastically with commercial voice cloning tools.
How a modern organisation defends itself
The measures that actually close the door. Ordered by impact.
Phishing-resistant MFA
FIDO2 / WebAuthn / passkeys. Without this, everything else is window dressing. These technologies bind the signature to the real URL and are immune to phishing-as-a-service kits like EvilProxy or Tycoon 2FA that do defeat TOTP and SMS. Detail in JWT and security.
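Why the origin binding defeats a reverse-proxy kit is easiest to see in the relying party's verification steps. The model below is an added example for this guide, not the WebAuthn library of any product: the domains are constructed, and an HMAC with a per-credential key stands in for the authenticator's asymmetric signature because the Python standard library has none, but the checks on origin, rpIdHash, challenge and signed data follow the real assertion verification order:

```python
import hashlib
import hmac
import json

RP_ID = "login.example.com"            # relying party id (constructed example domain)
RP_ORIGIN = "https://login.example.com"
# An HMAC keyed per credential stands in for the authenticator's asymmetric
# signature (stdlib has none); the binding logic is the same.
CRED_KEY = b"constructed-demo-credential-key"

def authenticator_sign(origin, challenge, rp_id):
    """Model of browser + authenticator: clientDataJSON records the origin the
    browser really talked to, and the signature covers
    authenticatorData (rpIdHash || flags || counter) || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    sig = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_verify(client_data, auth_data, sig, expected_challenge):
    """Relying-party side, following the WebAuthn assertion verification steps."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    return True, "ok"

def legitimate_login(challenge="constructed-challenge-1"):
    return rp_verify(*authenticator_sign(RP_ORIGIN, challenge, RP_ID), challenge)

def proxied_login(challenge="constructed-challenge-1"):
    """A reverse-proxy kit relays the real RP's challenge to the victim, but the
    victim's browser stamps the proxy's origin into clientDataJSON (and only
    allows an rpId matching that origin), so the relayed assertion fails at the RP.
    A TOTP code carries no origin at all, which is why a proxy can relay it."""
    phish = "login.example-com.net"   # constructed look-alike domain
    return rp_verify(*authenticator_sign("https://" + phish, challenge, phish), challenge)
```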
Helpdesk hardening and support procedures
The MGM 2023 case showed that the weakest link in many organisations is the helpdesk. Formal procedures for password and MFA resets: video call with visual employee verification, callback to the number registered in HR, verification against security questions or documents. Without this, a competent attacker armed with OSINT can take over any account.
AitM phishing detection
Platforms like Microsoft Defender for Cloud Apps, Okta ThreatInsight and identity-EDR (CrowdStrike Falcon Identity, SentinelOne Singularity Identity) identify logins from infrastructure known to belong to AitM kits (evilginx, Modlishka, EvilProxy).
Multi-layer email security
Email gateway with attachment sandboxing, URL analysis, strict DKIM/DMARC/SPF, external banner on emails from outside the domain. Microsoft 365 + Defender, Google Workspace + Advanced Protection, Proofpoint, Mimecast, Abnormal Security.
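"Strict" DMARC only helps if the gateway actually evaluates alignment: SPF and DKIM can both pass for an attacker's own domain while the visible From: is yours. The evaluator below is an added example for this guide, not the code of any gateway; the header, domains and DMARC record are constructed, and the organisational-domain rule is simplified to the last two labels (real deployments use the public suffix list):

```python
import re

# Constructed sample inputs (not real mail): an Authentication-Results header
# as a receiving gateway would write it, the RFC 5322 From: domain, and the
# DMARC record the From: domain publishes.
AUTH_RESULTS = ("mx.example.net; spf=pass smtp.mailfrom=bulk.mailer-example.com; "
                "dkim=pass header.d=mailer-example.com")
FROM_DOMAIN = "example.com"
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r"

def parse_dmarc(record):
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}

def parse_auth_results(header):
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([\w.-]+)", header)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([\w.-]+)", header)
    return (spf.groups() if spf else (None, None)), (dkim.groups() if dkim else (None, None))

def org_domain(d):
    # Simplified: last two labels. Real deployments use the public suffix list.
    return ".".join(d.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    if auth_domain is None:
        return False
    if mode == "s":   # strict: exact match with the From: domain
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)   # relaxed

def dmarc_evaluate(header, from_domain, record):
    """DMARC passes when at least one of SPF or DKIM passes AND is aligned with From:."""
    pol = parse_dmarc(record)
    (spf_res, spf_dom), (dkim_res, dkim_dom) = parse_auth_results(header)
    spf_ok = spf_res == "pass" and aligned(spf_dom, from_domain, pol["aspf"])
    dkim_ok = dkim_res == "pass" and aligned(dkim_dom, from_domain, pol["adkim"])
    passed = spf_ok or dkim_ok
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": "pass" if passed else "fail",
            "disposition": "deliver" if passed else pol["p"]}
```

On the constructed sample both SPF and DKIM pass, but for a third-party domain, so the message fails DMARC and the record's p=reject disposition applies.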
Role-specific training and drills
Minimum annual programme, with quarterly phishing drills, role-specific training (helpdesk, finance, executives), real metrics (percentage of staff that click, percentage that report, trend). General one-a-year training doesn't work.
A culture of "verify before acting"
Internal protocols that normalise calling via an alternative channel to confirm unusual financial requests. Internal communication that celebrates those who question, not those who execute quickly. Slogan "if it's urgent, suspect".
Easy reporting of suspicion
"Report phishing" button in the email client, dedicated Teams or Slack channel, SOC team that responds fast to the report. Users report when they see value; they stop reporting when they think it's useless.
Post-compromise impact limitation
Least privilege principle, network segmentation, universal MFA including internal surface, restricting privileged credential use to Tier 0 workstations. Makes an individual compromise not escalate to domain admin. Detail in Kerberos attacks.
Monitoring of own credential leaks
Have I Been Pwned, Spycloud, IntelX and similar alert when corporate credentials appear in leaks. Mandatory rotation + review of recent activity on detection.
Specific response plan
IR playbook for incidents with a social engineering vector: isolate the compromised account, investigate movement, communicate with legal and clients if applicable, honest post-mortem.
Compliance fit
Social engineering risk management appears in current frameworks:
- NIS2 (article 21). Mandatory awareness and training. Specific training for the management body is an explicit requirement.
- DORA (article 11). Digital awareness programmes and periodic training.
- ISO 27001:2022 (controls 5.1, 6.3, 7.3). Security policy, awareness, training.
- ENS Royal Decree 311/2022. mp.per measures (personnel management).
- PCI DSS v4.0 (req. 12.6). Formal awareness programme.
- GDPR (article 32). Technical and organisational measures. Training counts as an enforceable organisational measure.
Frequently asked questions
What's the difference between social engineering and phishing?
Phishing is a specific technique within the broader category of social engineering. Social engineering also covers vishing, smishing, BEC, pretexting, baiting and tailgating. Phishing is the most visible and high-volume implementation.
Does generative AI make the problem worse?
Yes, drastically. It reduces the cost of personalising spear phishing (an actor can generate credible emails for hundreds of targets in minutes), allows voice deepfakes for convincing vishing, automates the prior OSINT phase. The corresponding defence has to evolve: phishing-resistant MFA moves from "good practice" to "mandatory".
How much does a professional phishing simulation cost?
For a mid-sized company, KnowBe4, Cofense, Proofpoint Security Awareness and others offer platforms with per-user annual pricing. For custom targeted simulations with Red Team methodology, projects are contracted as one-off exercises. What matters isn't cost but frequency and template quality (identical simulations every month lose effectiveness).
Does phishing training work?
Yes, with a nuance: it reduces click rate from the initial 25-30% to a sustained 5-15% after 12-18 months of a serious programme. What doesn't work is expecting training to eliminate the problem; there will always be a percentage that falls. Technical defences (strong MFA, EDR, email security) are the safety net.
What exactly is Scattered Spider?
An English-speaking group (UK/US) specialised in phone social engineering against corporate helpdesks. Origin in young hackers from online communities with polished social skills. Evolved into an actor with affiliation to ALPHV/BlackCat and other ransomware operators. Paradigmatic case of social talent leveraged for organised cybercrime.
How do I report a phishing email I received at my company?
The most useful step is to forward it as an attachment (not inline, to preserve headers) to the corporate security mailbox or, where available, use the "report phishing" button in the email client. In companies without an internal team, INCIBE-CERT receives reports at https://www.incibe-cert.es.
Is there legitimate (authorised) phishing?
Yes, authorised internal simulations are standard practice. Run by the security team or a contracted provider. The difference is that after the click the user lands on an educational page, not a credential theft page. Without formal authorisation, launching simulated phishing is a crime (article 197 ter of the Spanish Penal Code).
Related resources
- What is ransomware: scenario where initial social engineering translates into mass encryption and extortion.
- What is OSINT: sister discipline the attacker uses before any targeted campaign.
- Kerberos attacks in Active Directory: how post-compromise impact gets contained at the identity layer.
- Red Team business guide: the exercise type that empirically validates defences against combined social engineering campaigns.
Social engineering defence at Secra
At Secra we address social engineering risk on three usual fronts: review of defensive technical configuration (phishing-resistant MFA, email security, identity-EDR, helpdesk hardening), Red Team exercises with controlled AitM phishing and vishing vectors to empirically validate detection and response, and design of a role-specific awareness programme with real metrics. The usual deliverable is a risk map with concrete priorities and documented drills. If your organisation still relies on SMS or TOTP MFA for privileged accounts, hasn't audited helpdesk procedures or has never empirically measured staff resistance to modern campaigns, get in touch via contact or check our Red Team service.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.