Most people picture hacking as someone in a dark room furiously typing commands at a terminal, breaking through firewalls with obscure exploits. The reality is far less cinematic — and far more unsettling.
In 2025, social engineering was the leading initial access vector across incident response cases, accounting for 36% of all breaches investigated by Unit 42. Not unpatched software. Not zero-days. People. Specifically, convincing people to do things they shouldn’t.
That’s social engineering. And it works because no amount of technical security can fully protect against a well-crafted lie.
What Social Engineering Actually Is
Social engineering is the art of manipulating people into giving up information or access that they shouldn’t. It bypasses firewalls, antivirus software, and intrusion detection systems entirely — because it doesn’t attack the technology. It attacks the person using it.
The attacker’s toolkit isn’t code. It’s trust, urgency, authority, and fear. These are psychological levers that have worked on humans long before computers existed. Hackers just found efficient ways to scale them.
The Techniques — How Each One Actually Works
Phishing
The oldest trick in the book, and still the most common. You get an email that looks legitimate — your bank, your employer, a delivery company — and it asks you to click a link or enter your credentials. The link goes somewhere that looks real. You type your password. It’s gone.
What makes modern phishing dangerous isn’t the technical sophistication. It’s the research behind it. Attackers spend time studying their targets — checking LinkedIn profiles, company websites, social media. Then they craft emails that reference real projects, real colleagues, real internal terminology. That specificity is what makes people click.
In December 2024, U.S. defense contractors were targeted using real conference speaker lists. Attackers posed as event organizers and sent malicious calendar invites. The emails were convincing because the information in them was real.
Pretexting
Pretexting is building a fictional scenario — a pretext — to extract information or access. The attacker becomes a character: an IT support technician, a new employee, an auditor, a vendor.
The MGM Resorts breach in 2023 started here. Attackers found an employee’s name on LinkedIn, called the IT help desk pretending to be that person, and talked their way into getting credentials reset. No malware. No exploit. Just a phone call and a convincing story. The damage eventually reached over a billion dollars.
Pretexting works because help desk staff are trained to be helpful. When someone calls sounding stressed and explaining they’re locked out before an important meeting, the instinct is to solve the problem — not interrogate the caller.
Vishing (Voice Phishing)
Phone-based attacks. An attacker calls pretending to be from your bank’s fraud department, your company’s IT team, or a government agency. They create urgency — your account has been compromised, you need to verify your identity immediately — and the pressure of the live conversation makes people comply before they’ve had time to think.
In 2025, AI-generated voice cloning made this significantly more dangerous. Attackers can now clone someone’s voice from a few seconds of audio found online and use it to impersonate that person on calls. A finance employee at a multinational firm transferred $25 million after joining a video call with what appeared to be senior executives — all of whom were AI-generated deepfakes. Every face, every voice, fabricated.
Baiting
Leave a USB drive in a car park labelled “Q3 Payroll” or “Executive Salaries.” Someone finds it, plugs it into their work computer out of curiosity, and the malware on the drive runs automatically.
This sounds too simple to work. It works constantly. Curiosity is a powerful instinct and most people don’t think twice about plugging in a found drive.
Quid Pro Quo
An attacker calls around an organisation posing as IT support, offering to fix a problem the employee didn’t know they had. In exchange for letting the “technician” remote in or run a script, the employee gets their supposed problem solved. The attacker gets access to the machine.
This exploits the human tendency toward reciprocity. Someone does you a favour — even an unsolicited one — and you feel obligated to return it.
Why It Works So Well in 2025
Three things have made social engineering dramatically more effective recently.
The first is publicly available information. LinkedIn, company websites, social media, data breach dumps — attackers can build a detailed profile of a target before ever making contact. The more specific and accurate the pretext, the harder it is to question.
The second is AI. Phishing emails used to be easy to spot because the grammar was broken and the tone felt off. Now AI can generate flawless, natural-sounding emails at scale, personalised to each recipient. Voice cloning can replicate someone’s speech patterns from a few seconds of audio. Deepfake video has progressed to the point where real-time fabrication of faces is possible in video calls.
The third is speed. Verizon’s data shows the median time between a phishing email arriving and a user clicking it is under 60 seconds. The time from clicking to entering credentials is another 28 seconds. Social engineering attacks are designed to prevent deliberate thought. Urgency is manufactured precisely because a calm person asks questions.
What It Looks Like From the Inside
Here is a realistic scenario that plays out regularly in organisations.
An attacker spends two days researching a target company. They identify the name of the IT manager from LinkedIn. They find the company’s email format from a public breach database. They send an email to a junior employee from a spoofed address that matches the IT manager’s name, explaining that there’s a mandatory security update that needs to be installed before end of day, with a link to download it.
The email looks right. The name is right. The urgency is plausible. The employee clicks, installs what they think is a security patch, and has just handed the attacker persistent access to their machine.
No vulnerability was exploited. No firewall was breached. One person made a reasonable-seeming decision in 60 seconds and the entire network is now at risk.
How to Recognise an Attack
The patterns are consistent once you know what to look for.
Manufactured urgency is almost always present. “Act now,” “immediately,” “before end of day,” “your account will be suspended” — these phrases are designed to push you into action before reflection.
Unexpected contact is a signal. Your bank calls you out of nowhere asking to verify details. An IT technician emails asking you to run a script. A vendor you don’t recognise requests access. Legitimate organisations don’t operate this way.
Requests that bypass normal process are a major red flag. Real IT teams have ticketing systems. Real HR departments don’t request bank detail changes over email without verification. Any request that asks you to skip the normal procedure is worth questioning.
Impersonation of authority figures. Attackers frequently impersonate executives, IT staff, or external authorities because people are conditioned to comply with authority without questioning it.
The Bottom Line
Social engineering remains effective because it exploits something that can’t be patched — human psychology. The urgency, the trust in authority, the desire to be helpful, the curiosity about a found USB drive — these are features of being human, not bugs.
Understanding how these attacks work is the first real defence. The moment you recognise the pattern — someone creating urgency, requesting unusual access, claiming authority, asking you to bypass a normal process — you have the ability to pause and verify instead of comply.
That pause is what attackers are trying to prevent. Don’t let them.