What social engineering actually is
Social engineering is the category name for attacks on people rather than systems. Instead of finding a flaw in your firewall, the attacker finds a flaw in a Tuesday afternoon: a busy bookkeeper, a new hire eager to impress, a manager who doesn't want to question the boss. Then they impersonate someone trusted and ask for what they want — a payment, a password, a code, a door held open.
Why bother hacking when you can just ask? Every social engineering variant runs on the same small set of levers: authority (the CEO needs this now), urgency (the deadline is today), fear (your account will be suspended), helpfulness (IT just needs your code to fix the issue), and familiarity (Sarah from the vendor has emailed for years). None of these are character defects. They're the traits you hired for, pointed at you.
That's why the fix is never purely technical. You can't patch trust — but you can give it a procedure.
The six types you'll actually see
- Phishing. Bulk email built to harvest credentials or deliver malware — a fake Microsoft 365 login page, a "voicemail attached" lure, a shared-document notification. It's the highest-volume attack on earth because it costs nothing to send. The mechanics, and how to read a suspicious message, are in our phishing guide.
- Pretexting and business email compromise. The targeted, researched version: the attacker builds a believable story — a vendor with "updated banking details," an executive needing a confidential wire — often from inside a real compromised mailbox. This is the costliest variant by far: the FBI's Internet Crime Complaint Center logged $3.05 billion in BEC losses in 2025 across 24,768 complaints. The full anatomy is in our business email compromise guide.
- Vishing — including AI voice cloning. The phone call: a fake bank fraud department, a fake IT helpdesk asking the employee to read back an MFA code. The newer twist is that cheap, widely available tools can now clone a voice from a short audio sample — and an owner's voice is on the website video, the podcast interview, the voicemail greeting. A call that sounds exactly like the boss asking the bookkeeper for an urgent transfer is no longer science fiction; treat voice alone as zero proof of identity.
- Smishing. The same cons by text message: "It's [Owner's name] — I'm in a meeting, are you available? I need a favor" followed by a gift-card request, or fake bank and delivery alerts with credential-harvesting links. Texts feel personal and urgent, arrive on devices with no filtering, and new employees — whose hire date is on LinkedIn — get them within days of starting.
- Baiting and quid pro quo. Bait is a trap you pick up yourself: the USB drive in the parking lot labeled "Payroll," the free download that isn't. Quid pro quo offers a service for access: fake "IT support" calling to fix a problem you didn't have, needing your password to do it.
- Tailgating. The physical version: someone in a delivery uniform, arms full of boxes, following an employee through the badge-locked door. Once inside, they're an unattended-desk away from everything. Smaller offices skip this one mentally because "everyone knows everyone" — which is exactly the assumption being exploited.
The tells that repeat across all of them
Train people on these patterns rather than memorizing variants, because the variants change and the patterns don't:
- Manufactured urgency. Real requests survive a thirty-minute delay. Cons rarely do — pressure to act now is the single most reliable tell.
- Authority plus secrecy. "Don't loop anyone else in on this" is the sound of an attacker removing your safety net. Legitimate confidential matters still survive verification.
- A change to where money or credentials go. New bank details, new payment portal, a login page reached from a link rather than your bookmark.
- Channel switching. An email that wants to move to text, a text that wants a phone call, a call that pressures against email — attackers steer toward whatever channel has the least scrutiny and no record.
- A request to bypass normal process. Any version of "just this once, skip the usual steps" is the attack.
Why small businesses are the preferred target
Not because attackers are lazy — because the economics are excellent:
- Authority is concentrated. In a 12-person company, one impersonated owner can authorize anything, and everyone knows the owner's name from the website.
- Process is informal. Payments and password resets happen on trust and memory, so there's no procedure for an attacker to trip over.
- Everyone wears five hats. The person handling wires is also handling onboarding and the printer — divided attention is the attacker's accomplice.
- Helpfulness is the culture. Small teams pride themselves on responsiveness. "Reply fast and don't ask questions" is, unfortunately, also the attacker's ideal victim profile.
- There's no security staff. Nobody's watching sign-in logs or reviewing mailbox rules, so a foothold lasts for weeks instead of minutes.
The defense stack: process, training, backstops
Process — free, and does most of the work:
- Out-of-band verification for anything involving money or credentials. New payee, changed bank details, urgent wire, password reset request: confirm by a different channel using contact details you already had — never the number or link inside the request itself. This one habit defeats BEC, vishing, voice cloning, and smishing simultaneously; the payment-specific version is in our wire fraud guide.
- Dual approval over a threshold. Two humans on any transfer above a limit you pick. Urgency doesn't waive it — urgency is why it exists.
- A spoken code word for voice requests. Pick a phrase only your team knows, and require it on any phone or voice request involving money or credentials. It costs nothing, takes one meeting to set up, and it's the cleanest defense against voice cloning — a synthetic voice can imitate the boss's tone, but it can't know the word. Agree on it in person, never send it by email or text, and change it the moment anyone suspects it has leaked: a code word that lives in a compromised inbox protects nothing.
- A no-blame reporting culture. The person who says "I think I just clicked something bad" within five minutes is your best security asset. If reporting earns embarrassment or anger, employees will hide incidents, and hidden incidents are the expensive kind. Praise the report, every time, publicly.
Training — short, regular, and concrete:
Skip the annual hour-long compliance video. What works is ten minutes a month: a real example, the tell it contained, the habit that beats it. Phishing simulations help when run as practice; run as gotcha-and-punish, they teach people to hide mistakes — the precise opposite of what you need.
Cover new hires in week one, not at the next annual cycle. Their start date is public on LinkedIn, they don't yet know how the company normally communicates, and they're maximally eager to please — which is exactly why the fake-CEO gift-card text finds them first.
Technical backstops — for when the human layer slips, because it will:
- MFA everywhere, so a phished password isn't a usable password. Note the limit: a six-digit code read back to a friendly "IT helpdesk" caller is phished just like the password was, so where you can, use phishing-resistant methods (security keys or passkeys, which only work on the real site), and train people that no legitimate caller ever needs their code.
- Email filtering with impersonation detection, catching lookalike domains and display-name spoofing that generic spam filters miss.
- DNS filtering and EDR on every endpoint, so the bad click meets a blocked page or a contained process instead of a foothold.
The order matters: backstops limit damage, but they don't replace the verification habit. A company with perfect tooling and no callback rule still wires the money.
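The "impersonation detection" above is worth seeing as concrete checks rather than a product feature. The following is an added example, not code from the original guide: a small header triage that catches the three tells a generic spam filter misses (a known person's display name on an outside address, a lookalike of your own domain, and a Reply-To that quietly sends replies elsewhere) plus a DMARC failure. The trusted domain, the owner's name and the sample headers are all constructed for the example.

```python
"""Triage From / Reply-To headers for display-name spoofing and lookalike domains.

Added example, not part of the original guide. The domain, the name and the
sample messages below are constructed assumptions.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-plumbing.com"}   # assumption: the company's real domain
IMPERSONATED_NAMES = {"dana reyes"}          # assumption: the owner's public name

# Visual substitutions attackers use in lookalike domains (a common subset).
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                    ("3", "e"), ("5", "s"), ("7", "t")]


def normalize_domain(domain: str) -> str:
    """Lowercase the domain and undo the common visual substitutions."""
    d = domain.strip().lower()
    for bad, good in CONFUSABLE_PAIRS:
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(headers: dict) -> list:
    """Return the impersonation tells found in one message's headers (empty = none)."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)
    trusted = from_domain in TRUSTED_DOMAINS

    # Tell 1: a name everyone knows, on an address the company does not own.
    if name.strip().lower() in IMPERSONATED_NAMES and not trusted:
        findings.append("display-name spoof: %r sent from %s" % (name, from_domain))

    # Tell 2: a domain that looks like ours after confusables or a couple of edits.
    if from_domain and not trusted:
        norm = normalize_domain(from_domain)
        for real in TRUSTED_DOMAINS:
            if norm == normalize_domain(real) or edit_distance(from_domain, real) <= 2:
                findings.append("lookalike domain: %s imitates %s" % (from_domain, real))

    # Tell 3: the reply goes somewhere other than the apparent sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append("reply-to mismatch: replies go to %s" % domain_of(reply))

    # Tell 4: our own domain in From, but the sending server failed DMARC.
    if "dmarc=fail" in headers.get("Authentication-Results", "").lower():
        findings.append("dmarc=fail: sender domain did not authenticate")
    return findings


# Constructed sample headers (not real messages), one per tell plus a clean one.
SAMPLES = {
    "gift_card_lure": {"From": '"Dana Reyes" <dana.reyes.ceo@gmail.com>'},
    "lookalike": {"From": '"Accounts Payable" <ap@exarnple-plumbing.com>'},
    "reply_to": {"From": "billing@acme-supply.com",
                 "Reply-To": "billing@acme-supply-invoices.net"},
    "spoofed": {"From": '"Dana Reyes" <dana@example-plumbing.com>',
                "Authentication-Results": "mx.example; spf=fail; dmarc=fail"},
    "legit": {"From": '"Dana Reyes" <dana@example-plumbing.com>',
              "Authentication-Results": "mx.example; spf=pass; dmarc=pass"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, "->", triage(hdrs) or ["no tells"])
```

These are tells, not verdicts: a legitimate partner on a similar-looking domain will trip the lookalike rule, which is fine, because the point is to route the message to a human who then verifies out of band as the process section describes.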
After a successful attack: the first hours
- Establish what was given up. A password, a code, money, remote access? Each has a different clock running.
- Credentials: reset the password, revoke all active sessions, and check the mailbox for new inbox rules (anything that forwards, redirects, deletes, or files mail out of sight), the account for changed recovery details or newly added MFA methods, and the list of third-party apps granted access. Assume the attacker did something with the access, then verify they didn't.
- Money: call your bank now and request a recall and a hold on the receiving account, then file at ic3.gov — the FBI's recovery process works best within the first couple of days. The full sequence is in the BEC guide.
- Preserve everything. Emails with full headers, texts, call logs, the fake invoice. It's evidence for your bank, your insurer, and law enforcement.
- Notify your insurer promptly — policies have real notification deadlines.
- Debrief without blame. Walk the team through the actual trick within days, while it's vivid. One person's bad afternoon becomes everyone's immunity — but only in a culture where they were safe to report it.
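The "check the mailbox for new forwarding rules" step is where most first responders stop at the obvious forward-to-Gmail rule and miss the quieter ones. The block below is an added example, not code from the original guide: it triages a mailbox's inbox rules for the patterns a BEC attacker leaves behind (external forwarding or redirect, rules that hide mail about invoices, wires or passwords in folders nobody reads, rules with blank or one-character names, and anything created on or after the day the credentials were phished). The record shape, the domain and the sample mailbox are constructed assumptions modeled loosely on Exchange-style inbox rule properties, with a `created` date assumed to have been merged in from an audit log.

```python
"""Triage inbox rules for the patterns BEC attackers leave behind.

Added example, not part of the original guide. The record layout and the
sample mailbox are constructed assumptions, not a real export.
"""
from datetime import date

INTERNAL_DOMAINS = {"example-plumbing.com"}   # assumption: the company's own domain

# Folders attackers use to park mail the victim never opens.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
# Subject words an attacker wants hidden while a payment scam is in progress.
HIJACK_WORDS = {"invoice", "payment", "wire", "bank", "remit", "password",
                "verify", "suspicious", "fraud", "hacked"}


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def triage_rule(rule: dict) -> list:
    """Return the reasons one inbox rule looks attacker-made (empty = nothing found)."""
    reasons = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [t for t in targets if is_external(t)]
    if external:
        reasons.append("forwards or redirects to external %s" % ", ".join(external))

    words = {w.lower() for w in rule.get("subject_contains", [])}
    hits = sorted(words & HIJACK_WORDS)
    folder = (rule.get("move_to_folder") or "").lower()
    hiding = bool(rule.get("delete_message")) or folder in HIDING_FOLDERS
    if hiding and hits:
        reasons.append("hides messages mentioning %s" % ", ".join(hits))
    elif hiding and rule.get("mark_as_read"):
        reasons.append("silently hides mail in %s" % (folder or "deleted items"))

    # Attackers name rules "." or "..." so they do not stand out in the rule list.
    if not rule.get("name", "").strip(" .,-_"):
        reasons.append("nondescript rule name %r" % rule.get("name", ""))
    return reasons


def triage_mailbox(mailbox: dict, since: date) -> list:
    """Return (rule name, reasons) for every rule worth a human's attention.

    `since` is the day the credentials were (or may have been) phished; any
    rule created on or after it is listed even when it looks benign.
    """
    flagged = []
    fwd = mailbox.get("forwarding_smtp_address")
    if fwd and is_external(fwd):   # mailbox-level forwarding is not an inbox rule
        flagged.append(("<mailbox forwarding>", ["copies every message to %s" % fwd]))
    for rule in mailbox.get("rules", []):
        reasons = triage_rule(rule)
        created = rule.get("created", date.min)
        if created >= since:
            reasons.append("created %s, on or after the incident date" % created)
        if reasons:
            flagged.append((rule.get("name", ""), reasons))
    return flagged


# Constructed sample mailbox: two attacker rules and one genuine one.
SAMPLE_MAILBOX = {
    "owner": "bookkeeper@example-plumbing.com",
    "forwarding_smtp_address": None,
    "rules": [
        {"name": ".", "enabled": True, "created": date(2024, 5, 14),
         "subject_contains": ["invoice", "wire", "payment"],
         "move_to_folder": "RSS Feeds", "mark_as_read": True},
        {"name": "Vendor copy", "enabled": True, "created": date(2024, 5, 14),
         "forward_to": ["ap-recovery@outlook.com"]},
        {"name": "Newsletters", "enabled": True, "created": date(2023, 1, 9),
         "subject_contains": ["newsletter"], "move_to_folder": "Reading",
         "mark_as_read": True},
    ],
}

if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_MAILBOX, date(2024, 5, 13)):
        print("rule %r:" % name)
        for r in reasons:
            print("   -", r)
```

The hiding check matters as much as the forwarding check: in a live BEC, the attacker does not need a copy of every message, only to keep the bookkeeper from seeing the real vendor's "did you get our payment?" until the fraudulent wire has cleared.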
Social engineering will never be patched out of existence, because it targets the one system you can't update. But a team with a verification habit, a reporting culture, and decent backstops turns from the easiest target in town into a genuinely expensive one — and attackers, being economical above all, move on.
