How to Recognize and Defend Against Social Engineering in the Workplace

Social engineering is the art of manipulating people rather than systems. While organizations spend millions hardening their technical defenses, attackers increasingly bypass all of it by targeting the humans who operate those defenses. The $285 million Drift Protocol breach — executed over six months through fake professional identities, in-person conference meetings, and malicious code shared under the guise of collaboration — is one of the most dramatic recent examples. But social engineering attacks happen at every scale, from a single phishing email targeting an accounts payable clerk to a months-long infiltration of a DeFi protocol’s core team.

This guide explains how social engineering works, what the most common attack types look like in practice, and what individuals and organizations can do to reduce their exposure.

What Social Engineering Actually Is

Social engineering exploits human psychology rather than technical vulnerabilities. Attackers rely on a consistent set of psychological levers: authority (impersonating executives, law enforcement, or trusted vendors), urgency (creating time pressure that short-circuits careful thinking), familiarity (building rapport over time before making a malicious request), fear (threatening consequences for inaction), and reciprocity (doing something for the target first to create a sense of obligation).

The most effective social engineering attacks combine several of these levers simultaneously. A phone caller who identifies themselves as IT support, references a real colleague by name, creates urgency around a system outage, and asks for credentials is harder to resist than one who uses only a single tactic. Nation-state groups like UNC4736 spend months building legitimate-looking professional identities specifically because the depth of that relationship makes the eventual malicious request far more convincing.

Common Attack Types

Phishing is the most common form of social engineering. Attackers send emails designed to look like they originate from a trusted source — a bank, a colleague, a vendor, an HR system — and direct recipients to click a link, open an attachment, or enter credentials on a fake login page. Spear phishing is a targeted variant where the attacker researches the recipient specifically and personalizes the message to increase credibility. The Radiant Capital hack began with a spear phishing message on Telegram that impersonated a trusted former contractor by name.

Vishing (voice phishing) involves phone or video calls rather than email. Attackers impersonate IT helpdesk staff, bank fraud departments, government agencies, or executives. Deepfake audio and video technology has significantly increased the credibility of these attacks, with several documented cases of employees being deceived by AI-generated voice calls impersonating their own CEO.

Pretexting involves constructing a fabricated scenario to justify a request. An attacker might pose as a new vendor needing system access, an auditor requesting financial documents, or a job candidate asking technical questions that reveal infrastructure details. The pretexting operations run by UNC4736 are among the most sophisticated documented — complete with LinkedIn profiles, professional websites, employment histories, and months of genuine technical engagement before any malicious payload is delivered.

Baiting involves offering something enticing to lure a target into an action. This could be a USB drive left in a parking lot, a free software tool shared in a professional community, or a repository shared during a business discussion. Simply opening a file or cloning a repository can be enough to execute malicious code on the target’s device, as Drift Protocol contributors discovered when they interacted with what appeared to be a legitimate codebase shared by their supposed trading partners.

Business Email Compromise (BEC) is a financially motivated attack where an attacker compromises or impersonates a corporate email account to redirect payments, request wire transfers, or intercept financial transactions. BEC causes billions in losses annually and is one of the most financially damaging forms of social engineering. It frequently targets finance teams, accounts payable staff, and executives with payment authority.

Quid Pro Quo attacks offer something of value in exchange for information or access. A classic example is an attacker calling employees and offering IT assistance in exchange for their credentials. In more sophisticated operations, this manifests as offering free security tools, research reports, or professional opportunities that require the target to install software or share system details.

Red Flags to Watch For

No single indicator guarantees a social engineering attempt, but several patterns should trigger additional scrutiny. Unexpected urgency is one of the most reliable signals — legitimate requests rarely require bypassing normal processes. Requests that arrive through unusual channels, such as a vendor suddenly switching from email to WhatsApp, should prompt verification. Any request to bypass security controls, even temporarily, warrants skepticism regardless of who is asking. Unsolicited offers of tools, files, or access deserve particular caution in professional contexts. Pressure not to verify or discuss a request with colleagues is a strong indicator of manipulation.

In the context of business relationships, be alert to new contacts who show unusually detailed technical knowledge of your organization’s internal systems or processes — this may indicate prior reconnaissance. Requests to install software, clone a repository, or run a script from a new contact should be treated with the same scrutiny as a request from a stranger on the street.

Organizational Defenses

Technical controls matter but are insufficient on their own. Multi-factor authentication significantly reduces the impact of credential theft from phishing, though it is not foolproof — attackers can use adversary-in-the-middle proxies to capture MFA tokens in real time. Hardware security keys using FIDO2 standards are substantially more resistant to phishing than SMS or app-based codes and should be prioritized for high-privilege accounts.

Email security tools including DMARC, DKIM, and SPF authentication reduce the ability of attackers to spoof trusted domains. Email gateways that scan for malicious links and attachments catch a significant portion of commodity phishing. However, spear phishing campaigns from compromised legitimate accounts or carefully constructed lookalike domains frequently bypass automated filters, making human judgment the last line of defense.
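Where sender authentication cannot help is the lookalike-domain case above, so the filter has to look at the domain string itself. The following check is an added example (not code from the original article) that folds common confusable characters in a From: header's domain and compares it against a constructed allowlist of trusted sender domains; the allowlist, the confusable table and the sample headers are all assumptions made here for illustration.

```python
import re
import unicodedata

# Constructed allowlist: domains the organisation genuinely receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "acme-vendor.com"}

# Confusable characters and digraphs seen in lookalike domains (partial, illustrative).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
               ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c")]

def normalize(domain: str) -> str:
    """Lower-case, strip accents and fold confusables: 'EXARNPLE-BANK.COM' -> 'example-bank.com'."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Extract the domain from 'Name <user@host>' or a bare 'user@host' From: value."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].strip().lower()

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> dict:
    """Verdict is 'trusted' (exact match), 'lookalike' (near a trusted domain after folding) or 'unrelated'."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return {"domain": domain, "verdict": "trusted", "closest": domain}
    norm = normalize(domain)
    closest = min(trusted, key=lambda t: edit_distance(norm, normalize(t)))
    dist = edit_distance(norm, normalize(closest))
    verdict = "lookalike" if dist <= max_dist else "unrelated"
    return {"domain": domain, "verdict": verdict, "closest": closest}

if __name__ == "__main__":
    # Constructed sample From: headers, not real mail.
    for hdr in ["Payments <ap@example-bank.com>", "Payments <ap@exarnple-bank.com>",
                "ap@examp1e-b\u0430nk.com", "billing@acme-vendor.co", "news@conference-org.example"]:
        print(classify_sender(hdr))
```

A "lookalike" verdict is a signal for human verification of the kind the paragraph describes, not proof of an attack; tune `max_dist` and the allowlist to your own mail flow.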

Separation of duties and least-privilege access limit the blast radius of any single compromised account. No individual should have unilateral authority to approve large financial transactions, deploy software to production, or modify critical infrastructure. For organizations operating multisig governance systems, thresholds should be set high enough that compromising a small number of signers is insufficient — the Radiant Capital breach succeeded partly because a 3-of-11 threshold was too low for the value it protected.

Verification procedures for out-of-band requests are essential. Any request received through an unusual channel — a phone call asking for credentials, a text message requesting a wire transfer, a new contact sharing a file — should be verified through a separate, independently established communication channel before acting. Call the requester back on a number you looked up yourself, not one they provided.

For organizations that rely on external contractors, vendors, or integration partners, device security policies should extend to anyone with access to sensitive systems. The Drift Protocol attack succeeded by compromising the personal devices of contributors who shared access to governance infrastructure. Any device that can touch critical systems is a potential attack surface regardless of who owns it.

Training and Culture

Security awareness training is most effective when it is ongoing rather than annual and when it includes realistic simulated attacks rather than just theoretical instruction. Employees who have experienced a convincing simulated phishing email are better prepared than those who have only read about phishing in a policy document. Training should cover the psychological mechanisms behind social engineering, not just the technical signatures of malicious content.

Culture matters as much as training. Organizations where employees fear punishment for raising security concerns, or where reporting a suspected incident feels embarrassing, will consistently underperform organizations where security is treated as a shared responsibility. Employees should be explicitly encouraged to pause, verify, and escalate suspicious interactions without fear of being seen as obstructive. The cost of a false positive — a legitimate request being briefly delayed for verification — is always lower than the cost of a successful social engineering attack.

What to Do If You Suspect an Attack

If you believe you are being socially engineered, disengage from the interaction and do not provide any further information or access. Report the incident to your security team immediately, preserving any communications, files, or links involved. If you have already provided credentials or installed software, treat your device and accounts as potentially compromised and escalate immediately — do not wait to see if anything bad happens.

For organizations responding to a confirmed social engineering incident, assume the scope is broader than initially apparent. Social engineering attacks frequently target multiple employees simultaneously, and the goal of the initial compromise is usually to establish a foothold for a larger operation rather than to achieve the stated objective of the conversation.

m00s3c

Moose (@m00s3c) is the author of BreachNews, focusing on data breach intelligence, dark web monitoring, and threat analysis. His work involves analyzing breach claims, reviewing leaked datasets, and tracking threat actor activity to provide clear, factual reporting.
