What is social engineering?
Social engineering is the manipulation of people, rather than systems, into doing something unsafe: sharing information, approving a payment or login, or skipping a normal process.
Simple example
Someone phones a receptionist claiming to be from IT and asks them to approve an MFA prompt that "IT just sent" or to read out a one-time code. The caller then uses that approval or code to log in as the receptionist.
Why it matters
Social engineering exploits trust, helpfulness, time pressure, and routine business processes rather than technical flaws, so technical controls alone do not stop it. An attacker who can talk a person into approving a prompt or sharing a code does not need to defeat the password or MFA.
Common warning signs
- The request is unexpected or unusual for the business context, such as a payment to a new account, a change of bank details, or a request to read out a code.
- The request creates pressure to act quickly, or discourages checking with anyone else.
- Normal approval, verification, or security processes are bypassed.
- There are signs of unauthorised access, data exposure, or system change.
- Staff cannot confirm who the request really came from, or are unsure whether the message or system behaviour is legitimate.
Cyber Doc view
This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.
What to do
Proactive steps
- Create clear verification steps for sensitive requests: call the requester back on a number from the internal directory, never on a number the caller supplies, and confirm payment or access changes through a second channel.
- Train staff to pause when requests feel urgent or unusual, and make it clear that slowing down to verify is expected, not a failure.
- Never share passwords or MFA codes over phone or chat, and do not approve MFA prompts you did not trigger yourself; legitimate IT support does not need them.
- Use approval workflows for financial or data-related decisions.
- Encourage staff to report suspicious interactions early.
Reactive steps
- Stop the interaction and do not provide more information.
- Record what was requested, how contact was made (phone number, email address, chat account), and what, if anything, was disclosed.
- Report the incident internally or to IT, even if nothing was shared; the same attacker may be calling colleagues.
- Review whether any credentials, codes, or access were shared, and if so reset the credentials, revoke active sessions, and re-check recent MFA approvals.
- Monitor affected accounts or systems for suspicious activity, such as logins from new locations or devices and changes to payment or mailbox settings.
Related terms
- Phishing
- Vishing
- Spear phishing