Social Engineering Explained: The Human Hacking Behind Every Scam

Most breaches do not start by beating a computer. They start by fooling a person. How social engineering works, the psychology it exploits, the techniques from pretexting to deepfakes, and how to defend yourself.
The most reliable way into a secure system is not to defeat the technology. It is to fool the person who holds the keys. This is social engineering: the art of manipulating people into handing over information, money, or access. It is behind the majority of breaches, the multibillion-dollar wave of business fraud, and the scam that just landed in your messages. And artificial intelligence has made it more convincing than ever. Here is how the human hack works, and how to beat it.
What social engineering is
Social engineering is psychological manipulation used to make someone act against their own interest: clicking a link, approving a login, wiring money, or holding a door. It targets human judgement rather than software, which is why it works even against organisations with excellent technical defences. Verizon's 2025 research found the human element is involved in roughly 60 percent of all breaches. You cannot patch a person, and attackers know it.
The six levers it pulls
Social engineers rely on the same principles of influence the psychologist Robert Cialdini documented. Recognising them is the first defence.
| Lever | How it is used against you |
|---|---|
| Authority | Posing as the boss, the bank, the police, or IT, so you comply without questioning. |
| Urgency and scarcity | "Act now or your account closes." Pressure shuts down careful thinking. |
| Social proof | "Everyone on your team has already done this," to make the request feel normal. |
| Reciprocity | A small favour or gift first, so you feel obliged to return it. |
| Liking | Friendliness and flattery, or a fake shared connection, to lower your guard. |
| Commitment | Getting a small "yes" first, then escalating to the real ask. |
The anatomy of an attack
A serious social-engineering operation runs like a small intelligence project.
- Research. The attacker gathers open-source information about you from social media, company sites and data leaks: your role, your boss, your vendors, your routines.
- Pretext. They build a believable cover story and identity tailored to what they learned.
- Engage and exploit. They make contact, build rapport or apply pressure, and steer you to the action they want.
- Exit. They take the money, data, or access, and often cover their tracks so the fraud is not noticed until later.
The many forms it takes
| Technique | What it is |
|---|---|
| Pretexting | Inventing a fake scenario or identity to extract information or access. |
| Phishing | Fraudulent messages impersonating a trusted entity, by email, and as smishing (text) or vishing (voice). |
| Business email compromise | Impersonating an executive or supplier to trigger a fraudulent payment. The costliest form. |
| Baiting | A tempting offer or a planted USB drive that delivers malware. |
| Quid pro quo | Offering a service, often fake "IT support," in exchange for access. |
| Tailgating | Following an authorised person through a secure door. |
| Scareware | Fake alerts that frighten you into installing malware or paying. |
| MFA fatigue | Flooding you with login-approval prompts until you tap one to make it stop. |
| Help-desk attacks | Calling IT support while impersonating an employee to get a password or MFA reset. |
How it defeats your defences
Modern social engineering is built to get around security tools, not just around you. The help-desk attack is now devastatingly effective: a criminal researches an employee, phones the IT desk impersonating them, and talks an agent into resetting the password or multi-factor authentication. The crew known as Scattered Spider used exactly this to breach MGM Resorts in 2023 with a roughly ten-minute phone call, and through 2025 it ran the same play against retailers, insurers and airlines. Voice phishing, the human end of this, surged 442 percent in the second half of 2024.
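The MFA-fatigue technique listed in the table above leaves a distinctive trace in authentication logs: a burst of push prompts the user denies or ignores, sometimes ending in the approval the attacker was waiting for. The detector below is an added example written for this article, not code from any of the sources or vendors it cites; the log format and the sample lines are constructed for illustration, so the field names (`mfa_push`, `result=`) would need to be mapped to whatever your identity provider actually emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system): timestamp, user, event, key=value fields.
SAMPLE_LOG = """\
2025-03-04T08:01:02Z alice mfa_push result=denied src=203.0.113.9
2025-03-04T08:01:40Z alice mfa_push result=denied src=203.0.113.9
2025-03-04T08:02:15Z alice mfa_push result=denied src=203.0.113.9
2025-03-04T08:02:50Z alice mfa_push result=timeout src=203.0.113.9
2025-03-04T08:03:30Z alice mfa_push result=approved src=203.0.113.9
2025-03-04T08:05:00Z bob mfa_push result=approved src=198.51.100.4
2025-03-04T09:10:00Z carol mfa_push result=denied src=198.51.100.7
2025-03-04T17:10:00Z carol mfa_push result=approved src=198.51.100.7
"""


def parse_line(line):
    """Split one constructed log line into a dict (timestamp parsed as an aware datetime)."""
    ts, user, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, **fields}


def detect_push_floods(log_text, threshold=3, window=timedelta(minutes=10)):
    """Flag users who received at least `threshold` unapproved push prompts inside `window`.

    Each alert records how many prompts were denied or timed out and whether an approval
    followed the burst, the 'tap one to make it stop' outcome that means the account is
    likely compromised rather than merely harassed.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "mfa_push":
            events[rec["user"]].append(rec)

    alerts = []
    for user, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            # Sliding window anchored on each prompt; report the first burst per user.
            burst = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            unapproved = [r for r in burst if r["result"] != "approved"]
            if len(unapproved) >= threshold:
                last_unapproved = unapproved[-1]["ts"]
                approved_after = any(r["result"] == "approved" and r["ts"] > last_unapproved
                                     for r in burst)
                alerts.append({"user": user, "prompts": len(unapproved),
                               "approved_after_burst": approved_after,
                               "start": first["ts"].isoformat()})
                break
    return alerts
```

On the constructed sample, `alice` is flagged with four unapproved prompts followed by an approval, while `carol`'s single denial hours before a normal login is not. An alert with `approved_after_burst` set is the one to treat as an active compromise: revoke the session and reset credentials before anything else.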
The AI upgrade
Generative AI has supercharged every stage. It writes flawless, personalised pretexts in any language, clones a voice from seconds of audio for fake "family emergency" calls, and now stitches together live video deepfakes. The landmark case is the engineering firm Arup, where in 2024 a finance worker paid out about 25.6 million US dollars after a video call in which every other participant, including the chief financial officer, was an AI deepfake. Microsoft reports AI-generated fake identity documents grew 195 percent in a year.
Social engineering in the wild
| Case | When | What happened |
|---|---|---|
| MGM Resorts | 2023 | Attackers researched an employee on LinkedIn, then phoned the help desk impersonating them and gained admin access. Reported impact: around 100 million dollars. |
| Scattered Spider wave | 2025 | The same help-desk and voice-phishing playbook hit a string of major retailers, insurers and airlines. |
| Arup deepfake call | 2024 | A finance worker wired about 25.6 million dollars after a video meeting populated entirely by AI deepfakes. |
How to defend yourself
- Verify on a channel you trust. If a message or call asks for money, credentials or a change to payment details, hang up and call back on a number you already have, never the one provided.
- Distrust urgency and authority. Pressure to act immediately is the single most common tell. Slow down; that is exactly what the attacker does not want.
- Use phishing-resistant MFA. Passkeys and security keys cannot be relayed or reset by a smooth talker the way a password can.
- Shrink your digital footprint. The less personal detail you post publicly, the less material an attacker has to build a convincing pretext.
- Make verifying normal. In a team, callbacks for payment changes and strict help-desk identity checks should be routine, never seen as rude.
If you have been caught out
- Change the affected password now, from a clean device, and anywhere you reused it.
- Turn on MFA, ideally a passkey, on the affected accounts.
- Call your bank at once if money or card details were involved; speed decides whether funds can be frozen.
- Report it (see below) and watch for follow-on "recovery" scams that target people who were just defrauded.
How to report it, country by country
Reporting fast helps freeze stolen funds and shuts attacks down. Use the right channel for where you are.
| Country | Where to report |
|---|---|
| United States | Report fraud to the FBI at ic3.gov and the FTC at reportfraud.ftc.gov; forward phishing emails to [email protected] and spam texts to 7726. |
| India | Call 1930 at once for any financial fraud so banks can freeze the transfer, then file at cybercrime.gov.in. |
| United Kingdom | Forward suspicious emails to [email protected] and texts to 7726; report fraud at actionfraud.police.uk. |
| European Union | Report to your national CSIRT or police; many EU states run a local cyber-fraud or scam hotline. |
Watch: how social engineering works
A short primer on the human side of hacking, from IBM.
Frequently asked questions
Is social engineering the same as phishing? Phishing is one form of social engineering, the most common one. Social engineering is the broader craft that also includes voice scams, pretexting, baiting, and in-person tricks.
Why does it work on smart people? Because it targets universal human instincts: trust, helpfulness, fear, and respect for authority, not intelligence. Under time pressure, anyone can be caught.
Can multi-factor authentication stop it? It helps, but attackers bypass weaker forms with MFA-fatigue prompts and help-desk resets. Phishing-resistant methods like passkeys are far harder to defeat.
How do I verify a suspicious request? Independently. Contact the person or company through a number or address you already trust, not the one in the message.
Sources
- Verizon 2025 Data Breach Investigations Report
- FBI IC3 2025 Internet Crime Report
- IBM Cost of a Data Breach Report 2025
- CrowdStrike 2025 Global Threat Report (vishing surge)
- CISA, Scattered Spider advisory AA23-320A
- CNN, Arup deepfake fraud
- CISA, avoiding social engineering
- CISA, phishing-resistant MFA