What is Social Engineering?

At its core, social engineering is not a cyber attack. Instead, it is all about the psychology of persuasion: it targets the mind, the way a con man does. The aim is to gain the trust of targets so that they lower their guard, and then to encourage them to take unsafe actions, such as divulging personal information or clicking on web links or opening attachments that may be malicious.

Most cyber attacks don’t start with someone hacking a system. They start with someone convincing a real person to make a mistake. That’s what social engineering in cyber security is all about.

In simple terms, social engineering is when attackers manipulate human behaviour rather than breaking through technical defences. Instead of cracking passwords or exploiting software, they rely on trust, urgency, fear, or curiosity to get someone to click a link, share information, or approve access they shouldn’t. And because it targets people, not machines, it’s often far more effective than you’d expect.

This matters now more than ever. Individuals are dealing with convincing scam emails, fake delivery messages, and phone calls that sound completely legitimate. Organisations face even bigger risks, from data breaches to financial loss and reputational damage, all triggered by one well-timed message or call.

As systems get more secure, attackers increasingly look for the easiest route in. That route is the human one.

Here, I’ll be breaking down how social engineering works in practice, why it’s so hard to stop, and why understanding it is becoming a must-have skill in modern cyber security.

If you already have a general understanding of how cyber threats work, this guide builds on that foundation. If you need a quick refresher first, it’s worth starting with our overview of what cyber security is before going deeper here.
