What is Social Engineering?
Social engineering is the practice of manipulating people into giving up confidential information or taking actions that compromise security. Instead of breaking through firewalls and encryption, attackers exploit trust, authority, urgency, and helpfulness — basic human instincts that no software patch can fix. It is the foundation of nearly every major breach.
How a Social Engineering Attack Works
1. Gather intelligence on the target
The attacker collects information about the organization's people, processes, and culture from public sources — enough to sound like an insider.
2. Establish trust or authority
They contact the target posing as someone with a legitimate reason to ask: IT support, a vendor, a new executive, or even law enforcement.
3. Exploit a psychological trigger
The request leverages urgency ("this needs to happen before end of day"), authority ("the CEO asked me to call you"), or helpfulness ("I'm locked out and have a client presentation in 10 minutes").
4. Extract what they need
The target provides credentials, disables a security control, approves an exception, or transfers funds — believing they're doing the right thing.
Real-World Example
An attacker called a company's help desk, identified themselves as a remote employee by name (found on LinkedIn), cited the correct department and manager, and convinced the technician to reset their password. The attacker had never worked at the company but knew enough publicly available details to pass every verification question.
How AiVERSARY Detects Social Engineering Risk
AiVERSARY's OSINT reports reveal the raw material social engineers use: employee names, roles, reporting structures, personal interests, and organizational patterns that are publicly visible. By showing you exactly what an attacker can learn about your people without ever touching your network, the report helps you close the information gaps that make social engineering effective.
Is your organization exposed to social engineering?
AiVERSARY scans your public footprint and identifies the exact data attackers would use against you. $499 per report.
Related Terms
Pretexting
Pretexting is when an attacker creates a fabricated scenario — a "pretext" — to trick someone into sharing information or performing an action they normally wouldn't. Think of it as method acting for criminals: they invent a believable character and situation, then play that role convincingly enough to bypass your team's natural skepticism. The quality of the pretext depends entirely on how much real information the attacker can gather beforehand.
Vishing
Vishing — short for "voice phishing" — is when attackers use phone calls instead of emails to manipulate people into sharing sensitive information or taking harmful actions. Phone calls create a sense of immediacy and personal connection that emails can't match, and they bypass all of your email security filters. With AI voice cloning now widely available, attackers can even impersonate specific people your team knows and trusts.
Spear Phishing
Spear phishing is a targeted email attack where criminals research a specific person and craft a message designed just for them. Unlike mass spam, these emails reference real details about your job, your colleagues, or recent company events to appear legitimate. They are the number one way attackers breach organizations today.
Whaling
Whaling is a form of phishing that specifically targets senior executives — the "big fish" in an organization. These attacks are highly personalized, well-researched, and designed to exploit the authority and access that come with leadership positions. Because executives can authorize large transactions, access sensitive data, and override security procedures, a single successful whaling attack can have catastrophic consequences.