What is social engineering?

How does social engineering work?

While social engineering attacks can take many forms, they typically follow a predictable process. Understanding how these attacks unfold is critical for recognizing and preventing them—especially in business environments, where the cost of a successful scam can be high. Below are the four key stages most social engineering tactics follow:

1. Research the target

Before launching an attack, cybercriminals gather information about their target—often using public sources like social media, company websites, or press releases. This phase helps attackers craft believable messages or interactions tailored to specific individuals, teams, or departments.

In targeted spear phishing campaigns, this research can include employee roles, recent company news, supplier relationships, or even the tools and software the company relies on daily—enabling attackers to imitate legitimate communication from trusted platforms. The goal is to build a profile that makes the attack feel legitimate and relevant.

2. Build trust

Once they understand their target, attackers begin to engage—often posing as trusted figures like executives, clients, or IT support, or even automated system notifications from platforms employees regularly use, such as HR or payroll systems. This is where social engineering becomes especially effective in a B2B context, as employees may not question messages that appear routine or urgent.

These social engineering tactics are designed to bypass technical controls by appearing human and harmless. A well-crafted phishing attack, for example, might include the correct branding, tone, and context to avoid suspicion.

3. Exploit emotions

Emotion is a powerful tool in social engineering scams. Attackers often create a sense of urgency, fear, or authority to push people into acting quickly—before they have time to think critically.

An employee might receive an email warning of a suspended account or a missed payment, prompting them to share sensitive information or click on a malicious link. The goal is to bypass judgment by triggering a fast, emotional response.

4. Extract information or access

The final stage is action. Once trust is established, and the victim is emotionally triggered, the cybercriminal makes their move—asking for credentials, financial data, direct system access, or prompting the download of malicious files.

This is where data breaches often begin. Whether through login portals, infected attachments, or malicious websites (as in watering hole attacks), the attacker collects what they need and disappears—often undetected until it’s too late.

Signs of social engineering attacks

While social engineering tactics vary, they often leave behind recognizable red flags. Educating employees to notice these signs can help stop an attack before it succeeds.

Here are the most common warning signs of a social engineering attempt:

• Unusual urgency or pressure. Most social engineering attacks invoke panic or urgency. Be wary of messages that demand immediate action—especially those involving payments, credentials, or account resets.
• Unfamiliar sender or contact method. If a request comes from an unknown email address, phone number, or social media account—even if it mimics a known name—it could be spoofed.
• Requests for sensitive information. No legitimate employee, vendor, or IT technician should ask for passwords, MFA codes, or system access through email or chat.
• Too good to be true offers. If a free download, prize, or unexpected refund seems too generous, it probably is. These are often baiting tactics to lure users into downloading malware.
• Inconsistencies in tone or style. Does an email sound unlike the sender? Does it use strange grammar, formatting, or language that feels off? Even subtle differences can indicate fraud.
• Link mismatches or suspicious URLs. Hovering over a link can reveal a different destination than what's displayed. These are classic signs of phishing or spoofed websites.

Social engineering techniques

Understanding how social engineering attacks are carried out is essential to protecting your organization. Each method below represents a different tactic used by cybercriminals to manipulate people and gain access to sensitive information.

These are among the most common and dangerous types of social engineering:

• Phishing. Phishing is one of the most widespread social engineering attacks today. It typically involves deceptive emails, websites, or messages that appear to come from legitimate sources—such as banks, partners, or internal departments—and prompt users to click malicious links or provide sensitive information, like passwords or account details.
• Spear phishing. A more targeted form of phishing attack that focuses on specific individuals or organizations. Cybercriminals conduct detailed research on their victims to create highly convincing messages. In business environments, these social engineering tactics may reference real projects, executive names, or client data to appear credible.
• Baiting. It offers something appealing—such as free software, exclusive access, or even a physical USB drive—to trick users into downloading malware or entering sensitive information. These types of social engineering rely on curiosity and perceived value, often bypassing technical defenses by exploiting human behavior.
• Pretexting. In pretexting, the attacker invents a believable scenario (or "pretext") to build trust and extract information. For example, someone posing as IT support might call an employee, claiming they need login credentials to fix a system issue. These social engineering attacks are particularly dangerous because they often sound routine and harmless.
• Quid pro quo. Unlike baiting, which relies on passive temptation, quid pro quo attacks are conversational. For example, an attacker might call employees pretending to be from IT, offering assistance in fixing slow internet speeds—only to instruct them to disable security settings. The scam exploits helpfulness and willingness to cooperate, particularly in fast-paced work environments.
• Watering hole attacks. These compromise websites that are frequently visited by a specific group—such as employees in a particular industry or company. When users visit these trusted sites, malware is installed, or credentials are stolen. These social engineering attacks are stealthy, scalable, and hard to detect without proactive security monitoring.
• Vishing (voice phishing). Vishing uses phone calls instead of emails or websites to deceive victims. Attackers often impersonate bank representatives, IT staff, or even law enforcement to extract confidential information or persuade users to take harmful actions—such as installing remote access tools or confirming account details.
• Honeytrap attacks. In honeytrap social engineering, attackers use romance, flirtation, or seduction—often through online platforms—to lure targets into sharing sensitive information or performing risky actions. This method is more common in espionage, but has been used in corporate settings as well. By building personal trust over time, honeytrap attackers can manipulate victims into exposing company secrets, installing spyware, or giving access to internal systems.
• Business email compromise (BEC). While related to phishing, BEC deserves its own mention. In these attacks, cybercriminals spoof or compromise executive or vendor email accounts to request fraudulent wire transfers or sensitive data. These messages are typically well-researched, precise, and lack malicious links—making them hard to detect. In 2024 alone, BEC cost companies billions worldwide. The success of these scams hinges on trust in email identity and urgency to act, especially in finance and procurement teams.

Examples of social engineering

The following four real-life examples of social engineering highlight how attackers exploit trust, impersonation, and urgency to launch attacks that lead to breaches or financial losses. They show why organizations need strong technical defenses and educated, vigilant teams:

1. Sony Pictures hack (2014)

Attackers used spear phishing emails (masquerading as Apple) to deceive Sony executives into installing malware. The result: over 100 TB of internal data—including unreleased films and sensitive information—was leaked.

2. Twitter Bitcoin scam (2020)

Cybercriminals carried out a coordinated social engineering attack on Twitter employees, gaining internal tool access via phone spear phishing. They then commandeered verified accounts—including public figures—to promote a Bitcoin scam and stole at least $120,000.

3. M&S and Co‑op password reset scam (2025)

Groups like Scattered Spider deceived help-desk staff at Marks & Spencer and the Co‑op by impersonating employees requesting password resets and using SIM‑swapping. The result: millions in lost profit and significant breaches of sensitive information.

Beyond headline-making breaches, countless smaller incidents occur daily—often unreported but equally damaging. From invoice fraud to fake vendor updates, these quieter attacks erode trust, drain resources, and distract teams. Recognizing that social engineering doesn’t always look dramatic is crucial to building a culture of constant vigilance across all departments.

How to prevent social engineering attacks

Understanding what is social engineering is only the first step—prevention is where real protection begins. While technical defenses are important, stopping social engineering attacks requires addressing the human element behind most breaches. Here are five core prevention strategies for businesses:

• Educate employees. Security training empowers employees to recognize and respond to social engineering attacks before damage is done. Regular, scenario-based training helps reinforce good habits—like hovering over links, verifying email addresses, and reporting anything suspicious. Awareness of red flags—such as urgent requests, unfamiliar senders, or out-of-context messages—is essential across every department, not just IT.
• Use enterprise-grade security solutions. Solutions like NordLayer’s Enterprise Browser provide controlled, secure access to company resources—reducing the attack surface for phishing and watering hole attacks.
• Verify requests before acting. Encourage a company-wide culture where double-checking is expected, not optional. If an urgent request involves money, credentials, or system access, employees should confirm it through a second channel—like a direct call or internal messaging tool. Cybercriminals often exploit rushed decision-making, so building in a moment of pause can stop attacks cold.
• Block malicious sites automatically. Threat protection solutions, including Web Protection, prevent users from accessing domains known for phishing, malware, or other deceptive behavior. This adds a critical layer of defense, especially when attackers rely on spoofed websites to carry out social engineering attacks.
• Block malicious downloads automatically. Even the most cautious employee might unknowingly download a malicious file. Download Protection acts as a safety net—scanning downloaded content in real time and preventing harmful files from reaching the device. If a threat is detected, the download is stopped, and the administrator is notified, ensuring fast containment and reducing the window for attacker action.
• Enforce strong access controls. While they may not prevent a social engineering attack from occurring, they play a crucial role in minimizing damage if one succeeds. Network segmentation, role-based access, and ZTNA (Zero Trust Network Access) policies ensure that even if an attacker gains entry, their access remains limited—containing the threat to isolated environments instead of the entire system. This layered approach helps protect sensitive data and critical infrastructure from lateral movement within the network.

Final thoughts

Cybercriminals don't need to break through firewalls if they can simply manipulate people. That’s the fundamental risk social engineering represent—a growing threat that exploits human trust rather than technical flaws.

NordLayer helps organizations build resilient defenses against these attacks by combining proactive tools and intelligent network controls. With features like DNS Filtering, Web Protection, Download Protection, malware detection, and our upcoming Enterprise Browser, businesses can prevent access to malicious online content or files before employees even have a chance to engage with it. Paired with network monitoring solutions—such as NordLayer’s Activity Logs and Visibility tools—administrators can track device and user connections in real time, detect anomalies early, and respond swiftly in the event of a breach.

For companies committed to secure remote access, enforcing least-privilege policies and Zero Trust principles ensures tighter control over every connection point. The result? A more alert workforce, a stronger attack perimeter, and fewer opportunities for cybercriminals to exploit.

To learn how NordLayer can help strengthen your business against social engineering attacks, get in touch with our team.