Cyber security: Social engineering basics

What is social engineering?

At its root, social engineering is the exploitation of human nature. People are naturally trusting and will often help a stranger rather than risk a confrontation. Social engineering abuses that social trust to achieve a harmful objective, typically obtaining information, access, or money that the attacker is not entitled to.

Social engineering generally falls into four attack vectors:

  • Phishing (email-based)

  • Vishing (voice/phone-based)

  • Smishing (text-based)

  • Physical (in person)

To cover each of these attack routes in depth would require a separate blog post. For the purposes of this article, we’ll focus on social engineering from a physical perspective.

Physical social engineering strategies

When targeting individuals during a physical breach attempt, attackers commonly combine the following strategies:

  • Using a pretext – creating a story to add legitimacy

  • False identity – posing as an employee, maintenance worker, contractor, or visitor from another office

  • Redirection/distraction – shifting the target’s attention away from your actions

  • Subversion of the mind – verbally manipulating individuals to obtain information

  • Piggybacking/tailgating – following another person closely through a secured entry, such as a card-reader-controlled door, without presenting a credential. The terms are often distinguished by consent: tailgating is slipping through unnoticed, piggybacking is when the legitimate user knowingly holds the door.

  • De-escalation techniques – calming situations or individuals, such as an irate security guard

How a typical physical breach works

Before the attempt, attackers often spend hours on reconnaissance to build a credible pretext. They browse platforms like LinkedIn, Facebook, YouTube, and Instagram to learn about company culture, employee names and roles, uniforms, and what badges look like. Satellite imagery and publicly available building layouts help them plan entry points. Sometimes they call the company directly, impersonating a colleague, supplier, or contractor, to extract further details such as who is on site or which door staff use.

Once on-site, attackers observe personnel and traffic patterns, where staff gather (smoking areas, loading bays, coffee runs), and which doors are used for entry and exit. This identifies opportunities to tailgate or piggyback into secure areas. Common tactics include redirection or distraction (e.g., pretending to be on the phone so nobody starts a conversation), carrying boxes or a tray of donuts so that a helpful employee holds the door and the attacker never has to present a badge, and politely letting others go ahead to appear credible and unhurried.
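Tailgating through a card-reader door leaves a gap in the access logs: the intruder is inside a zone without a corresponding badge-in, and a passed-back badge shows up as two entries with no exit between them. The following anti-passback check is an added example written for this article, not code from the original page or from any access-control product. It assumes a log format (timestamp, badge ID, door, IN/OUT) that is constructed here for illustration and that the log covers a full day starting from an empty building, since a window that starts mid-day would make everyone already inside look like a tailgater.

```python
"""Anti-passback check: flag badge events that imply someone tailgated.

Assumptions (hypothetical, not from the original article):
  - every secured door logs a swipe in both directions, as
    'timestamp,badge_id,door,direction' with direction IN or OUT;
  - the log starts from an empty building, so the initial state of
    every badge at every door is 'outside'.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2024-03-04T08:01:10,B1001,lobby-east,IN
2024-03-04T08:01:12,B1002,lobby-east,IN
2024-03-04T08:02:30,B1003,lobby-east,OUT
2024-03-04T08:45:00,B1001,lobby-east,OUT
2024-03-04T09:10:00,B1004,lobby-east,IN
2024-03-04T09:10:05,B1004,lobby-east,IN
2024-03-04T12:00:00,B1002,lobby-east,OUT
2024-03-04T12:30:00,B1003,lobby-east,IN
"""

Event = Tuple[str, str, str, str]  # (timestamp, badge, door, direction)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    badge: str
    door: str
    reason: str


def parse_log(text: str) -> List[Event]:
    """Parse the CSV-style log, skipping blank and commented lines."""
    events: List[Event] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, badge, door, direction = (f.strip() for f in line.split(","))
        direction = direction.upper()
        if direction not in ("IN", "OUT"):
            raise ValueError(f"bad direction in log line: {line!r}")
        events.append((ts, badge, door, direction))
    return events


def find_anti_passback_violations(events: List[Event]) -> List[Alert]:
    """Replay events per (badge, door) and flag impossible transitions.

    OUT while 'outside'  -> the holder got in without badging (tailgated in).
    IN  while 'inside'   -> the badge was passed back through the door, or
                            the holder left without badging (tailgated out).
    """
    inside: Dict[Tuple[str, str], bool] = {}
    alerts: List[Alert] = []
    # Sorting the tuples orders by ISO-8601 timestamp first.
    for ts, badge, door, direction in sorted(events):
        key = (badge, door)
        was_inside = inside.get(key, False)  # empty-building assumption
        if direction == "IN":
            if was_inside:
                alerts.append(Alert(ts, badge, door, "entry without prior exit"))
            inside[key] = True
        else:
            if not was_inside:
                alerts.append(Alert(ts, badge, door, "exit without prior entry"))
            inside[key] = False
    return alerts


def detect_tailgating(log_text: str) -> List[Alert]:
    """Convenience wrapper: parse then check."""
    return find_anti_passback_violations(parse_log(log_text))


if __name__ == "__main__":
    for a in detect_tailgating(SAMPLE_LOG):
        print(f"{a.timestamp} {a.door} badge={a.badge}: {a.reason}")
```

Run against the sample, the check flags B1003 leaving at 08:02:30 with no entry on record (someone held the door for them on the way in) and B1004's second swipe five seconds after the first (the badge went back through the door). Real systems need a reset at the start of each day, exemptions for doors without exit readers, and a tolerance for reader faults, but the core state machine is the same.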

How to protect your business

  1. Educate employees and staff
    Teach your team security best practices, including the expectation that everyone badges in individually and that it is acceptable to challenge or report an unfamiliar person. Your employees are often the first line of defence, particularly for physical security. Ensure they know how to contact building security if needed, and encourage security personnel to introduce themselves to staff so employees feel comfortable reaching out.

  2. Maintain regular security awareness
    Attacks like these are becoming more frequent, especially as more people return to the office. A once-a-year presentation is not sufficient. Communicate security awareness material regularly, through multiple channels. Suggestions include:

    • Informative emails

    • Posters in communal areas

    • Reminder cards near entry and exit doors to discourage tailgating

Clear, consistent, and repeated messaging helps build a security-conscious culture and reduces the risk of social engineering attacks.
