Social Engineering: The Human Hack


When we think of hackers, we think of black gloves and dark basements, voice scramblers and glowing green numbers. But this image is increasingly more sci-fi flick than real-life threat. The cybersecurity industry has stepped up its game. Computer code can be fortified, programs protected, systems defended.

Humans, on the other hand, have defects that can’t be patched up with a string of code. At times, we’re distracted, rash, and overtrusting. This isn’t always bad. But it does make us vulnerable. Perhaps the easiest way to penetrate an information system isn’t through its code but through its human operators. That’s the psychology behind social engineering.

What is social engineering?

Depending on who you ask, social engineering (SE) could be considered a science or a scam (maybe even both). Social engineering is the process of leveraging social skills to influence people to perform certain actions. Successful social engineers predict behavior and construct scenarios that enable them to exploit unsuspecting targets. Essentially, it’s the practice of hacking humans.

Forms of social engineering

To date, there’s no foolproof firewall for people. But if you’re aware of what to look for, you’ll certainly be harder to hack. Here’s a rundown of five common social engineering tactics.


Baiting attacks are essentially cybersecurity mouse traps. Social engineers leave a seemingly harmless device (like a flash drive or CD) in a conspicuous location, expecting that whoever finds it will be curious enough to open it. By the time the victim realizes the mystery disk is infected with malware, it’s too late—the hacker already has access to the system.


This method of social engineering is often disguised as an authentic message from a trustworthy source. For example, you may receive a legitimate-looking email that says you have 24 hours to reset your password or you’ll be locked out of your account. When you follow the link in the email, though, you’re taken to a spoofed site that captures your login credentials. Phishing attacks can be especially malicious when they compel you to enter payment information.


Attackers who employ the pretexting tactic sell a false story to gain sensitive information. A scammer who calls claiming to work for your bank may put you at ease by reciting your billing address, place of employment and contact information. But in reality, all these specifics could have been obtained from your social media profile.


Tailgating allows unauthorized individuals to physically enter a secured location. This can happen when an offender follows closely behind an employee with security clearance or asks you to hold the door because they’ve forgotten their key card.

Watering hole attack

Many tech-savvy users can subvert email spam. But watering hole attacks are especially effective because they entice users to visit familiar websites. Typically, watering hole hackers inject a site with attack code so that visitors who come seeking downloadable resources like coupons end up installing malicious software.

Don’t fall for fakes

Here’s the takeaway: always be wary about online interactions. Before you engage with an email, Facebook message, social media post or pop-up advertisement, check for three indisputable red flags:

  • You don’t recognize the sender.
  • The topic is random, unsolicited or irrelevant.
  • The message includes a link or attachment you didn’t specifically ask for.

If even one of these statements are true, delete the message. In the case that you ignore legitimate information, the sender will surely follow up.

Since social engineering isn’t limited to cyberspace, it doesn’t hurt to approach offline engagements with the same degree of discretion. Never give computer access to someone you don’t know personally. Don’t play detective—turn in devices that don’t belong to you. And always be aware of your surroundings. That last one will serve you well even if you don’t hold the key to your company’s trade secrets.

The best hackers out there don’t just have a thorough knowledge of commands and curly brackets—they’re also acutely aware of human blind spots. Although we can’t fix all of our flawed “code,” we can add a few lines of defense by simply clicking with caution.