What Is Social Engineering in Cybersecurity?

The main types are phishing (fraudulent emails), vishing (voice calls impersonating IT support or banks), smishing (malicious SMS messages), pretexting (fabricated scenarios to extract information), baiting (leaving infected USB drives), and tailgating (physically following authorised staff into secure areas). With 85% of businesses that experienced a breach identifying phishing as the vector (DSIT 2025), email-based social engineering remains the most prevalent form.

Effective defences combine regular staff awareness training, simulated phishing campaigns, strict verification procedures for financial requests, and technical controls like email filtering and MFA. Establishing a culture where staff feel comfortable reporting suspicious contacts without blame is critical. BEC attacks increased 33% in 2025 (FBI IC3 Report), and organisations with formal verification procedures for payment changes are significantly less likely to fall victim.

Social engineering exploits human psychology — trust, urgency, authority, and helpfulness — rather than technical vulnerabilities. Even well-trained staff can be deceived by sophisticated pretexts, particularly when attackers research their targets using LinkedIn and company websites. The average cost of the most disruptive breach is £3,550 (DSIT 2025), and social engineering is the initial access method behind the majority of these incidents.