Social Engineering Attacks and How to Defend Yourself

Social engineering is a collective term for attack techniques that extract confidential information by exploiting human psychological weaknesses and relationships of trust, rather than technical means. No matter how robust a security system you build, it is meaningless if the human operating it is deceived. These attacks are based on the principle that the weakest link in security is always the "human." According to a 2024 Verizon study, a human element was involved in about 68% of data breaches, and sophisticated impersonation attacks abusing generative AI are on the rise.

Historical Background

The person who made the concept of social engineering widely known is Kevin Mitnick, a hacker active in the 1990s. He relied more on impersonation over the phone and psychological manipulation than on technical hacking, infiltrating the systems of large corporations. His book "The Art of Deception," published after his arrest, is still read today as a classic of social engineering. With the spread of the internet, attack methods evolved into phishing emails and fake websites, but the essence of exploiting human psychology has not changed.

Common Techniques

Pretexting is a technique in which an attacker poses as a trustworthy person, such as IT support or a manager, to extract passwords or confidential information. Tailgating is a physical intrusion method of passing through a security gate by following behind a legitimate employee. Baiting is a technique of planting malware on a USB drive or similar device and getting victims to connect it out of curiosity. Quid pro quo is a method of extracting information by offering "something in return," such as posing as a "free security assessment."

For a deeper treatment of attack techniques that exploit human psychology, books on social engineering (available on Amazon) are the classic reference works.

Real-World Use Cases

"As a result of a simulated phishing exercise, 38% of new employees clicked the link in the fake email. We are changing our policy to conduct social engineering countermeasure training every quarter."

Classification of Attack Methods

Online type: Phishing, smishing, vishing
In-person type: Pretexting, tailgating
Physical type: Baiting (USB), shoulder surfing

Defenses and Pitfalls in Practice

Defending against social engineering requires both technical and human measures. Always verify the identity of anyone making a suspicious request, and make it an absolute rule never to share passwords over the phone or by email. Within organizations, regular security education and simulated phishing exercises are effective. A common pitfall is the overconfidence of "our employees are fine." When exercises are actually conducted, even employees in the IT department are reported to fall for sophisticated attacks. If you use a random, unguessable password, an attacker who tries to extract a "password hint" gains nothing. Security awareness training books (Amazon) are also helpful for strengthening an organization's defenses.
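The "technical measures" side of the defenses above can be made concrete with a small triage check that scores an inbound message for the indicators associated with phishing, pretexting and quid-pro-quo requests: a sender domain that imitates a trusted one, an external address dressed up with the organization's name, a Reply-To that diverts replies, pressure wording, and link text that hides its real target. The following is an added example written for this page, not code from the original article; the trusted-domain list, the organization name, the phrase list and the three sample messages are all constructed for illustration.

```python
"""Added example: score an inbound e-mail for social-engineering indicators.
All domains, names and sample messages below are constructed (hypothetical)."""
import re
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Hypothetical organization: the domains its staff legitimately send from,
# and the name an impostor would be likely to put in a display name.
TRUSTED_DOMAINS = {"example.com", "it.example.com"}
ORG_NAME = "example"

# Pressure and credential-request phrasing typical of pretexting and
# quid-pro-quo messages (constructed list; extend for your environment).
PRESSURE_PHRASES = (
    "urgent", "immediately", "verify your password", "account will be suspended",
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def score_message(headers: Dict[str, str], body: str) -> Tuple[int, List[str]]:
    """Return (number of indicators, human-readable reasons) for one message."""
    reasons: List[str] = []
    display_name, address = parseaddr(headers.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. Sender is outside the organization: either a look-alike of a trusted
    #    domain, or an external address whose display name borrows the org's name.
    if domain and domain not in TRUSTED_DOMAINS:
        imitated = lookalike_domain(domain)
        if imitated:
            reasons.append(f"sender domain {domain} resembles trusted domain {imitated}")
        elif ORG_NAME in display_name.lower():
            reasons.append(f"display name claims {ORG_NAME!r} but sender is external ({domain})")

    # 2. Replies would go somewhere other than the apparent sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != address.lower():
        reasons.append(f"Reply-To {reply_to} differs from From {address}")

    # 3. Pressure language or a credential request in the body.
    lowered = body.lower()
    hits = [p for p in PRESSURE_PHRASES if p in lowered]
    if hits:
        reasons.append("pressure/credential wording: " + ", ".join(hits))

    # 4. Link text names a trusted domain but the real target host does not match.
    for href, text in re.findall(r'<a href="([^"]+)">([^<]+)</a>', body):
        host = (urlparse(href).hostname or "").lower()
        if host not in TRUSTED_DOMAINS and any(t in text.lower() for t in TRUSTED_DOMAINS):
            reasons.append(f"link text {text!r} hides target host {host}")

    return len(reasons), reasons


# Constructed sample messages (not real traffic): a look-alike-domain phish,
# a benign internal mail, and an external impostor using the org's name.
SAMPLES = [
    {"headers": {"From": "IT Support <helpdesk@examp1e.com>",
                 "Reply-To": "helpdesk@examp1e.com"},
     "body": 'Urgent: verify your password immediately at '
             '<a href="http://examp1e.com/login">example.com/login</a> '
             'or your account will be suspended.'},
    {"headers": {"From": "Alice <alice@example.com>"},
     "body": "Hi, can you review the attached minutes from today's meeting?"},
    {"headers": {"From": "Example Payroll <payroll@freemail.test>",
                 "Reply-To": "ceo.office@freemail.test"},
     "body": "Please reply with your mobile number immediately; I am in a meeting."},
]


def triage(samples=SAMPLES) -> List[Tuple[int, List[str]]]:
    """Score every sample; useful as the first pass before a human reviews the mail."""
    return [score_message(s["headers"], s["body"]) for s in samples]


if __name__ == "__main__":
    for sample, (count, why) in zip(SAMPLES, triage()):
        print(f"{count} indicator(s) for From: {sample['headers']['From']}")
        for line in why:
            print("   -", line)
```

The score is deliberately a count of independent indicators rather than a verdict: a message with zero hits still deserves the identity-verification rule from the text, and a message with several hits is what a simulated phishing exercise should look like to the people reviewing it.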
