Social engineering is one of the most effective ways for criminals to gain information and access, and you’ve likely been targeted through social engineering strategies whether you realised it or not. Read on to discover what social engineering is, the most common types used and why it’s so effective.
Written by Grant Longstaff. Published 13 November 2025.
What is social engineering?
Social engineering is a tactic used to manipulate people into carrying out specific actions, such as giving away confidential information or performing tasks which compromise security. Rather than traditional hacking methods, the strategy relies on the psychological manipulation of an individual. Cybercriminals will first gain the trust of their victim before deceiving them into providing information or access.
The National Crime Security Centre states: “What makes social engineering especially dangerous is that it relies on human error, rather than vulnerabilities in software and operating systems. Mistakes made by legitimate users are much less predictable, making them harder to identify and thwart than a malware-based intrusion.”
How does social engineering work?
Social engineering comes in many forms, but you’ll find patterns in the strategies used. First, the perpetrator will carry out some research on the victim. This can help lend a sense of credibility to the communication. The victim is then contacted and the perpetrator positions themselves as a person of authority. For example, they might pose as a bank employee or an IT technician.
Once contact is made, the manipulation begins. The victim might be asked to share passwords or bank details, or to download malware so the cybercriminals can gain access to a device. Often the requests will be framed as time sensitive and necessary to prevent some kind of harm, which can make victims panic and more likely to comply.
Types of social engineering
Phishing
Phishing is one of the most common forms of social engineering and involves criminals attempting to gain your personal information. Messages come in the form of emails, text messages and phone calls, which often try to mimic official communication. Many are easy to spot, but cybercriminals are becoming more sophisticated in their approaches, so it’s important to remain vigilant against such attacks.
Baiting
Another common approach is baiting. This involves attackers trying to manipulate victims with an offer, such as a free gift, trial or subscription. Consider how many times you’ve received an email offering you the latest electric toothbrush or a Netflix trial for absolutely nothing. It’s often worth remembering the old adage: If it’s too good to be true, it probably is.
There are also instances where cybercriminals will leave USB devices loaded with malware in public places in the hope that someone’s curiosity will prompt them to pick one up and check its contents.
Pretexting
With pretexting, perpetrators will create a narrative in order to carry out the manipulation. Examples include pretending to be a trusted representative of an organisation, such as a government official, or an employee in your place of work. For example, you receive a call from someone who identifies themselves as a fraud expert with your bank. They say your bank details have been leaked and, in order to stop a transaction for a significant amount of money, you’ll need to share personal details so they can prevent it.
Tailgating
Tailgating is a form of social engineering where a criminal gains access to a restricted area by posing as an authorised person. It targets our politeness. As you enter a door with your key card someone casually asks you to hold the door for them too. It seems too simple and feels like it should be easily avoidable, but access has been gained and companies compromised in this way.
It’s worth noting that the tactics used by criminals to manipulate their targets are wide-ranging, and some of the most sophisticated attacks might use more than one approach.
Why social engineering works
The Cyber Security Breaches Survey 2025, commissioned by the Department for Science, Innovation and Technology (DSIT) and the Home Office, found 43% of businesses and 30% of charities experienced some form of cyber security breach or attack in the last year. The report also found “phishing attacks remain the most prevalent and disruptive type of breach or attack (experienced by 85% of businesses and 86% of charities).”
Social engineering is so effective because it exploits human nature. Attackers abuse our trust, curiosity and sometimes fear in order to make us more compliant and cooperative. Our online presence can be used against us. Our emotions and actions can be manipulated.
The report also stated, “organisations had a growing consciousness that increasingly sophisticated methods, such as AI impersonation, were becoming mainstream.” For individuals working in cyber security this presents a problem. How do we better protect ourselves, and the organisations we work for, from cyberattacks?
Social engineering defence
Approximately 3% of all businesses and 1% of all charities have been a victim of cyber-facilitated fraud in the last year. The numbers might seem small, but this equates to roughly 40,000 businesses and 2,000 charities. One of the most effective defences against social engineering strategies and tactics is education and awareness.
If you work in cyber security, you’ll need a cyber security strategy for the business and will need to regularly review your training material and policy documents to help staff better identify threats. Encourage multifactor authentication, invest in malware protection and deploy strong email filters. You’ll also need to stay up to date with the latest developments within the tech sector so you can understand how tools such as AI are being used by cybercriminals.
As individuals we need to consider any communication that feels odd or unusual. Don’t open unexpected attachments or visit links which look strange. Simple things like verifying an email address or telephone number or checking the URL of a website can make all the difference.
If you’re interested in learning more about core computing concepts, such as the application of AI and software development, our MSc in Computer Science is for you.