The Phone Call That Cost One Company $100 Million

In 2019, a UK-based energy company's CEO received a phone call from what he believed was his boss — the head of the parent company in Germany. The voice was perfect. The accent, the tone, the speech patterns — all spot on. The caller instructed him to wire $243,000 to a Hungarian supplier within the hour. He complied. That voice was generated by AI-powered deepfake technology, and the money vanished through accounts in Mexico and beyond.

That's what social engineering attacks look like in 2022: sophisticated, personalized, and devastatingly effective. They don't exploit software vulnerabilities. They exploit you. Your trust. Your habits. Your desire to be helpful. And according to the 2021 Verizon Data Breach Investigations Report, 85% of all data breaches involve a human element. Not a zero-day exploit. Not a misconfigured firewall. A person who made a mistake.

This post breaks down exactly how social engineering attacks work, what the most dangerous variants look like right now, and what your organization can do to stop them before they cost you millions.

What Makes Social Engineering Attacks So Dangerous?

I've spent years watching organizations pour six-figure budgets into firewalls, endpoint detection, and SIEM platforms — then lose everything because an accountant clicked a link in a spoofed email. Social engineering attacks bypass every technical control you own by targeting the one thing you can't patch: human psychology.

Here's what actually happens. A threat actor researches your company on LinkedIn. They find the name of your CFO, your IT manager, your new hire in accounts payable. They learn your company just closed a funding round or hired a new vendor. Then they craft a message — an email, a phone call, a text — that feels completely legitimate because it references real details about your organization.

The target doesn't think twice. The email mentions a real project. The caller uses the real name of a colleague. The urgency feels appropriate. And just like that, credentials are stolen, wire transfers are initiated, or malware is deployed.

The Psychology Behind the Attack

Dr. Robert Cialdini identified six principles of influence decades ago: reciprocity, commitment, social proof, authority, liking, and scarcity. Every social engineering attack leverages at least one — usually several simultaneously.

  • Authority: "This is the CEO. I need this done now."
  • Urgency/Scarcity: "Your account will be locked in 15 minutes."
  • Social Proof: "Everyone on the team has already submitted their credentials through this portal."
  • Liking: The attacker builds rapport, mirrors your communication style, references shared interests scraped from social media.

These aren't tricks that only work on careless people. They work on smart, experienced professionals under time pressure — which describes most of your workforce on any given Tuesday.

The 6 Social Engineering Attack Vectors Hitting Organizations Right Now

1. Phishing: Still the King

Phishing remains the single most common attack vector. The FBI's 2021 Internet Crime Report logged 323,972 phishing complaints — more than any other crime category, and nearly double the count from two years prior. These aren't Nigerian prince emails anymore. They're polished, branded messages from "Microsoft," "DocuSign," or your company's actual HR platform.

Phishing simulations are one of the most effective ways to measure and reduce this risk. If your organization isn't running them regularly, you're flying blind. Our phishing awareness training for organizations walks your team through exactly what real-world phishing looks like and how to respond.

2. Spear Phishing and Business Email Compromise (BEC)

Spear phishing takes the shotgun approach of regular phishing and turns it into a sniper rifle. The threat actor targets a specific individual — typically someone with financial authority or system access — with a highly personalized message.

BEC is the monetized version. The FBI IC3 reported $2.4 billion in adjusted losses from BEC in 2021 alone. That makes it the single most financially destructive cybercrime category. The attacker compromises or spoofs an executive's email and instructs a subordinate to wire funds, change payment details, or share sensitive data.

3. Vishing (Voice Phishing)

Phone-based attacks are surging. The threat actor calls pretending to be IT support, a bank representative, or a government agency. They create urgency — "Your account has been compromised, I need to verify your identity" — and extract credentials, one-time passwords, or personal information.

I've seen vishing calls that spoofed the actual phone number of a company's IT help desk. The employee saw a familiar number on caller ID and had no reason to question it.

4. Smishing (SMS Phishing)

Text-based social engineering is exploding because people inherently trust SMS more than email. A text from "your bank" with a shortened URL? Most people tap it without thinking. Smishing attacks often bypass email security controls entirely because they hit personal devices that your security team doesn't monitor.

5. Pretexting

Pretexting is the long con. The attacker creates a fabricated scenario — a pretext — to build trust over time. They might pose as a new vendor, a fellow employee at a remote office, or an auditor. Over multiple interactions, they gather fragments of information that eventually unlock access to systems or data.

The 2020 Twitter breach is a textbook example. Attackers called Twitter employees posing as IT staff, convinced them to enter credentials on a fake internal page, and used that access to hijack high-profile accounts, including those of Barack Obama, Elon Musk, and Apple.

6. Physical Social Engineering

Tailgating through badge-controlled doors. Dropping infected USB drives in parking lots. Posing as delivery personnel or maintenance workers. Physical social engineering still works because most employees don't want to seem rude or paranoid by challenging someone who "looks like they belong."

In penetration tests, I've seen testers walk into secured offices with nothing more than a clipboard, a hard hat, and confidence. Nobody stopped them.

How Do You Detect a Social Engineering Attack?

This is the question that matters most for your front-line employees. Here are the concrete red flags:

  • Unexpected urgency. Any message that pressures you to act immediately — especially involving money, credentials, or sensitive data — should trigger suspicion.
  • Unusual requests from authority figures. If the CEO emails you directly asking for gift cards or a wire transfer, verify through a separate channel. Always.
  • Mismatched details. Hover over sender addresses. Check for subtle misspellings in domains ("rnicrosoft.com" instead of "microsoft.com"). Look at the reply-to address, not just the display name.
  • Requests to bypass normal procedures. "Don't go through the usual process this time" is almost always a social engineering play.
  • Emotional manipulation. Fear, excitement, curiosity, helpfulness — if a message is trying to make you feel something strongly, slow down.
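The "mismatched details" and "unexpected urgency" checks above can be automated on the security team's side as a first-pass triage of reported emails. The following is an added example, not code from the original post: it parses one constructed message, collapses common look-alike character swaps (such as "rn" for "m") before comparing the sender domain against an assumed trusted list, and flags a Reply-To that points elsewhere and urgency wording in the subject or body.

```python
import email
from email.utils import parseaddr

# Assumed list of domains the organisation treats as legitimate; other senders are checked for look-alikes.
TRUSTED_DOMAINS = {"microsoft.com", "example-corp.com"}
URGENCY_WORDS = ("immediately", "within the hour", "urgent", "will be locked", "right now")
# Character sequences commonly swapped to build look-alike domains (e.g. "rn" reads as "m").
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]

# Constructed sample message for this example, not a real lure.
SAMPLE = """\
From: Microsoft Support <helpdesk@rnicrosoft.com>
Reply-To: billing@secure-pay-portal.example
To: accounts@example-corp.com
Subject: Action required: your account will be locked in 15 minutes

Please confirm your credentials immediately at the portal below.
"""


def normalize(domain: str) -> str:
    """Collapse confusable sequences so 'rnicrosoft.com' becomes 'microsoft.com'."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def red_flags(raw: str) -> list[str]:
    """Return the social-engineering red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rsplit("@", 1)[-1].lower()
    reply_dom = parseaddr(msg.get("Reply-To", addr))[1].rsplit("@", 1)[-1].lower()
    flags = []
    # Not trusted as written, but matches a trusted domain once confusables are collapsed.
    if from_dom not in TRUSTED_DOMAINS and normalize(from_dom) in TRUSTED_DOMAINS:
        flags.append(f"look-alike sender domain {from_dom}")
    # Display name borrows a trusted brand that the actual address does not belong to.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in display.lower() and from_dom != trusted:
            flags.append(f"display name '{display}' does not match sender domain {from_dom}")
    # Replies are silently redirected away from the apparent sender.
    if reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    # Pressure to act now, before anyone verifies.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(word in text for word in URGENCY_WORDS):
        flags.append("urgency language")
    return flags
```

Run against the sample, all four flags fire; a routine internal message from a trusted domain with no Reply-To and no pressure wording returns an empty list, which is what a "report phishing" button handler can use to prioritise analyst attention.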

Training your team to recognize these patterns is the single highest-ROI security investment you can make. Our cybersecurity awareness training covers these exact scenarios with real-world examples your employees will actually remember.

The $4.88M Lesson Most Organizations Learn Too Late

According to IBM's Cost of a Data Breach Report 2021, the average cost of a data breach hit $4.24 million — a 17-year high at that point. Social engineering was a leading initial attack vector. Organizations that had security awareness training and incident response teams in place saved an average of $2.46 million per breach compared to those that didn't.

Let that sink in. Not having a training program isn't saving money. It's guaranteeing you'll pay more when — not if — a breach happens.

Why Technical Controls Alone Fail

Multi-factor authentication is essential. Zero trust architecture is the right direction. Email filtering catches a lot. But none of these controls are perfect, and social engineering attacks are specifically designed to circumvent them.

MFA fatigue attacks — where the attacker spams the victim with push notifications until they accept one — are already in the wild. Credential theft through phishing can bypass MFA when the attacker captures session tokens in real time using tools like Evilginx2. Your security stack is only as strong as the human operating within it.
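MFA fatigue leaves a recognisable trace in the identity provider's logs: a run of denied or unanswered push prompts for one user, then an approval. The following detection is an added example, not code from the original post or from any vendor; the log format is constructed for the example, and the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed push-MFA log for this example (format invented, not any vendor's):
# <timestamp> <user> <result> <source-ip>, where result is approved, denied or timeout.
SAMPLE_LOG = """\
2022-06-14T02:11:03Z alice denied 203.0.113.9
2022-06-14T02:11:41Z alice denied 203.0.113.9
2022-06-14T02:12:20Z alice timeout 203.0.113.9
2022-06-14T02:12:55Z alice denied 203.0.113.9
2022-06-14T02:13:30Z alice approved 203.0.113.9
2022-06-14T09:05:10Z bob approved 198.51.100.7
2022-06-14T09:40:02Z carol denied 198.51.100.8
2022-06-14T09:41:15Z carol approved 198.51.100.8
"""

THRESHOLD = 3                   # assumed: this many rejected or unanswered prompts ...
WINDOW = timedelta(minutes=10)  # ... within this long before the approval


def parse_line(line: str):
    ts, user, result, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, ip


def mfa_fatigue_alerts(log: str, threshold: int = THRESHOLD, window: timedelta = WINDOW) -> list[dict]:
    """Flag approvals that follow a burst of denied or timed-out push prompts for the same user."""
    pending = defaultdict(list)  # user -> timestamps of prompts that were not approved
    alerts = []
    for line in log.splitlines():
        ts, user, result, ip = parse_line(line)
        if result != "approved":
            pending[user].append(ts)
            continue
        burst = [t for t in pending[user] if ts - t <= window]
        if len(burst) >= threshold:
            alerts.append({"user": user, "source_ip": ip, "prompts": len(burst), "approved_at": ts})
        pending[user].clear()  # an approval closes the episode either way
    return alerts
```

A stricter variant raises the alert as soon as the burst alone crosses the threshold, so the help desk can reach the user before a tired thumb accepts the prompt.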

Building a Defense That Actually Works Against Social Engineering

Step 1: Establish a Security Awareness Training Program

Not a once-a-year compliance checkbox. A continuous program with monthly touchpoints, updated content reflecting current threats, and measurable outcomes. Track phishing simulation click rates over time. Identify repeat offenders and give them additional coaching — not punishment.

Start with a structured curriculum like the one at computersecurity.us, which covers the full spectrum of social engineering tactics your employees will face.

Step 2: Run Regular Phishing Simulations

You can't improve what you don't measure. Phishing simulations tell you exactly where your vulnerabilities are — which departments, which individuals, which attack types are most effective against your workforce. Our phishing awareness training platform lets you run realistic simulations and track results over time.

Step 3: Implement Verification Procedures for Sensitive Requests

Any request involving wire transfers, payment changes, credential sharing, or sensitive data should require out-of-band verification. That means a phone call to a known number — not the number in the email. This single policy would have prevented the majority of BEC losses reported to the FBI.

Step 4: Layer Technical Controls Strategically

  • Multi-factor authentication on every account that supports it. Prefer hardware keys or authenticator apps over SMS.
  • Email authentication protocols: DMARC, DKIM, and SPF properly configured to prevent domain spoofing.
  • Zero trust network architecture: Never assume a user or device is trusted just because they're inside the perimeter.
  • Endpoint detection and response (EDR): Catch malware that slips through when someone does click the wrong link.
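"Properly configured" for SPF and DMARC means, concretely, an SPF record that ends in a hard fail and a DMARC record that enforces rather than merely monitors. This added example (not code from the original post) evaluates constructed TXT records offline, a weak pair beside a corrected pair; in practice you would feed it the TXT records fetched for your own domain and its _dmarc subdomain.

```python
import re

# Constructed records for this example: a weak pair beside a corrected pair.
WEAK_SPF = "v=spf1 include:_spf.mailer.example +all"
STRONG_SPF = "v=spf1 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-corp.com"


def parse_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=none; ...' into a tag dictionary with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "none").lower()
    findings = []
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse goes unseen")
    return findings


def spf_findings(record: str) -> list[str]:
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["not an SPF record"]
    findings = []
    if terms[-1] in ("+all", "all", "?all"):
        findings.append(f"{terms[-1]}: any host on the internet may send as this domain")
    elif terms[-1] == "~all":
        findings.append("~all: softfail only; move to -all once every sender is listed")
    # RFC 7208 allows at most 10 DNS-querying mechanisms; more makes SPF evaluation fail outright.
    lookups = sum(1 for t in terms if re.split(r"[:/=]", t.lstrip("+-~?"))[0] in ("include", "a", "mx", "exists", "redirect"))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: exceeds the limit of 10 (permerror)")
    return findings
```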

Step 5: Create a Blame-Resistant Reporting Culture

If employees fear punishment for reporting a potential social engineering attack — or for falling for one — they'll hide it. And a hidden compromise is far more expensive than a reported one. Celebrate reports. Reward vigilance. Make "I'm not sure about this email" the easiest message anyone can send to your security team.

The Social Engineering Threat Isn't Slowing Down

The tools available to threat actors keep getting cheaper and more sophisticated. Deepfake audio is accessible. AI-generated phishing emails pass grammar checks that used to be reliable red flags. OSINT tools let attackers profile your entire organization in hours.

CISA has been actively warning organizations about the escalating sophistication of social engineering campaigns. Their Shields Up initiative — launched earlier this year in response to geopolitical tensions — specifically highlights social engineering as a primary threat vector for organizations of all sizes.

The organizations that survive this landscape aren't the ones with the biggest security budgets. They're the ones with employees who pause before clicking, verify before transferring, and report before it's too late.

Your Next Move

Every week you delay building a social engineering defense is another week your organization operates with its biggest vulnerability completely unaddressed. Start by assessing where you stand. Run a phishing simulation. Launch a training program. Build verification procedures into your financial workflows.

Social engineering attacks succeed because they target people — and people can be trained to fight back. The question is whether you'll invest in that training before or after a seven-figure incident forces your hand.