The Phone Call That Cost One Company $25 Million

In early 2024, an employee at British engineering firm Arup joined a video call with what appeared to be the company's chief financial officer and several colleagues. Every face on the screen was a deepfake. The employee, convinced by what they saw and heard, authorized transfers totaling $25 million to accounts controlled by threat actors. No malware was involved. No firewall was breached. The attackers exploited the one vulnerability no patch can fix: human trust.

Social engineering attacks like this one are now the dominant method attackers use to breach organizations. If you think your technical defenses are enough, this post will change your mind.

According to the 2023 Verizon Data Breach Investigations Report, 74% of all breaches involved the human element — social engineering, errors, or misuse of credentials. That number has held steady for years. The tools change. The psychology doesn't.

What Social Engineering Attacks Actually Look Like in 2024

Forget the stereotype of a badly spelled email from a foreign prince. Modern social engineering attacks are targeted, researched, and disturbingly convincing. I've seen cases where an attacker spent three weeks engaging with a target on LinkedIn before sending a single malicious link. By the time the payload arrived, the victim considered the attacker a trusted professional contact.

Here's how the most common variants break down in practice.

Phishing: Still the King

Phishing remains the most prevalent form of social engineering by a wide margin. The FBI's Internet Crime Complaint Center (IC3) received over 298,000 phishing complaints in 2023 alone — more than any other crime type. These aren't just mass-blast emails anymore. Spear phishing targets specific individuals using information scraped from social media, company websites, and data broker sites.

A typical spear phishing email might reference a real project you're working on, name your actual manager, and mimic your company's email formatting pixel-for-pixel. The link inside takes you to a credential theft page that's a clone of your Microsoft 365 or Google Workspace login. You enter your password. The attacker now owns your account.

Pretexting and Business Email Compromise

Pretexting is the art of creating a fabricated scenario to manipulate someone into giving up information or access. Business Email Compromise (BEC) is its most expensive cousin. The IC3's 2023 report showed BEC caused over $2.9 billion in reported losses. An attacker impersonates a CEO, a vendor, or a lawyer and instructs someone in finance to wire money or redirect a payment. The pretext is carefully constructed — often timed around real business events like acquisitions or quarter-end closings.

Vishing, Smishing, and the Deepfake Frontier

Voice phishing (vishing) and SMS phishing (smishing) are surging. I've personally investigated incidents where attackers called help desk staff, impersonated employees using publicly available information, and convinced IT to reset passwords or disable multi-factor authentication. The Arup deepfake case I mentioned earlier represents the bleeding edge — but even low-tech vishing calls succeed at alarming rates when help desks lack verification protocols.

Why Technical Defenses Alone Can't Stop Social Engineering

Here's the uncomfortable truth I tell every CISO I work with: your email gateway, your endpoint detection, your SIEM — none of them can reliably stop a well-crafted social engineering attack. These tools are essential, but they address a different problem.

Social engineering attacks exploit decision-making, not software vulnerabilities. When an employee receives an email that appears to come from their boss asking them to urgently purchase gift cards, no technical control flags that as malicious. The email is plain text. There's no malware. There's no malicious link. It's just a lie — and your security stack can't detect lies.

A zero trust architecture helps limit the blast radius once credentials are compromised. Multi-factor authentication raises the bar significantly. But neither eliminates the risk entirely, because social engineering adapts. Attackers now routinely use adversary-in-the-middle phishing toolkits that capture MFA tokens in real time. The technology arms race is necessary but insufficient.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2023 Cost of a Data Breach Report pegged the average breach cost at $4.45 million globally. But breaches that started with social engineering and credential theft consistently ranked among the most expensive categories. Phishing-initiated breaches averaged $4.76 million. Stolen credentials — often harvested through social engineering — led to breaches costing $4.62 million on average.

What makes these breaches so expensive? Dwell time. Social engineering gives attackers legitimate credentials. They look like real users. They don't trigger the same alarms as brute-force attacks or malware. By the time you detect the intrusion, they've been inside your network for weeks or months, exfiltrating data or staging ransomware.

What Is a Social Engineering Attack?

A social engineering attack is any attempt by a threat actor to manipulate a person into revealing confidential information, granting unauthorized access, or taking an action that compromises security. Unlike technical exploits that target software flaws, social engineering targets human psychology — trust, urgency, fear, curiosity, and helpfulness. Common forms include phishing, pretexting, baiting, tailgating, and business email compromise. These attacks succeed because they bypass technical controls by exploiting the people who use them.

Five Tactics Attackers Use to Manipulate Your Employees

Understanding the psychological levers behind social engineering attacks is the first step toward building resistance. Here are the five I see exploited most often.

1. Manufactured Urgency

"Your account will be locked in 15 minutes." "The CEO needs this wire transfer completed before close of business." Urgency short-circuits critical thinking. When people feel rushed, they skip verification steps. Attackers know this and weaponize it relentlessly.

2. Authority Impersonation

People comply with requests from authority figures. An email that appears to come from the CEO, a message from "IT Support," or a call from someone claiming to be law enforcement — all exploit the same instinct. Employees don't want to question the boss or obstruct an investigation.

3. Reciprocity and Rapport

The LinkedIn attacker who spends weeks building a relationship before striking uses reciprocity. They offer something first — a helpful article, a job opportunity, a professional introduction. Once the target feels socially indebted, the malicious request feels natural.

4. Fear and Intimidation

"We've detected unauthorized activity on your account." "Your tax return has been flagged for fraud." Fear suppresses logical analysis and drives immediate action. This is why IRS impersonation scams remain effective year after year despite widespread awareness campaigns.

5. Exploiting Helpfulness

Most employees want to be helpful. Tailgating through a secured door, asking the help desk to bypass a security step, requesting a document "I accidentally deleted" — all of these prey on the natural desire to assist a colleague. Security policies often lose to politeness.

How to Build Real Defenses Against Social Engineering

Stopping social engineering attacks requires a layered approach that combines technology, training, and process. Here's what actually works based on what I've seen in organizations that get this right.

Run Realistic Phishing Simulations

Simulated phishing campaigns are the single most effective way to reduce click rates over time. But they have to be realistic. Using obvious fake emails teaches your employees to spot bad fakes — not the sophisticated spear phishing that will actually target them. Rotate scenarios. Use current events. Mimic real vendor communications. Track who clicks and provide immediate, judgment-free training. Our phishing awareness training for organizations is designed to do exactly this — build practical recognition skills through realistic scenarios.

Implement Verification Protocols

Every financial transaction, password reset, and access request should have a verification step that exists outside the channel the request came through. If someone emails asking for a wire transfer, you call them back at a number already on file, not one supplied in the email, to confirm. If someone calls the help desk requesting a password reset, you verify their identity through a separate channel. This one process change would have prevented the Arup deepfake loss entirely.

Invest in Ongoing Security Awareness Training

Annual compliance training doesn't work. The data is clear on this. Organizations that run monthly or quarterly training see measurably lower breach rates. Effective security awareness training covers social engineering tactics, credential theft prevention, ransomware awareness, and how to report suspicious activity without fear of punishment. Our cybersecurity awareness training program covers these exact topics with practical, scenario-based content your employees will actually remember.

Adopt Zero Trust Principles

Zero trust means no user or device is trusted by default, even inside the network perimeter. This limits what an attacker can do even if they successfully social engineer their way to valid credentials. Enforce least-privilege access. Require multi-factor authentication everywhere. Segment your network. Monitor for anomalous behavior continuously.

Harden Your Help Desk

Your help desk is a prime social engineering target. The 2023 MGM Resorts breach reportedly began with a vishing call to the IT help desk — an attacker impersonated an employee and convinced a technician to reset credentials. That single phone call led to a ransomware attack that cost MGM an estimated $100 million. Train help desk staff to follow strict identity verification procedures. No exceptions for urgency or seniority.
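Both the wire-transfer rule above and the help-desk rule here reduce to the same check: a high-risk request is only actioned after the requester is confirmed on a channel different from the one the request arrived on, using contact details from the company directory rather than anything the request itself supplied. The following is an added example written for this post, not code from Arup, MGM or any vendor; the request types, channel names, directory entries, phone numbers and badge IDs are all constructed for illustration.

```python
"""Out-of-band verification gate for high-risk requests (added example).

Models the rule described in the post: wire transfers, password resets and
similar requests are held until the requester is confirmed through a second
channel, reached via directory contact details. Everything below (request
kinds, directory, numbers) is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Channel(Enum):
    EMAIL = "email"
    PHONE = "phone"
    VIDEO = "video"
    CHAT = "chat"
    IN_PERSON = "in_person"


# Request kinds that require a second channel (assumed policy list).
HIGH_RISK = {"wire_transfer", "password_reset", "mfa_disable", "access_grant"}

# Constructed directory: identity -> contact details per channel. In practice
# this comes from HR or the identity provider, never from the request.
DIRECTORY = {
    "cfo@example.com": {Channel.PHONE: "+1-555-0100", Channel.IN_PERSON: "badge:EMP-0100"},
    "alice@example.com": {Channel.PHONE: "+1-555-0101", Channel.IN_PERSON: "badge:EMP-0101"},
}


@dataclass
class Request:
    kind: str
    requester: str                  # identity the request claims to come from
    arrived_via: Channel
    contact_in_message: str | None = None  # "call me back on..." supplied by the request


@dataclass
class Verification:
    via: Channel                    # channel the verifier actually used
    contact_used: str               # number / badge / handle the verifier used
    confirmed: bool                 # did the real person confirm the request?


def verification_required(req: Request) -> bool:
    return req.kind in HIGH_RISK


def check(req: Request, ver: Verification | None) -> tuple[bool, str]:
    """Return (ok, reason). Rejects verification that reuses the request
    channel or relies on contact details the requester supplied."""
    if not verification_required(req):
        return True, "no verification required"
    if ver is None:
        return False, "high-risk request without verification"
    if ver.via == req.arrived_via:
        return False, f"verification reused the request channel ({req.arrived_via.value})"
    entry = DIRECTORY.get(req.requester)
    if entry is None:
        return False, "requester not in directory"
    if entry.get(ver.via) != ver.contact_used:
        # Catches the callback number planted in the message: it will not
        # match the directory entry for that channel.
        return False, "contact used is not the directory contact for that channel"
    if not ver.confirmed:
        return False, "requester did not confirm on the second channel"
    return True, "verified out of band"


def decide(req: Request, ver: Verification | None) -> str:
    ok, reason = check(req, ver)
    return "APPROVE" if ok else f"HOLD: {reason}"


if __name__ == "__main__":
    # Deepfake video call asking for a wire: confirmed on the directory phone.
    wire = Request("wire_transfer", "cfo@example.com", Channel.VIDEO, "+1-555-0199")
    print(decide(wire, Verification(Channel.PHONE, "+1-555-0100", True)))
    print(decide(wire, Verification(Channel.VIDEO, "+1-555-0100", True)))
    print(decide(wire, Verification(Channel.PHONE, "+1-555-0199", True)))
    # Help-desk reset requested by phone: must be confirmed off the phone.
    reset = Request("password_reset", "alice@example.com", Channel.PHONE, "+1-555-0999")
    print(decide(reset, Verification(Channel.IN_PERSON, "badge:EMP-0101", True)))
    print(decide(reset, Verification(Channel.PHONE, "+1-555-0999", True)))
```

The point of keying the directory by channel is that "which number did you call" becomes a data lookup rather than a judgement call by a rushed technician: a number pasted into the request can never satisfy the check, and a verification on the same channel as the request is rejected before the contact is even looked up.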

The Metrics That Matter

If you're running a security awareness program, you need to measure its effectiveness. Here are the metrics I track for clients:

  • Phishing simulation click rate: Aim to get below 5% over 12 months. Industry average hovers around 17-20% for untrained organizations.
  • Reporting rate: The percentage of employees who report simulated phishing emails rather than ignoring or clicking them. This number matters more than click rate — it shows active engagement.
  • Time to report: How quickly do employees flag suspicious messages? Faster reporting means faster incident response.
  • Repeat clickers: Identify employees who fail multiple simulations. They need targeted, additional training — not punishment.

These numbers tell you whether your training is actually changing behavior or just checking a compliance box.
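To make the four metrics above concrete, here is an added example (not from the original post or any simulation vendor) that computes click rate, reporting rate, median time to report and repeat clickers from a per-recipient campaign log. The log format, the campaign names and the 'two or more clicks' threshold for a repeat clicker are assumptions; the rows are constructed sample data.

```python
"""Phishing-simulation metrics from a per-recipient event log (added example).

The log schema is assumed: one row per (campaign, employee) recording when
the lure was sent and, if it happened, when it was clicked and reported.
All rows below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# (campaign, employee, sent_at, clicked_at, reported_at); None = did not happen
EVENTS = [
    ("Q1", "alice", "2024-01-10T09:00", None,               "2024-01-10T09:04"),
    ("Q1", "bob",   "2024-01-10T09:00", "2024-01-10T09:12", None),
    ("Q1", "carol", "2024-01-10T09:00", None,               None),
    ("Q1", "dave",  "2024-01-10T09:00", "2024-01-10T09:30", "2024-01-10T09:35"),
    ("Q2", "alice", "2024-04-15T14:00", None,               "2024-04-15T14:02"),
    ("Q2", "bob",   "2024-04-15T14:00", "2024-04-15T14:20", None),
    ("Q2", "carol", "2024-04-15T14:00", None,               "2024-04-15T15:40"),
    ("Q2", "dave",  "2024-04-15T14:00", None,               None),
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def campaign_metrics(events, campaign):
    """Click rate, reporting rate and median minutes-to-report for one campaign."""
    rows = [e for e in events if e[0] == campaign]
    sent = len(rows)
    clicks = sum(1 for e in rows if e[3])
    reports = sum(1 for e in rows if e[4])
    # Time to report is measured from send time; only reporters contribute.
    minutes = [(_ts(e[4]) - _ts(e[2])).total_seconds() / 60 for e in rows if e[4]]
    return {
        "sent": sent,
        "click_rate": round(clicks / sent, 3) if sent else None,
        "report_rate": round(reports / sent, 3) if sent else None,
        "median_minutes_to_report": median(minutes) if minutes else None,
    }


def repeat_clickers(events, min_clicks=2):
    """Employees who clicked in at least `min_clicks` campaigns (assumed threshold)."""
    counts = defaultdict(int)
    for _, employee, _, clicked, _ in events:
        if clicked:
            counts[employee] += 1
    return sorted(name for name, n in counts.items() if n >= min_clicks)


def click_rate_trend(events):
    """Click rate per campaign in campaign order, to see whether training moves it."""
    campaigns = sorted({e[0] for e in events})
    return [(c, campaign_metrics(events, c)["click_rate"]) for c in campaigns]


if __name__ == "__main__":
    for campaign, rate in click_rate_trend(EVENTS):
        print(campaign, campaign_metrics(EVENTS, campaign))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Note that someone who clicks and then reports (dave in Q1) counts toward both rates; the report is still the behaviour you want to reinforce, and the click is still the number that belongs in the trend line.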

What's Coming Next: AI-Powered Social Engineering

The Arup deepfake incident isn't an outlier — it's a preview. Generative AI has made it trivially easy to clone voices, generate convincing phishing emails in any language, and create deepfake video. The barrier to entry for sophisticated social engineering attacks has collapsed. A threat actor no longer needs to be a skilled writer to craft a perfect phishing email. They need a prompt.

CISA has been warning about AI-enhanced social engineering throughout 2023 and into 2024. The defensive playbook doesn't fundamentally change — training, verification, and zero trust still work — but the urgency to implement these defenses has increased dramatically.

Your Employees Are Your Attack Surface — and Your Best Defense

Every social engineering attack that succeeds does so because a person made a decision. That person wasn't stupid or careless. They were untrained, unprepared, or operating under conditions that favored the attacker — urgency, authority pressure, or lack of clear protocols.

Flip that equation. Give your employees the training, tools, and processes to recognize manipulation in real time. Make reporting suspicious activity easy and safe. Build a culture where questioning an unusual request — even from the CEO — is celebrated, not punished.

The organizations I've seen weather social engineering attacks successfully all share one trait: they treat their people as the last line of defense, not the weakest link. That distinction isn't just semantic. It's the difference between a $25 million loss and a reported and blocked attempt that never made it past the inbox.

Start building that defense today. Explore our cybersecurity awareness training and phishing simulation program to give your organization the skills it needs before the next attack lands.