
How social engineering works in practice

by Mark Rowe

Let’s start simple: what is social engineering? asks Gavin Wilson, Director of Physical Security and Risk at the consultancy Toro Solutions.

Social engineering is the use of psychological manipulation to trick people into giving up sensitive information or performing actions that compromise security. Attackers exploit trust, curiosity, and helpfulness rather than technical weaknesses. Social engineering can be deployed in many different forms with varying degrees of sophistication. Here are just a few examples of techniques scammers love to use:

  • Phishing (emails)
  • Smishing (SMS)
  • Quishing (QR codes)
  • Vishing (calls or voice messages)
  • Baiting (emails, calls, SMS)

You’ve probably read stories like:

  • “Pensioner transfers life savings after a phone call from their bank.”
  • “I lost my home after being catfished.”

The scams seem obvious in hindsight. You might be thinking, “What were these people thinking?” The good news is you are far too savvy to fall for something so blatant. But let’s pause for a moment.

Everyday encounters could be a risk

Have you ever had a phone call from someone you did not know? Chatted with a friendly stranger on the train? Shared a table in a café? Connected with someone on LinkedIn? Swiped right? Of course you have. We all have.

The world is a wonderful place, full of interesting people. We should engage more, say hello, and make connections. But what if that chance encounter was not so coincidental? What if it was a well-planned attempt to extract information from you? A more capable and intent social engineer may operate face to face to gain credibility and trust from their subject of interest.

You might think, “I am being ridiculous, this only happens in movies.” And maybe it does sometimes. But even seemingly harmless interactions can be exploited by someone trained in social engineering.

Small pieces, big picture

Imagine the server room at your company. To get access, a hostile actor would need to bypass multiple layers of security. To do that, they would require small pieces of information, gathered carefully, step by step. Ask yourself, what pieces of the puzzle do you already hold? Probably quite a few:

  • You know how to access the building and navigate its floors.
  • You know reception procedures and security measures.
  • You know how to log into your computer and what your colleagues’ roles are.
  • You know which contractor companies are on site for cleaning, maintenance, or security.
  • You know the general arrival and departure times of employees.

You even carry your ID badge during work because company policy requires it. You might not even think about it, but you are an expert in your organisation’s routines and policies. That knowledge, combined with your helpful, friendly nature, makes you a perfect target for a social engineer.

Not all at once

No stranger is going to approach you and directly ask how to access the server room. Instead, you might get:

  • A phone call or email from someone claiming to be a client or colleague, requesting a small piece of information like a contact detail.
  • Someone tailgating through a secure door with their hands full.
  • A seemingly innocent interaction on the train, in a café, or on LinkedIn that allows them to collect pieces of information.
  • Someone befriending you over time to earn your trust.

Even simple mistakes, like forgetting to remove your ID badge when leaving the office, can give someone valuable data. Social engineering is subtle. Often, you will never even realise it happened, and the more trusting and helpful you are, the more effective it can be.

How to protect yourself

Even though attackers are clever, there are practical steps you can take:

  1. Verify identities – Always confirm requests through official company channels.
  2. Do not rush – Avoid giving information immediately, even if the request seems urgent.
  3. Share only what is necessary – Limit the information you provide to what is safe and required.
  4. Do a values test – Does what I have been asked to share feel right, and does it align with my employer’s values and my own?
  5. Report suspicious activity – Inform your security team if something feels off.

Remember, social engineering is about gathering small pieces of information. By controlling what you share and verifying requests, you break the puzzle for the attacker.

It’s everywhere

It is not just criminals: governments and military organisations also use social engineering techniques, and as physical and cyber security measures improve, human vulnerabilities become the path of least resistance. Social engineering happens around you every day. Friendly strangers, chance encounters, phone calls, emails, LinkedIn requests: they can all be exploited. Awareness is key.

A balanced perspective

That does not mean we should stop engaging with the world. There are countless friendly, interesting people worth meeting and talking to. Say hello. Strike up conversations. Form connections. But do so mindfully. If something feels off, pause. Think about what information you are comfortable sharing and through which channels. Verify identities, and if necessary, report suspicious activity.

By being aware, cautious, and thoughtful, you can enjoy the world and stay safe at the same time. Social engineering may be powerful, but your awareness and verification are stronger.