The TLDR
Social engineering attacks don’t hack computers. They hack people. These attacks exploit the same psychological shortcuts that make you an effective human being — trust, authority, urgency, reciprocity, social proof — and redirect them toward actions that benefit the attacker. You can have the best firewall, the strongest passwords, and hardware 2FA on everything, and a well-crafted social engineering attack bypasses all of it by simply asking you to do something you think is legitimate.
The Reality
Here’s a romance scam from first contact to wire transfer. This is a real pattern documented by the FBI IC3:
Week 1: A profile appears on a dating app. Attractive photos (stolen from someone else’s social media). A believable bio. They match with the target and start messaging. The conversation is warm, interested, and moves quickly to WhatsApp or Telegram — off the dating platform where their account might get flagged.
Weeks 2–6: Daily communication. Good morning texts. Long conversations about life, goals, values. The scammer mirrors the target’s personality and interests (they’ve been trained to do this). Emotional intimacy builds. Plans to meet “soon” are discussed but always delayed by plausible reasons — work travel, family emergency, visa issues.
Weeks 6–8: A crisis. The scammer’s “mother is in the hospital” or they’re “stuck overseas and their accounts are frozen.” The ask is small — $200 for a medical bill, a plane ticket. The target, invested in the relationship, sends the money.
Weeks 8–16+: The requests escalate. Each one is justified by the emotional bond and previous investment. Victims report average losses of $10,000–$50,000 before the pattern breaks. The FBI IC3 reported $1.3 billion in romance scam losses in 2022. Some individual victims have lost over $1 million.
This isn’t stupidity. This is engineered psychological manipulation executed by professionals.
The Psychological Toolkit
Robert Cialdini identified six principles of influence in his foundational book “Influence: The Psychology of Persuasion.” Every social engineering attack uses at least two:
Authority
We comply with authority figures. A caller claiming to be from the IRS, a police officer, or your CEO triggers automatic deference. The 2020 Twitter hack began when teenagers called Twitter employees and impersonated IT staff — the employees followed instructions because the caller sounded authoritative and used internal jargon.
Urgency/Scarcity
“Your account will be suspended in 30 minutes.” “This offer expires today.” Time pressure short-circuits deliberative thinking. You make decisions with your gut instead of your brain. Every phishing email, every vishing call, and every scam text creates urgency because it works.
Reciprocity
When someone does something for you, you feel obligated to reciprocate. Scammers build small acts of generosity early — a small gift, helpful advice, emotional support — to create a debt the victim feels compelled to repay.
Social Proof
“Everyone in the office has already completed this form.” “Your neighbors have already signed up.” We follow what others appear to be doing. Pig butchering scams use fake investment platforms showing other “investors” making money to create the impression that participation is normal and profitable.
Commitment and Consistency
Once you’ve said yes once, you’re more likely to say yes again. The first ask is always small — “just verify your name.” Each subsequent ask escalates, and you comply because refusing would be inconsistent with your previous behavior.
Liking
We trust people we like. Romance scammers invest weeks building genuine emotional connections. Pretexters are friendly and personable. The better the attacker is at being likable, the more effective the manipulation.
Pretexting — Building the Story
Pretexting is creating a false context that makes the attacker’s request seem legitimate. The quality of the pretext determines the success of the attack.
OSINT fuels pretexting. Before calling a target, a social engineer gathers:
- LinkedIn: Job title, reporting chain, colleagues’ names, recent projects, work anniversary
- Data brokers: Home address, phone number, relatives’ names, previous employers
- Social media: Vacation photos (they know you’re traveling), interests, friend networks, life events
- Company website: Organizational structure, department names, internal jargon
With 30 minutes of research, an attacker can impersonate a vendor the company uses, reference a project the target is working on, name-drop the target’s manager, and create a scenario where handing over credentials seems like the right thing to do.
Attack Types
Business Email Compromise (BEC)
The FBI IC3 reported $2.9 billion in BEC losses in 2023 — the highest-dollar cybercrime category. The attack:
- Attacker compromises or spoofs an executive’s email
- Sends a wire transfer request to the finance team: “I need this vendor payment processed urgently. I’m in a meeting — please handle.”
- The email looks right. The request is within normal business operations. The urgency is plausible.
- The finance team sends the wire. The money is gone within hours.
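A small detector for the traces this pattern leaves in mail headers and body (an executive’s display name on a mailbox outside the directory, a lookalike sender domain, a Reply-To pointing elsewhere, urgent payment language), added here as an example and not part of the original post. The organization domain, the executive directory and both sample messages are constructed assumptions.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed org data (constructed): company domain and a directory of executives.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|in a meeting)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|gift cards?)\b", re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def is_lookalike(domain, reference):
    # Cheap lookalike test: close to the real domain (e.g. examp1e.com) but not it.
    if not domain or domain == reference:
        return False
    return difflib.SequenceMatcher(None, domain, reference).ratio() >= 0.8

def bec_indicators(raw_email):
    # Return the BEC indicators found in one plain-text RFC 822 message.
    msg = message_from_string(raw_email)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:  # right name, wrong mailbox
        findings.append("executive display name on non-directory address")
    if is_lookalike(from_dom, ORG_DOMAIN):
        findings.append("lookalike sender domain")
    if reply_addr and domain_of(reply_addr) != from_dom:  # replies go elsewhere
        findings.append("reply-to domain differs from sender domain")
    if URGENCY.search(msg.get_payload()) and PAYMENT.search(msg.get_payload()):
        findings.append("urgent payment language")
    return findings

# Constructed sample messages: a routine request and a BEC-style lure.
LEGIT = """From: Jane Doe <jane.doe@example.com>

Please send me the Q3 numbers when you have a moment.
"""
LURE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jdoe.ceo@webmail.invalid>

I need this vendor payment processed urgently. I'm in a meeting, please handle the wire.
"""

if __name__ == "__main__":
    print("legit:", bec_indicators(LEGIT), "lure:", bec_indicators(LURE))
```

Any single indicator can occur in legitimate mail; the value is in the combination, which is why the routine message scores nothing and the lure trips all four.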
The 2020 Twitter Hack
In July 2020, teenagers gained access to Twitter’s internal admin tools and tweeted cryptocurrency scams from verified accounts including Barack Obama, Elon Musk, and Apple. They got in by calling Twitter employees and impersonating IT support staff, convincing them to reset their credentials on a phishing page.
The Twitter hack post-mortem revealed that the attackers targeted customer support representatives because they had lower security training than engineers — but their access to internal tools was identical.
Tech Support Scams
“This is Microsoft support. We’ve detected malware on your computer.” The caller directs the victim to install remote access software (AnyDesk, TeamViewer), then uses that access to install actual malware, steal credentials, or demand payment for “fixing” the nonexistent problem.
The FTC reported $800+ million in tech support scam losses. These disproportionately target elderly individuals.
Help Desk Attacks
An attacker calls the company help desk: “Hi, this is Sarah from marketing. I’m locked out of my account and I have a presentation in 20 minutes. Can you reset my password?”
If the help desk doesn’t have strict verification procedures — and many don’t — the attacker gets a password reset for someone else’s account. This is how multiple major corporate breaches have started.
What You Can Do
Verification Procedures
- Verify through a separate channel. If someone calls claiming to be your bank, hang up and call the number on your card. If an email requests a wire transfer, call the sender on their known phone number.
- Never provide credentials or 2FA codes to someone who contacted you. Legitimate organizations don’t ask for this.
- Establish a family passphrase — a code word shared in person that you can ask for over the phone to verify identity.
The “Trust but Verify” Framework
Social engineering attacks succeed because we default to trust. The defense isn’t paranoia — it’s a habit of verification:
- Unexpected requests get verified through a second channel
- Urgency is a red flag, not a reason to skip verification
- Authority is claimed, not proven, until independently confirmed
Organizational Controls
For businesses, the defenses are procedural:
- Dual authorization for financial transactions above a threshold
- Callback verification for wire transfer requests (call back on a known number, not the one in the email)
- Strict help desk identity verification (not just “what’s your employee ID”)
- Regular social engineering training — not annual compliance videos, but simulated attacks
Sources & Further Reading
- FBI IC3 Annual Report — cybercrime statistics including BEC and romance scam data
- Robert Cialdini: “Influence: The Psychology of Persuasion” — foundational psychology of social engineering
- Kevin Mitnick: “The Art of Deception” — social engineering from the attacker’s perspective
- Twitter 2020 Hack Post-Mortem — case study in social engineering against a tech company
- FTC Consumer Fraud Data — federal scam and fraud statistics
- MITRE ATT&CK: Social Engineering — attack technique documentation