7 Common Social Engineering Attacks — Explained

In today’s digital world, firewalls and antivirus software can only go so far. The real vulnerability? People. Social engineering attacks exploit human psychology rather than technical flaws, tricking individuals into handing over confidential information or giving access to systems. It’s the modern con game, and it’s on the rise in the UK and globally.

Let’s break down seven common social engineering attacks, so you know what to watch out for — and how to stay protected.

1. Phishing

What it is:
Phishing is the most well-known social engineering tactic. It usually involves fraudulent emails designed to look like they’re from trusted sources (e.g. your bank, HMRC, or even your employer).

How it works:
The email often contains a malicious link or attachment, or it may urge you to enter login details on a fake website.

Example:
An email from “Netflix” warns your payment failed and asks you to re-enter your card details. The site looks legitimate — but it isn’t.

How to stay safe:
Always double-check the sender’s email address, hover over links before clicking, and never enter sensitive information on unfamiliar websites.
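The two checks above, verifying the sender's real address and seeing where a link actually points before clicking, can be automated. The following Python script is an added example, not part of the original article: it parses a constructed sample email, compares the From: display name with the sender's actual domain, and compares each link's visible text with its real destination (what hovering over the link would reveal), also flagging links to bare IP addresses. The sample messages, the TRUSTED_DOMAINS allow-list and the function names are all assumptions made for this example.

```python
"""Automated versions of two phishing checks: sender domain vs. display name,
and link text vs. real link target. Added example; all sample data is constructed."""

import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fake "Netflix" payment-failure email (not a real message).
SAMPLE_EMAIL = """\
From: Netflix Billing <billing@netflix-account-update.example>
To: you@example.org
Subject: Your payment failed
Content-Type: text/html; charset=utf-8

<html><body>
<p>We could not process your payment. Please update your card details:</p>
<p><a href="http://203.0.113.10/login">https://www.netflix.com/account</a></p>
<p><a href="https://www.netflix.com/help">Help centre</a></p>
</body></html>
"""

# Constructed sample of a message that passes both checks.
CLEAN_EMAIL = """\
From: Netflix <info@netflix.com>
To: you@example.org
Subject: Your monthly summary
Content-Type: text/html; charset=utf-8

<p><a href="https://www.netflix.com/account">https://www.netflix.com/account</a></p>
"""

# Hypothetical allow-list: domains the recipient expects this brand's mail and links to use.
TRUSTED_DOMAINS = {"netflix.com"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the organisation's domain.
    Fine for .com-style names; a production tool would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of_url(text):
    """Return the hostname if the text is an http(s) URL, otherwise None."""
    parsed = urlparse(text.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname
    return None


def check_sender(msg, trusted_domains):
    """Flag a From: header whose display name claims a trusted brand
    while the actual address lives in an untrusted domain."""
    name, addr = parseaddr(msg.get("From", ""))
    addr_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    brand_claimed = any(d.split(".")[0] in name.lower() for d in trusted_domains)
    if brand_claimed and addr_domain not in trusted_domains:
        return [f"sender display name '{name}' but address domain '{addr_domain}'"]
    return []


def check_links(msg, trusted_domains):
    """Flag links whose visible text is a URL on a different site than the href,
    and links that point at a bare IP address instead of a hostname."""
    findings = []
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = _LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        real_host = host_of_url(href)
        if real_host is None:
            continue
        shown_host = host_of_url(text)
        if shown_host and registrable_domain(shown_host) != registrable_domain(real_host):
            findings.append(f"link text shows {shown_host} but goes to {real_host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real_host):
            findings.append(f"link goes to a bare IP address: {real_host}")
    return findings


def analyse(raw_email, trusted_domains=TRUSTED_DOMAINS):
    """Run both checks on a raw RFC 822 message and return a list of findings."""
    msg = message_from_string(raw_email)
    return check_sender(msg, trusted_domains) + check_links(msg, trusted_domains)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("!", finding)
```

Run against the constructed sample, the script reports three findings: a display name claiming the brand from an unrelated domain, link text showing one site while the link goes elsewhere, and a link to a bare IP address; the clean sample produces none. The domain comparison is deliberately simple and is the part a real mail filter would need to harden first.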

2. Vishing (Voice Phishing)

What it is:
This is phishing over the phone. Attackers impersonate someone trustworthy, like a bank representative, to extract personal data.

How it works:
They create a sense of urgency, such as claiming your account is at risk and asking you to confirm your details.

Example:
A scammer calls claiming to be from your bank’s fraud department, asking you to move your money to a “safe account”.

How to stay safe:
Never give out personal or financial information over the phone unless you initiated the call using a verified number.

3. Smishing (SMS Phishing)

What it is:
Smishing involves fraudulent text messages — often pretending to be from delivery services, banks, or government bodies.

How it works:
The text includes a link to a fake website or a phone number to call, aiming to steal your information.

Example:
A text from “Royal Mail” saying there’s a parcel to pay duty on, with a link to a scam payment site.

How to stay safe:
Avoid clicking on links in unsolicited texts. If unsure, go directly to the organisation’s website or app.

4. Pretexting

What it is:
This involves creating a believable story (or “pretext”) to manipulate you into giving up information or access.

How it works:
The attacker builds trust by impersonating a colleague, IT support, or authority figure.

Example:
Someone posing as your company’s IT team calls to “verify” your login credentials due to a supposed security breach.

How to stay safe:
Verify the person’s identity independently. Don’t give out information unless you’re absolutely sure who you’re speaking to.

5. Baiting

What it is:
Baiting offers something enticing — like a free download, gift card, or USB drive — to trick you into installing malware or giving up data.

How it works:
The “bait” leads to malicious software being installed on your device or network.

Example:
A free music download or a USB stick left in a car park — once accessed, it infects your system.

How to stay safe:
Don’t accept or download anything from unknown sources. Be sceptical of anything that seems too good to be true — because it probably is.

6. Tailgating (or Piggybacking)

What it is:
Tailgating is a physical form of social engineering. It involves someone following an authorised person into a secure area without proper access.

How it works:
They might pretend to have forgotten their ID badge or act like a delivery driver in a rush.

Example:
An attacker follows an employee into a secure office by simply holding the door.

How to stay safe:
Don’t let strangers follow you into secure areas. Politely challenge anyone not displaying the correct credentials.

7. Quid Pro Quo

What it is:
“Something for something.” This attack promises a benefit — like tech support or access to a service — in exchange for information.

How it works:
The attacker offers help (e.g. solving an IT issue) and then asks for login details or remote access.

Example:
A caller claiming to be from “Microsoft” offers to fix a virus on your PC, then installs malware instead.

How to stay safe:
Be wary of unsolicited help, especially if they request remote access or login credentials.

Final Thoughts

Social engineering preys on trust, fear, urgency, and curiosity — all very human traits. In the UK, these tactics are increasingly used in sophisticated scams targeting individuals, small businesses, and even large corporations.

Protect yourself by:

  • Staying sceptical of unexpected messages or calls.

  • Verifying requests independently.

  • Reporting suspicious activity to your IT team or Action Fraud (the UK’s national reporting centre for fraud and cyber crime).

Awareness is your first line of defence. If something feels off — it probably is.
