Social engineering exploits human psychology rather than technical vulnerabilities. Attackers use deception — phishing emails, fraudulent phone calls, fake websites, and AI-generated deepfakes — to trick victims into revealing credentials, transferring funds, or installing malware. According to the Verizon 2025 Data Breach Investigations Report (DBIR), the human element was involved in approximately 60% of breaches, making people the most consistently targeted component in any organization's attack surface.
Defining the threat: what is social engineering?
Social engineering is a category of attack that relies on psychological manipulation rather than technical exploitation. The attacker's goal is to convince a human to take an action — clicking a link, providing a password, approving a wire transfer, or granting physical access — that they would not otherwise take.
Unlike malware or vulnerability exploitation, social engineering requires no code. Its effectiveness derives from exploiting predictable human behaviors: trust in authority, willingness to help, fear of consequences, and the tendency to act quickly under pressure. These are not flaws that patches can fix.
Why it matters: the business impact of social engineering
Financial loss: Business email compromise (BEC) scams resulted in $2.77 billion in reported losses in 2024, making BEC the second most costly cybercrime category tracked by the FBI's Internet Crime Complaint Center (IC3 2024 Annual Report). The IC3 received 21,442 BEC complaints that year alone.
Data theft and exposure: Social engineering is the primary delivery mechanism for credential theft. Stolen credentials featured in 22% of breaches in 2025 (Verizon DBIR 2025). Once obtained, credentials enable account takeover, lateral movement, and data exfiltration.
Operational downtime: Attackers who gain initial access through social engineering frequently use it to deploy ransomware or reroute payroll and vendor payments. The MGM Resorts breach in 2023, triggered by a single help desk impersonation call, caused an estimated $100 million in disruption.
Reputational and regulatory damage: A successful social engineering attack that results in a data breach carries regulatory exposure under GDPR, HIPAA, and other frameworks, alongside lasting client trust damage. MSPs that suffer a breach may also expose their clients' environments.
Anatomy of an attack: the social engineering lifecycle
1. Reconnaissance: Attackers identify targets and gather background information — job titles, vendor relationships, ongoing projects, and org structure — from LinkedIn, company websites, SEC filings, and social media. This intelligence is used to craft credible lures.
2. Hook: A tailored phishing email, phone call, or message builds trust or manufactures urgency. Verizon DBIR 2024 data shows the median time for a user to click a malicious link after opening a phishing email is 21 seconds, with data entry following approximately 28 seconds later — a full compromise in under a minute.
3. Manipulation and execution: The victim performs the attacker's desired action — divulging credentials, running a malicious macro, approving a wire transfer, or providing a one-time password.
4. Exit and escalation: The attacker uses stolen data or access to persist, pivot laterally, install malware, or launch follow-on BEC schemes. In many cases, the initial entry is sold to a ransomware group via an initial access broker.
Attacker's toolkit: common social engineering techniques
Social engineering encompasses a wide range of techniques. Understanding the distinctions between them helps IT and security teams apply appropriate controls.
Phishing
Mass-distributed fraudulent emails and messages designed to steal credentials, deliver malware, or direct users to attacker-controlled pages. Phishing was involved in 16% of breaches in 2025 (Verizon DBIR 2025) and remains the most reported cybercrime in the FBI's IC3 data, with 193,407 complaints in 2024.
Spear phishing
A targeted variant of phishing using personalized details — the recipient's job title, current project, vendor name, or reporting relationship — sourced through prior reconnaissance. Spear phishing makes up less than 0.1% of all phishing emails but accounts for a disproportionate share of successful breaches because the personalization removes the contextual mismatches that trained users are taught to look for. It is the preferred first-stage technique of nation-state actors and ransomware groups.
Whaling
Spear phishing directed specifically at executives, board members, and other senior decision-makers. The objective is usually high-value financial fraud, transfer of intellectual property, or credential theft that provides broad system access. Whaling attacks rely on detailed open-source intelligence and are rarely detected by automated email filters because they often contain no malicious links or attachments.
Vishing (voice phishing)
Social engineering conducted by phone or voice message. Real-time voice interaction creates immediate pressure, discourages verification, and exploits the trust that people extend to voices they believe they recognize. Vishing-as-a-service platforms now allow low-skilled attackers to outsource calls to professional fraudsters. Help desk impersonation — where an attacker poses as an employee to request password resets or MFA changes — is a high-impact vishing variant. See the dedicated vishing article in the Acronis Threat Catalog for deeper coverage of vishing techniques and defenses.
Smishing (SMS and messaging app attacks)
Phishing delivered via SMS or mobile messaging platforms. The shorter message format and the informal nature of text communication tend to reduce recipients' critical scrutiny. Smishing attacks frequently impersonate delivery notifications, banking alerts, or government agencies. The FTC reported that text-based fraud cost U.S. consumers $470 million in 2024.
Pretexting
Pretexting involves constructing a detailed, believable scenario to justify an unusual request. The attacker adopts a fabricated identity — IT support, an external auditor, a vendor representative, a regulator — and uses researched background information to make the scenario credible. Verizon DBIR 2024 identified pretexting as the leading cause of social engineering incidents, appearing in over 40% of social engineering cases that year. Pretexting is the structural backbone of most BEC attacks and executive impersonation schemes.
Business email compromise (BEC)
BEC is a financially motivated attack in which an attacker impersonates a trusted party — a CEO, a vendor, a legal representative — to authorize fraudulent wire transfers or changes to payment details. Unlike phishing, BEC attacks rarely include malicious links or attachments, making them harder for automated tools to detect. BEC cost $2.77 billion in the U.S. in 2024, the second-highest loss category in the FBI IC3 data. BEC attackers either take over legitimate email accounts or simply spoof trusted domains to bypass filtering.
Deepfakes
AI-generated audio and video used to impersonate executives, colleagues, or other trusted parties. Deepfakes extend social engineering from text into voice and video, defeating verification methods that once provided meaningful assurance. A 2024 academic study on LLM-assisted attacks found that AI-generated spear phishing emails achieved a 54% click-through rate, matching the performance of human-crafted attacks while requiring a fraction of the time and cost. The Deloitte Center for Financial Services projects that generative AI-enabled fraud in the U.S. alone will reach $40 billion by 2027. The canonical corporate deepfake case is the 2024 Arup incident, in which a Hong Kong employee transferred $25.6 million after attending a video conference where the CFO and all other attendees were deepfake recreations (confirmed by Arup and Hong Kong police, May 2024).
ClickFix and FileFix
ClickFix is a social engineering technique in which attackers present a fake error message or CAPTCHA and instruct the user to resolve it by pasting a PowerShell or other command into a Run dialog. The technique bypasses many email and endpoint controls by placing malware execution in the user's hands. FileFix is an evolution of ClickFix that uses disguised file dialogs or attachment interactions to achieve the same result. See the dedicated Threat Catalog articles on ClickFix and FileFix for full technical coverage of these techniques, indicators, and defenses.
Baiting
An attacker leaves an infected USB drive, SD card, or other physical media in a location where a target employee is likely to find and connect it — a parking lot, a reception area, or a conference room. The name 'baiting' is apt: the victim's curiosity is the mechanism of compromise. The same approach applies to fake download offers online, where free software or pirated content functions as the lure.
Quid pro quo
The attacker poses as IT support or a service provider and offers unsolicited assistance — resolving a fake performance issue, providing a software license, or expediting an account unlock — in exchange for the target's credentials or temporary access to their workstation. The reciprocity bias in human psychology makes this approach effective: people who receive something tend to feel obligated to give something back.
Tailgating and physical access
Attackers manipulate employees into granting physical entry to a secure area, typically by posing as a delivery person, a vendor technician, or an employee who has forgotten their badge. No technical exploit is required. Physical access to a server room, unattended workstation, or network jack can enable attacks that no remote security control can prevent. Physical access attacks are frequently overlooked in digital-first security programs.
MFA fatigue (prompt bombing)
The attacker, already in possession of a user's credentials, triggers repeated multi-factor authentication push notifications until the user approves one — either through distraction, confusion, or simply to stop the notifications. This technique, also called MFA prompt bombing, was used by Scattered Spider in attacks on MGM Resorts, Caesars Entertainment, and other organizations in 2023. It is effective against any MFA implementation that relies on simple approve/deny push notifications rather than number matching or phishing-resistant FIDO2 methods.
Help desk impersonation
The attacker contacts an organization's IT service desk while posing as an employee. Using details sourced from LinkedIn and public sources, they request credential resets, MFA changes, or account unlocks. The MGM Resorts breach in September 2023 began this way: Scattered Spider identified an MGM employee on LinkedIn, impersonated them in a 10-minute call to the IT help desk, and obtained access to Okta and Azure environments. ALPHV then deployed ransomware to over 100 ESXi hypervisors. Total disruption cost was estimated at $100 million.
AI-powered social engineering at scale
Generative AI has materially changed the economics and scale of social engineering. A 2024 academic study found that LLM-generated spear phishing emails achieved a 54% click-through rate — matching human-crafted attacks while requiring a fraction of the time and cost ('Evaluating Large Language Models' Capability to Launch Fully Automated Spear Phishing Campaigns'). The Microsoft 2025 Digital Defense Report corroborated this finding, noting that AI-assisted phishing is up to 4.5 times more effective than unassisted attacks.
Voice cloning tools now require only a few seconds of audio to produce a convincing replica of a target's voice, enabling real-time phone fraud and vishing-as-a-service at scale. Deepfake video has moved beyond still images into live video calls, as demonstrated by the Arup case. The Deloitte Center for Financial Services projects that generative AI-enabled fraud in the U.S. will grow from $12.3 billion in 2023 to $40 billion by 2027 at a 32% compound annual growth rate.
For MSPs and MSSPs, the practical implication is that traditional heuristics for identifying suspicious communications — poor grammar, generic salutations, mismatched domains — are no longer reliable. AI-generated content is grammatically flawless, contextually accurate, and can reference authentic organizational details sourced from public data. Detection must shift toward behavioral anomaly analysis, out-of-band verification for high-risk requests, and phishing-resistant authentication methods.
Real-world cases: social engineering in practice
MGM Resorts (September 2023): help desk impersonation leads to ransomware
Scattered Spider, a threat group known for native-English vishing, identified an MGM Resorts employee on LinkedIn and impersonated them in a 10-minute call to the IT help desk. The call resulted in access to MGM's Okta and Azure environments. ALPHV (BlackCat) then deployed ransomware across more than 100 ESXi hypervisors. Slot machines, digital room keys, reservation systems, and payment terminals were taken offline across MGM's 31 Las Vegas properties for approximately 10 days. MGM estimated the incident cost around $100 million in Q3 2023 revenue impact. Lesson: identity verification at the help desk must be independent of information an attacker could source publicly.
Arup (January 2024): deepfake video conference results in $25.6 million fraud
A finance employee at UK engineering firm Arup's Hong Kong office received a phishing email purportedly from the CFO requesting a confidential transaction. Suspicious, the employee joined a video call — which appeared to include the CFO and several colleagues — and was convinced to execute 15 wire transfers totaling approximately $25.6 million (HK$200 million) across five bank accounts. All participants on the call were deepfake recreations. Arup confirmed the incident to Hong Kong police in January 2024 and publicly identified itself as the victim in May 2024. Investigation remains ongoing; no funds have been recovered. Lesson: video calls are no longer a reliable verification method for high-value financial requests; out-of-band confirmation through a separately verified channel is required.
Bybit (February 2025): supply chain social engineering enables $1.5 billion crypto heist
North Korea's Lazarus Group (tracked by the FBI as TraderTraitor) compromised a developer's machine at Safe{Wallet}, a third-party wallet management platform used by Bybit. The initial access was achieved through social engineering targeting the developer. Lazarus then injected malicious JavaScript into Safe{Wallet}'s transaction interface, which manipulated the signing UI seen by Bybit employees during a routine cold-to-warm wallet transfer on 21 February 2025. The manipulation redirected approximately 401,000 ETH, valued at roughly $1.5 billion, to attacker-controlled addresses in what the FBI confirmed as the largest single cryptocurrency heist on record. Lesson: supply chain trust extends social engineering risk beyond the direct target organization to every vendor with access to critical infrastructure.
Coinbase (May 2025): insider bribery as social engineering
Attackers recruited and bribed a small group of overseas customer support contractors to exfiltrate account data — names, partial Social Security numbers, addresses, and KYC documentation — for less than 1% of monthly transacting Coinbase users. The attacker's goal was not direct theft but downstream fraud: using the stolen data to impersonate Coinbase support and convince customers to transfer funds to attacker-controlled wallets. Coinbase disclosed the incident on 15 May 2025 and declined to pay the attackers' $20 million ransom demand. The company estimated remediation costs of $180 million to $400 million. Lesson: insider threat programs must extend to third-party contractors, particularly those with access to customer identity and support data.
Stopping the attack: detection and incident response
Technical detection signals
• Email header anomalies: mismatched From and Reply-To addresses, failed DMARC, DKIM, or SPF authentication, and unusual sending infrastructure (for example, an executive's name used as the display name on a free webmail account).
• Unusual login patterns: first-time geographic location, new device fingerprint, or off-hours login for a privileged or finance account should trigger investigation before session access is granted.
• MFA prompt flooding: repeated push notification requests not initiated by the account holder indicate an active MFA fatigue attack. Alert thresholds for repeated denied or unanswered MFA prompts should be configured.
• Unexpected password resets or account recovery requests: particularly when submitted via the help desk rather than self-service, and without a corresponding user-originated ticket.
• Outbound traffic to unusual domains: new or low-reputation domains contacted shortly after a user-reported suspicious email may indicate that initial access has been established.
• Help desk tickets requesting credential resets from unverified callers: the help desk is a primary entry point for voice-based social engineering. Ticket logs should capture caller verification status and method.
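The following added example (not Acronis code and not from the original article) implements two of the signals above over constructed sample data: header checks for a From/Reply-To mismatch, failed SPF/DKIM/DMARC verdicts and an executive title on a free webmail domain, plus a sliding-window count of denied or unanswered MFA pushes that flags an approval arriving mid-flood. The domain names, log format, webmail list and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture): executive title in the
# display name on a free webmail domain, Reply-To pointing at a third
# domain, and failed authentication results recorded by the receiving MX.
SAMPLE_EMAIL = """\
From: "Jane Doe, CFO" <jane.doe.cfo@example-webmail.invalid>
Reply-To: accounts@payments-example.invalid
To: ap-clerk@example.com
Subject: Urgent wire before close of business
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=example-webmail.invalid;
 dkim=none; dmarc=fail header.from=example-webmail.invalid

Please process the attached wire today and keep this confidential.
"""

# Assumed list of consumer webmail domains; the .invalid entry exists only
# so the constructed sample above triggers the check.
FREE_WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com",
                        "example-webmail.invalid"}
EXEC_TITLE = re.compile(r"\b(CEO|CFO|COO|CTO|President|Controller)\b", re.I)


def email_header_findings(raw_message: str) -> list[str]:
    """Return human-readable findings for the header anomalies listed above."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Authentication-Results is written by our own MX, so its verdicts are trusted.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1).lower()}")
    if from_domain in FREE_WEBMAIL_DOMAINS and EXEC_TITLE.search(from_name):
        findings.append(f"executive title in display name on free webmail domain {from_domain}")
    return findings


# Constructed sample authentication log: one account receives a burst of
# push prompts it did not initiate and finally approves one.
SAMPLE_AUTH_LOG = """\
2025-03-01T02:14:01Z user=alice event=mfa_push result=denied
2025-03-01T02:14:09Z user=alice event=mfa_push result=timeout
2025-03-01T02:14:20Z user=alice event=mfa_push result=timeout
2025-03-01T02:14:31Z user=alice event=mfa_push result=denied
2025-03-01T02:14:45Z user=alice event=mfa_push result=timeout
2025-03-01T02:15:02Z user=alice event=mfa_push result=approved
2025-03-01T09:30:00Z user=bob event=mfa_push result=approved
"""
LOG_LINE = re.compile(r"^(\S+) user=(\S+) event=mfa_push result=(\S+)$")


def mfa_flood_alerts(log: str, window_s: int = 300, threshold: int = 5) -> dict:
    """Flag users with >= threshold unapproved pushes inside a sliding window.

    The alert records whether an approval arrived while the flood was still
    inside the window: that is the case where the user gave in and the
    account should be handled as compromised, not merely under attack.
    """
    prompts = defaultdict(list)
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            prompts[m.group(2)].append((ts, m.group(3)))
    alerts = {}
    for user, events in prompts.items():
        events.sort()
        recent = []  # timestamps of unapproved prompts still inside the window
        for ts, result in events:
            recent = [t for t in recent if (ts - t).total_seconds() <= window_s]
            if result != "approved":
                recent.append(ts)
            if len(recent) >= threshold:
                alerts[user] = {"unapproved_prompts": len(recent),
                                "approved_during_flood": result == "approved"}
    return alerts


if __name__ == "__main__":
    for finding in email_header_findings(SAMPLE_EMAIL):
        print("email:", finding)
    for user, alert in mfa_flood_alerts(SAMPLE_AUTH_LOG).items():
        print("mfa:", user, alert)
```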
Behavioral and procedural indicators
• An employee reports they followed instructions from an unexpected caller or email, particularly one involving a financial transaction or credential change.
• Wire transfer requests or changes to payment account details arriving via email, without an out-of-band confirmation from the originating party through a separately verified channel — this is the structural pattern of BEC.
• Internal requests that bypass standard approval workflows while citing urgency, authority, or confidentiality. Urgency is the most consistent social engineering trigger.
Incident response steps for social engineering
1. Immediately reset credentials for any account suspected of compromise. Do not wait for forensic confirmation.
2. Revoke active sessions — not just passwords. An attacker who has established a session token will retain access through a password reset if sessions are not explicitly terminated.
3. Preserve email headers, call logs, or message threads for forensic review before deletion. These records establish the attack timeline and enable attribution.
4. Notify impacted parties immediately — finance teams, third-party vendors, payment processors — if funds or data may have moved.
5. Trace the attacker's access path before beginning remediation. Remediating the visible entry point without understanding lateral movement creates a gap that allows reinfection through the same initial access.
Proactive defense: prevention strategies and best practices
• Security awareness training: Regular programs covering phishing, vishing, BEC, deepfake recognition, and pretexting. Training should include realistic simulations, not just didactic modules. The Verizon DBIR 2024 found that 20% of users identified and reported phishing in simulation engagements — a figure that correlates directly with training frequency and program quality.
• Phishing simulations and adversarial testing: periodic social engineering assessments that test the help desk, finance teams, and executives — not just general staff. Results should feed directly into targeted remediation.
• Phishing-resistant MFA: FIDO2/passkey-based authentication resists both credential theft and MFA fatigue attacks. SMS OTP and push notifications should be replaced where possible, particularly for administrative accounts.
• Out-of-band verification: all high-risk actions — wire transfers, payment detail changes, credential resets for privileged accounts — should require verification through a separately established channel, not the same email or voice channel as the original request.
• Least-privilege access and help desk verification protocols: service desk staff should use authentication methods that verify the caller's identity through something they have, not just something they or an attacker could know.
• Third-party and supply chain hygiene: MSPs and vendors with privileged access to client environments represent an extended attack surface. Third-party social engineering risk requires contractual security requirements, access scoping, and periodic review. See the Threat Catalog article on third-party compromise.
Layered defense: How Acronis protects you
Acronis Advanced Email Security — powered by Perception Point — intercepts email-borne threats including spam, phishing, spoofing, BEC, account takeover (ATO), APTs, and zero-day attacks before they reach end-user mailboxes across Microsoft 365, Google Workspace, Open-Xchange, and on-premises mail servers.
Key capabilities relevant to social engineering defense:
• Anti-phishing and anti-spoofing: uses ML algorithms with IP reputation, SPF, DKIM, and DMARC record checks to block look-alike domains, display-name deception, and payload-less BEC attacks.
• Computer vision for URL and image analysis: validates the legitimacy of URLs and detects brand impersonation by analyzing the visual content of linked pages and embedded images.
• Anti-evasion scanning: recursively unpacks embedded files and URLs, running components through dynamic and static detection engines to uncover hidden malicious content.
• CPU-level zero-day detection: Perception Point's unique technology detects and blocks exploits at the assembly instruction level before malware is released, with no sandbox delay.
• Account takeover prevention: behavioral analysis detects anomalies in end-user patterns to prevent attackers from using compromised accounts to spread threats laterally.
Advanced Email Security is an add-on pack, not a component of the base Acronis Cyber Protect Cloud plan.
Acronis URL filtering uses payload analysis and machine learning to evaluate both the URL itself and the structure of the destination page. This enables the filter to block silent drive-by downloads, intercept HTTP/HTTPS requests to known malicious domains, and catch phishing pages — including those using freshly registered or previously clean domains — that URL reputation databases have not yet catalogued.
Acronis Security Awareness Training, available as an Advanced Pack, delivers bite-sized training modules and gamified phishing simulations from a multitenant console designed for MSP delivery. The product page states the platform trains employees to recognize and report social engineering, phishing, and malware, and includes training aligned with modern AI-powered phishing and social engineering attacks. Training content is regularly updated.
Note: The live product page describes training that covers phishing, social engineering, and AI-powered attacks broadly. Deepfake recognition is referenced as part of the modern threat landscape covered, but is not described as a dedicated named module. This should be verified with the Acronis product team before claiming deepfake-specific curriculum in any collateral.
Multi-factor authentication (MFA)
MFA is a security feature available within Acronis Cyber Protect Cloud for managing access to the platform and endpoint agents. It is not a standalone Acronis product. For client endpoint MFA covering email, VPN, and application access, MSPs should refer to dedicated identity and access management integrations available through the Acronis ecosystem.
Social engineering FAQ
What makes social engineering one of the most successful attack vectors today?
Social engineering bypasses technical defenses by manipulating human behavior. Attackers exploit trust, urgency, fear or helpfulness to convince employees to reveal information or perform risky actions. Because it targets people rather than systems, it frequently succeeds, even in environments with strong security controls. This risk is especially important for executive, IT and compliance leaders who must account for human behavior in their defensive strategy.
How common are attacks that depend on the human element?
An estimated 68% of cyber incidents involve a human factor, such as an employee clicking a malicious link or providing sensitive information to an attacker. Small and medium-sized businesses are disproportionately affected and experience significantly more attempts per employee compared to larger enterprises. This highlights the importance of training and consistent policy enforcement.
Which types of social engineering cause the greatest financial losses?
Executives are prime targets for highly tailored attacks such as whaling, where attackers craft personalized messages based on public information. Business email compromise is also extremely impactful, since attackers impersonate trusted executives to request wire transfers or changes to payment details. These attacks rarely include malware, which makes them harder for automated tools to detect and places greater importance on careful verification by finance, security and leadership teams.
How is generative AI changing the nature of social engineering threats?
Adversaries use generative AI to create convincing fake identities, realistic emails and polished websites. Traditional signs of phishing, such as poor spelling or formatting, are less reliable because AI-generated content appears legitimate. This raises the difficulty for both employees and security teams and requires stronger identity protections and behavioral analysis.
What are the business consequences of a successful social engineering incident?
A breach can result in stolen funds, unauthorized access to systems, identity theft and exposure of sensitive data. Beyond direct financial loss, organizations may face legal liabilities, regulatory penalties and lasting reputational damage. Employees involved in these incidents often experience emotional stress, which reinforces the need for a supportive, blame-free reporting culture.
Social engineering FAQ: Attack vectors and psychology
What are the main techniques attackers use to gain initial access?
Common methods include phishing through email or social platforms, vishing via phone calls, and smishing through text messages. Physical attacks such as tailgating rely on manipulating an employee to grant physical entry. Other tactics include baiting with infected USB drives and quid pro quo techniques, where attackers pretend to offer support or services in exchange for information. These methods exploit trust and familiarity to bypass technical controls.
What is pretexting, and why is it so effective?
Pretexting involves creating a detailed and believable scenario to persuade someone to share information or perform an unusual action. Attackers gather background information from publicly available sources such as LinkedIn, company websites or social media. This research allows them to build a narrative that appears credible, which increases the likelihood that the target will comply.
How do attackers use psychological principles to manipulate victims?
Threat actors take advantage of cognitive biases and emotional responses. Urgency and scarcity force quick decisions without verification. Authority creates pressure to comply with someone who appears to hold power. Personalization builds rapport and trust. Understanding these psychological levers helps security and IT teams design more effective training programs.
How can attackers bypass multifactor authentication using social engineering?
Instead of attacking the technology behind MFA, adversaries target people. They may impersonate IT support to request verification codes or exploit weaknesses in account recovery workflows. In some cases, attackers use MFA fatigue techniques, where repeated prompts wear down the user until they accidentally approve a fraudulent request. These tactics highlight the need for phishing-resistant MFA options.
How is social engineering linked to ransomware operations?
Social engineering is a common first step in ransomware attacks. Phishing is frequently used to deliver malicious links, attachments or initial access malware. Some attackers, known as initial access brokers, specialize in gaining footholds through social engineering and then selling that access to ransomware groups. This makes social engineering a critical threat to incident response and SOC teams.
Social engineering FAQ: Prevention, mitigation and controls
What security best practices help reduce social engineering risk?
Effective defense requires training that teaches employees how to identify and report suspicious messages, especially those designed to provoke strong emotional reactions. Organizations should implement phishing-resistant MFA for essential services such as email, VPNs and administrative accounts. Consistent reinforcement of policies helps create a culture of healthy skepticism.
Which technical controls are most effective against email and messaging attacks?
A strong DMARC policy reduces the chances of domain spoofing. Email security gateways should filter high-risk messages and block potentially dangerous attachments. Macro-based files sent from external sources should be disabled by default. Together, these controls significantly reduce the likelihood that malicious messages reach employees.
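Added example (not from the article or Acronis): a small evaluator that parses a DMARC TXT record and reports what still lets spoofed mail through, run over a constructed monitoring-only record beside its enforced counterpart. The domain and report addresses are placeholders.

```python
# Constructed DMARC records for a hypothetical domain: a monitoring-only
# record as commonly first published, and the enforced record it should
# become once aggregate reports show all legitimate senders aligned.
WEAK_RECORD = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lowercase tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_weaknesses(record: str) -> list[str]:
    """Return the reasons a DMARC record would still let spoofed mail through."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["missing or invalid v=DMARC1 tag; receivers ignore the record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in {"none", "quarantine", "reject"}:
        issues.append("p tag missing or invalid; record is not enforceable")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine marks spoofed mail as suspicious instead of rejecting it")
    # pct samples the policy; anything below 100 leaves a share of failing mail unpoliced
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    # sp defaults to p; subdomains are a favourite for look-alike spoofing
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        issues.append(f"subdomain policy sp={sub_policy} is weaker than reject")
    if "rua" not in tags:
        issues.append("no rua address; no aggregate reports showing who spoofs the domain")
    # relaxed alignment (the default) accepts any subdomain of the organizational domain
    if tags.get("adkim", "r") != "s" or tags.get("aspf", "r") != "s":
        issues.append("relaxed alignment: any subdomain of the organizational domain aligns")
    return issues


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(label, dmarc_weaknesses(record) or ["no weaknesses found"])
```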
What should employees do when they receive a suspicious or urgent request?
Employees should pause and avoid interacting with links or attachments. If the request appears legitimate, they should verify the sender’s identity using known, trusted contact methods such as a confirmed phone number or manually typed URL. This verification step is essential for preventing successful impersonation attacks.
How can organizations protect users from malicious websites, drive-by downloads, or SEO poisoning?
Protective DNS services block attempts to reach known malicious domains. Application allowlisting and EDR ensure that only approved software can run on endpoints. Sandboxed browsers provide an additional layer of isolation, helping limit the impact of web-based threats. These approaches strengthen defenses against attacks that begin with deceptive links or search results.
How do third parties and MSPs influence social engineering risk?
Attackers often target service providers because of their trusted access to client environments. Organizations should assess the cyber hygiene practices of all third parties and enforce least privilege for the access they receive. Clear contractual requirements and ongoing monitoring help reduce the likelihood that a compromise at a partner organization becomes an entry point into internal systems.