Social engineering
Manipulating a person — rather than exploiting a software flaw — to obtain credentials, money, or access; the umbrella category under which phishing, vishing, and BEC sit.
Social engineering is the practice of manipulating a person into performing an action — handing over credentials, approving a payment, granting access, divulging information — rather than exploiting a software flaw to obtain the same result. It is the umbrella concept under which phishing, spear-phishing, vishing, qishing, OAuth phishing, BEC, pretexting, baiting, and tailgating all sit.
The Verizon DBIR has, year after year, identified the human element — social engineering, error, misuse — in roughly three quarters of breaches. The exact figure shifts annually, but the trendline is consistent: when defenders harden the technical surface, attackers shift load to the human one, because that’s where the path of least resistance is.
Defining mechanisms — what makes social engineering work:
- Authority. Impersonating the CEO, the IT director, ANSSI itself, or a regulator. The target’s cost of refusing seems higher than the cost of complying.
- Urgency. A wire deadline, a “your account will be locked,” a courier window. Time pressure suppresses the verification reflex.
- Reciprocity and rapport. A series of small, helpful exchanges before the ask — common in long-running vishing campaigns against helpdesks.
- Plausibility. OSINT-based personalization — names, projects, calendar entries, recent press — makes the lure indistinguishable from real correspondence.
- Scarcity. A “last seat at the training,” a “limited-time supplier change,” a “one-shot recovery code.” Manufactured scarcity narrows the choice set.
The defensive shift is from “train people not to fall for it” — a battle that, as the knowledge-behavior gap shows, is mostly lost — to “measure and reduce the actual fall rate” via realistic simulations and just-in-time nudges tied to the moment of risk. Two further levers reduce the attacker’s input: shrinking the public reconnaissance surface (exposed calendars, public Drive folders, oversharing on LinkedIn) and tightening procedural controls (out-of-band callback for payment changes, admin consent policies for OAuth, FIDO2 for any account that can move money or grant access). What remains after all of that is the behavioral residual, and that is the part Engarde is built to address.
Related terms
- Phishing. A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access — by email, SMS, voice, QR code, or OAuth consent.
- Spear-phishing. A targeted phishing attack crafted for a specific person or small group, using public OSINT to reach a credibility that bulk phishing cannot achieve.
- Business Email Compromise (BEC). A targeted fraud in which an attacker impersonates an executive, supplier, or counsel to redirect a legitimate payment — historically the single most financially damaging cybercrime category.
- Vishing (voice phishing). Phishing delivered over a voice call — increasingly combined with an email pretext and, since 2023, with AI-cloned voices of executives and colleagues.
- Qishing (QR phishing). Phishing in which the malicious link is delivered as a QR code rather than text, shifting the click from a managed laptop to an unmanaged personal phone.
- OAuth phishing / consent phishing. An attack that tricks a user into granting a malicious third-party app persistent OAuth access to their mailbox, files, or workspace — bypassing MFA entirely.
- Knowledge-behavior gap. The empirically documented gap between what employees know about cybersecurity and what they actually do at the moment of decision.
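The “admin consent policies for OAuth” control mentioned above, and the consent-phishing pattern it counters, can be made concrete with a small policy evaluator. This is an added illustration, not Engarde code and not any identity provider’s real policy engine: the scope names are genuine Microsoft Graph permission names, while the risk tiers, decision thresholds and sample apps are constructed for the example.

```python
"""Toy OAuth consent-policy evaluator: decides whether a third-party app's
consent request may be self-approved by the user, must go to an admin, or
is refused. Constructed example; thresholds and sample apps are assumptions."""
from dataclasses import dataclass

# Scopes granting persistent or broad access to mail, files or workspace.
# Consent phishing typically pairs one of these with offline_access (a
# refresh token), so access survives password resets and is not re-prompted
# for MFA. These are real Microsoft Graph permission names.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All",
    "Sites.Read.All", "Sites.ReadWrite.All",
}
# Sign-in-only scopes that a user may consent to on their own (assumption).
LOW_RISK_SCOPES = {"openid", "profile", "email", "User.Read"}


@dataclass
class ConsentRequest:
    app_name: str
    publisher_verified: bool   # did the IdP verify the app publisher?
    scopes: set


def evaluate_consent(req: ConsentRequest) -> tuple:
    """Return (decision, reasons); decision is 'user_consent_ok',
    'admin_consent_required' or 'block'."""
    reasons = []
    high = req.scopes & HIGH_RISK_SCOPES
    persistent = "offline_access" in req.scopes
    unknown = req.scopes - HIGH_RISK_SCOPES - LOW_RISK_SCOPES - {"offline_access"}
    if high:
        reasons.append(f"high-risk scopes: {sorted(high)}")
    if persistent:
        reasons.append("offline_access requested (refresh token, persistent access)")
    if not req.publisher_verified:
        reasons.append("publisher not verified")
    if unknown:
        reasons.append(f"scopes outside the policy allow-list: {sorted(unknown)}")
    # Unverified publisher + persistent mailbox/file access is the textbook
    # consent-phishing shape: refuse outright instead of burdening an admin.
    if high and persistent and not req.publisher_verified:
        return "block", reasons
    # Anything beyond plain sign-in needs a human with context to approve.
    if high or unknown or not req.publisher_verified:
        return "admin_consent_required", reasons
    return "user_consent_ok", reasons
```

Routing the middle tier to an administrator, rather than to the targeted user, is what removes the urgency-driven click from the decision path.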