Social Engineering | March 12, 2026 | 8 min read

Social Engineering: When They Hack the Human, Not the System

Why Is the Human the Weakest Link?

Modern security stacks block most purely technical attacks. But no firewall stops a phone call from "bank security" that talks you into transferring the money to the fraudsters yourself.

Social engineering manipulates people rather than machines. It exploits predictable psychological mechanisms instead of software flaws, which is why no patch fixes it.

Key Psychological Triggers

Authority — the attacker poses as a boss, IT staff, or tax inspector. "This is your system administrator, I urgently need your password for maintenance."

Urgency — time pressure disables critical thinking. "If you don't confirm your details right now, your account will be frozen."

Reciprocity — the fraudster does something "nice" first, then asks for a favor.

Social proof — "all your colleagues have already completed the system update."

Scarcity — "this offer is only for the first 10 customers."

Liking — the attacker builds rapport before making a request.

Common Scenarios

Pretexting

The fraudster builds a plausible cover story (a "legend"): IT support, a new employee, an auditor. They then call and ask seemingly harmless questions one at a time, each answer making the next request more credible, so no single question looks like an attack.

Baiting

A USB drive labeled "Salaries 2026" is left in the office elevator. The drive carries malware, or poses as a keyboard and types commands the moment it is plugged in. In controlled drop experiments, about 45% of found drives were plugged in.

Quid Pro Quo

"I'm from IT, are you having computer problems?" The caller offers "help" in exchange for credentials or remote access to the machine.

Tailgating

Gaining physical access to a secured area by following an authorized person through the door: the attacker carries a stack of boxes and asks someone to hold it, relying on politeness to bypass the badge check.

How to Protect Yourself

  1. Verify callers: hang up and call back on a number you look up yourself (the official website or the internal directory), never one the caller gives you
  2. Don't yield to urgency: legitimate organizations give you time to think and to check
  3. Never disclose passwords, PINs, or one-time codes over phone or chat, whoever is asking; no legitimate IT or bank process needs them
  4. Employee training: regular social engineering simulations, plus a clear, blame-free channel for reporting suspected attempts
  5. Use temporary contacts when dealing with unfamiliar organizations: a temporary email instead of your real one, so a leaked or sold address does not expose your main contact point

Test: Spot the Attack

"Hello, this is Alex from IT Security. We detected unauthorized access to your account from Germany. To block the attacker, I need your current password and the SMS code right now."

This is classic pretexting with authority, urgency, and fear triggers. The giveaway is the request itself: a genuine IT security team can lock or reset an account without ever knowing your password, and asking for the SMS code is a sign the caller is trying to log in as you at that moment and needs the second factor. Correct response: hang up, contact IT via the company's internal number, and report the call.