What Is Social Engineering? 6 Attack Types to Know (2026)
The most sophisticated firewall in the world cannot stop an employee who has been tricked into handing over their credentials voluntarily. Social engineering attacks human psychology — not software. Understanding the 6 main attack types is the first step to defending against them.
Quick Answer
Social engineering is any technique that manipulates people into revealing information or taking actions that compromise security. Unlike hacking, it exploits human psychology — trust, authority, urgency, fear, and helpfulness — rather than software vulnerabilities. The 6 main types are: phishing, pretexting, baiting, tailgating, quid pro quo, and watering hole attacks.
Social engineering — the numbers
These are widely quoted industry estimates rather than measured figures; use them as indicators of scale, not as precise statistics.
- 98% of cyberattacks rely on social engineering
- $2.4B in BEC (Business Email Compromise) losses reported to the FBI's IC3 in 2021
- 3B+ phishing emails sent daily
- 70% of people will open an email from an unknown sender
Why Social Engineering Works on Everyone
Social engineering works not because people are stupid, but because it exploits genuinely useful human traits. In a safe environment, responding to authority, trying to be helpful, and trusting people who know details about you are all appropriate behaviours.
Attackers study psychological principles and apply them deliberately:
- Authority: "This is Microsoft Support / HMRC / your manager." People comply with authority figures even when suspicious.
- Urgency: "Your account will be suspended in 24 hours." Panic bypasses careful thinking.
- Social proof: "Your colleague John already confirmed his details." Conformity makes people follow perceived norms.
- Reciprocity: "I helped you with X — now I just need you to confirm Y." We feel obligated to return favours.
- Scarcity: "This offer expires in 10 minutes." Scarcity creates urgency to act without reflecting.
- Liking: Attackers build rapport, share common interests, and mirror the target's communication style to build trust.
6 Social Engineering Attack Types Explained
Phishing
Email / SMS / Voice
Mass or targeted communications that appear to be from trusted sources, designed to trick recipients into clicking links, downloading attachments, or revealing credentials.
Variants:
- Spear phishing: Targeted at specific individuals using personalised information
- Whaling: Targets executives (CEO, CFO) for high-value fraud
- Smishing: SMS-based phishing ("Your package is held — click here")
- Vishing: Voice call phishing, often impersonating banks or HMRC/IRS
Real-world example:
In July 2020, attackers phoned Twitter employees posing as IT support (a vishing attack) and talked them into handing over credentials for internal account tools. They targeted 130 accounts and took over about 45 of them, including Barack Obama's and Elon Musk's, to post a Bitcoin scam.
How to defend against it:
Verify unexpected requests via a separate channel. Check the email's authentication results (SPF, DKIM and DMARC) and whether the Reply-To domain matches the From domain. Never provide credentials to someone who called you.
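"Check email headers" is easier said than done, so here is what a mail gateway actually does with the Authentication-Results header, reproduced as an added example (not code from the page or from any product it mentions). It takes the constructed headers of three messages, replays the DMARC alignment decision, and adds two cheap tells the authentication checks miss: a Reply-To pointing at another domain, and an email address hidden inside the display name. The DMARC policy lookup is a dictionary standing in for the DNS query at _dmarc.<domain>, and the organisational-domain logic is simplified; both are assumptions.

```python
"""Email authentication check for a suspicious message (added example).

Constructed headers only; no network. The DMARC policy lookup is a dict
standing in for the DNS TXT query at _dmarc.<domain> (assumption), and
the organisational-domain logic is simplified (see org_domain).
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Assumed DMARC records for the sender domains (normally fetched from DNS).
DMARC_POLICIES = {
    "bank-example.com": {"p": "reject", "adkim": "r", "aspf": "r"},
    "corp-example.com": {"p": "reject", "adkim": "r", "aspf": "r"},
}
NO_POLICY = {"p": "none", "adkim": "r", "aspf": "r"}  # domain publishes no DMARC record

# Constructed sample messages (headers only, as a receiving gateway would have stamped them).
LEGIT = """\
From: "Example Bank" <alerts@bank-example.com>
Return-Path: <bounces@notify.bank-example.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=notify.bank-example.com;
 dkim=pass header.d=bank-example.com
Subject: Your statement is ready

"""

SPOOFED = """\
From: "IT Support" <helpdesk@corp-example.com>
Reply-To: helpdesk@corp-example-support.com
Return-Path: <bounce@mailer.bulk-example.net>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=mailer.bulk-example.net;
 dkim=pass header.d=bulk-example.net
Subject: Urgent: your password expires in 24 hours

"""

DISPLAY_NAME_SPOOF = """\
From: "ceo@corp-example.com" <quick.reply.2026@freemail-example.net>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=freemail-example.net;
 dkim=pass header.d=freemail-example.net
Subject: Are you at your desk? Need a favour

"""


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    Production evaluators use the Public Suffix List (co.uk, com.au ...)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim verdicts, and the domains they were checked against,
    out of an Authentication-Results header written by the receiving gateway."""
    out = {"spf": None, "spf_domain": "", "dkim": None, "dkim_domain": ""}
    m = re.search(r"\bspf=(\w+)(?:[^;]*smtp\.mailfrom=([\w.@-]+))?", value, re.I)
    if m:
        out["spf"] = m.group(1).lower()
        out["spf_domain"] = (m.group(2) or "").split("@")[-1]
    m = re.search(r"\bdkim=(\w+)(?:[^;]*header\.d=([\w.-]+))?", value, re.I)
    if m:
        out["dkim"] = m.group(1).lower()
        out["dkim_domain"] = m.group(2) or ""
    return out


def evaluate(raw_headers: str, policies: dict = DMARC_POLICIES) -> dict:
    """Reproduce the receiver's DMARC verdict and add two cheap spoofing tells."""
    msg = HeaderParser().parsestr(raw_headers)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.split("@")[-1].lower()
    ar = parse_auth_results(msg.get("Authentication-Results", ""))
    rec = policies.get(org_domain(from_domain), NO_POLICY)

    # DMARC passes if either SPF or DKIM passed AND its domain aligns with the From domain.
    spf_ok = ar["spf"] == "pass" and aligned(ar["spf_domain"], from_domain, rec["aspf"])
    dkim_ok = ar["dkim"] == "pass" and aligned(ar["dkim_domain"], from_domain, rec["adkim"])
    dmarc_pass = spf_ok or dkim_ok

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.split("@")[-1].lower() if reply_addr else from_domain
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if dmarc_pass else "fail",
        # what happens to a DMARC failure depends on the policy the sender domain publishes
        "disposition": "deliver" if dmarc_pass else rec["p"],
        # replies silently going to another domain is the classic BEC set-up
        "reply_to_mismatch": org_domain(reply_domain) != org_domain(from_domain),
        # an address inside the display name hides the real (free-mail) sender on phones
        "address_in_display_name": "@" in display,
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("display-name", DISPLAY_NAME_SPOOF)):
        print(name, evaluate(raw))
```

The third sample is the one to remember: SPF and DKIM both pass, DMARC passes, and the gateway delivers it, because the attacker really does control freemail-example.net. The spoof lives entirely in the display name, which is all most phone mail clients show.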
Pretexting
Phone / Email / In Person
Creating a fabricated scenario (the "pretext") to manipulate a victim into providing information or taking action. The attacker researches the target extensively to make their story believable.
Variants:
- IT impersonation: "This is IT support — we detected a problem with your account"
- Survey fraud: Posing as a researcher to gather personal data under cover of a survey
- Authority impersonation: Posing as HMRC, IRS, police, or company executives
Real-world example:
In the 2006 Hewlett-Packard pretexting scandal, investigators hired by the company obtained private phone records of board members and journalists by impersonating them to phone companies, supplying enough personal information to pass the carriers' identity checks.
How to defend against it:
Treat all unsolicited contacts requesting information or action with suspicion. Establish a verification procedure and follow it regardless of urgency.
Baiting
Physical / Digital
Leaving physical media (USB drives, CDs) or digital lures containing malware in places where targets will find them, relying on human curiosity to trigger the attack.
Variants:
- USB drop: Infected USB drives left in car parks, reception areas, or lifts
- Free download bait: Free software, music, or movies that bundle malware
- QR code bait: Fake QR codes in public places redirecting to malicious sites
Real-world example:
In a 2015 experiment, University of Illinois researchers dropped 297 USB drives around their campus. 98% of the drives were picked up, and on 45% of them someone plugged the drive in and opened a file; in a real attack that file would have been the malware.
How to defend against it:
Never plug in a USB drive you found or received unexpectedly. Scan QR codes with a scanner that previews the URL before loading. Use SafeSearchScan's URL checker for any URLs from QR codes.
Tailgating / Piggybacking
Physical
Gaining physical access to restricted areas by following an authorised person through a secured door, often by exploiting politeness — most people hold doors open when asked.
Variants:
- Delivery impersonation: Carrying boxes to justify asking someone to hold the door
- Distraction entry: Creating a diversion while an accomplice enters through a secured door
Real-world example:
During penetration testing exercises, security researchers routinely gain access to corporate offices simply by wearing a suit and carrying boxes, timing their entry with legitimate employees. Many companies have no formal tailgating countermeasures beyond the locked door itself.
How to defend against it:
Never hold secure doors open for people you don't recognise. Challenge unfamiliar people politely. Physical security is as important as digital security.
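One countermeasure a badge system can give you for free is an anti-passback check over the door-controller log: every badge should alternate in and out at a zone boundary, so an "out" with no earlier "in" means the holder walked in behind someone, and an "in" while already inside means they walked out behind someone (or the badge was cloned). This is an added example, not from the page; the log lines are constructed and their key=value format is an assumption, since real controllers export their own formats.

```python
"""Anti-passback check over door-controller logs (added example).

Constructed log lines; the key=value format is an assumption. Every badge
should alternate in/out at a zone boundary, so each break in that
alternation is a physical-access inconsistency worth a human look.
"""
from datetime import datetime

# Constructed sample log: badge 1003 leaves without ever badging in,
# badge 1002 badges in twice without badging out in between.
LOG = """\
2026-01-12T08:01:10 reader=lobby-A dir=in  badge=1001
2026-01-12T08:01:12 reader=lobby-A dir=in  badge=1002
2026-01-12T12:30:05 reader=lobby-A dir=out badge=1001
2026-01-12T12:30:07 reader=lobby-A dir=out badge=1003
2026-01-12T13:15:40 reader=lobby-A dir=in  badge=1001
2026-01-12T13:16:02 reader=lobby-A dir=in  badge=1002
"""


def parse_line(line: str) -> dict:
    """Turn '2026-01-12T08:01:10 reader=lobby-A dir=in badge=1001' into a dict."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def anti_passback(log_text: str) -> list:
    """Return one violation per event that breaks the in/out alternation for a badge."""
    inside = set()          # badges currently believed to be inside the zone
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        badge, direction = ev["badge"], ev["dir"]
        if direction == "in":
            if badge in inside:
                violations.append({"badge": badge, "ts": ev["ts"].isoformat(), "reader": ev["reader"],
                                   "reason": "entered twice: left without badging out (tailgated out or cloned badge)"})
            inside.add(badge)
        elif direction == "out":
            if badge not in inside:
                violations.append({"badge": badge, "ts": ev["ts"].isoformat(), "reader": ev["reader"],
                                   "reason": "exited without entering: likely tailgated in"})
            inside.discard(badge)
    return violations


if __name__ == "__main__":
    for v in anti_passback(LOG):
        print(v)
```

The check only sees people who badge at least once; someone who tailgates in and out never appears. That is why it pairs with, rather than replaces, the habit of challenging unfamiliar people at the door.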
Quid Pro Quo
Phone / Email
Offering something of value in exchange for information or access. Attackers exploit reciprocity — the human instinct to return favours — to extract credentials or access.
Variants:
- IT assistance: "I'll fix your computer problem if you give me temporary access"
- Survey rewards: Offering gift cards or prizes in exchange for detailed personal information
- Tech support scam: Cold-calling and offering free "virus removal" in exchange for remote access
Real-world example:
Tech support scammers cold-call victims, claim their computer has a virus (often citing a fake "Windows error"), and offer to fix it remotely — gaining full access to the machine, financial accounts, and personal files.
How to defend against it:
Be suspicious of anything offered unsolicited. Legitimate IT support does not cold-call. Never grant remote access to someone who contacted you.
Watering Hole Attack
Digital / Website
Rather than targeting victims directly, attackers compromise websites the target is known to visit ("the watering hole"), infecting all visitors who trust those sites.
Variants:
- Industry site compromise: Compromising a niche industry website frequently visited by a target organisation
- Supply chain compromise (closely related): trojanising software or updates the target installs, via a compromised vendor
Real-world example:
In January 2021, Google's Threat Analysis Group reported a campaign in which attackers posing as security researchers built a fake research blog and social-media personas and invited real researchers to visit. Some who visited with fully patched Chrome and Windows were infected, which pointed to a browser exploit. The site looked like a legitimate research blog to its victims.
How to defend against it:
Keep browsers and plugins updated. Use browser-level protection. Check URLs with a URL checker, even for familiar sites if behaviour seems unusual.
General Defences Against Social Engineering
While no technique stops all social engineering attacks, these habits dramatically reduce your risk:
1. Slow down: Urgency is the attacker's tool. If you feel pressured to act immediately, that's a red flag. Take 60 seconds to verify before acting.
2. Verify out-of-band: If someone calls claiming to be IT support or your bank, hang up and call back on a number you know to be legitimate, not one they gave you.
3. Think before you click: Hover over links, check sender email addresses, and run any suspicious link through a URL checker before visiting.
4. Least privilege principle: Share only the minimum information necessary. Legitimate organisations rarely need the specific details social engineers ask for.
5. Trust your instincts: If something feels off (the caller is too familiar, the request is unusual, the urgency seems manufactured) it probably is. Verify before proceeding.
6. Report suspicious contacts: In a work context, report suspicious calls or emails immediately so colleagues can be warned. At home, report phishing to Action Fraud (UK) or the FTC (US).
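"Hover over the link", "preview the QR code's URL" and "check the URL even for familiar sites" all come down to the same inspection, so here it is once, as an added example that is not code from the page or from any product it mentions. It reads a URL offline and reports the tricks that make a hostile link look familiar: a brand used as a subdomain, a typosquat within two edits, a Cyrillic-letter homoglyph hidden behind an xn-- label, credentials in front of an @ that hide the real host, a raw IP, and a redirect parameter carrying the real destination. KNOWN_BRANDS is an assumed allowlist of the domains you actually trust, the sample URLs are constructed, and the registrable-domain logic is simplified.

```python
"""Inspect a URL before visiting it: hover text, QR code, shortener (added example).

Constructed URLs only; KNOWN_BRANDS is an assumed allowlist of the domains
you actually trust. Stdlib only and no network, so it cannot follow live
redirects; it only reads the ones already embedded in the URL.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

KNOWN_BRANDS = {"bank-example.com", "corp-example.com"}
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto", "u"}
# A few Cyrillic letters that render like Latin ones (tiny subset of Unicode confusables).
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p",
                             "с": "c", "х": "x", "у": "y", "і": "i"})

# Constructed sample URLs (the homoglyph one is built at runtime from a Cyrillic 'а').
SAMPLES = {
    "legit": "https://www.bank-example.com/login",
    "subdomain": "https://bank-example.com.secure-update-example.net/login",
    "homoglyph": "https://" + "bаnk-example.com".encode("idna").decode("ascii") + "/login",
    "userinfo": "https://www.bank-example.com@203.0.113.5/login",
    "shortener": "https://t.shortener-example.net/r?url=https%3A%2F%2Fbank-examp1e.com%2Flogin",
}


def org_domain(host: str) -> str:
    """Registrable domain, simplified to the last two labels (no Public Suffix List)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url: str, brands=KNOWN_BRANDS, depth: int = 0) -> dict:
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    try:  # show xn-- labels the way the address bar would render them
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass
    org = org_domain(host)
    findings = []

    if parts.username is not None:  # https://bank@evil: everything before '@' is ignored
        findings.append(f"credentials in URL: '{parts.username}' is not the host, '{host}' is")
    try:
        ipaddress.ip_address(host)
        findings.append(f"raw IP address as host: {host}")
    except ValueError:
        pass
    if any(ord(c) > 127 for c in host):
        findings.append(f"non-ASCII host {host!r} (possible homoglyph)")
        skeleton = org_domain(host.translate(CONFUSABLES))
        if skeleton in brands and org not in brands:
            findings.append(f"homoglyph of {skeleton}")
    for brand in brands:
        if org == brand:
            continue  # the brand really owns this registrable domain
        if brand in host:
            findings.append(f"{brand} appears as a subdomain of {org}")
        elif brand.split(".")[0] in org:
            findings.append(f"brand name of {brand} embedded in {org}")
        elif edit_distance(org, brand) <= 2:
            findings.append(f"typosquat: {org} is within 2 edits of {brand}")
    if depth < 2:  # unpack redirect parameters and inspect the real destination too
        for key, values in parse_qs(parts.query).items():
            if key.lower() in REDIRECT_PARAMS:
                for target in values:
                    if target.lower().startswith(("http://", "https://")):
                        findings.append(f"redirect parameter {key} -> {target}")
                        inner = inspect_url(target, brands, depth + 1)
                        findings.extend(f"redirect target: {f}" for f in inner["findings"])
    return {"url": url, "host": host, "org_domain": org, "findings": findings,
            "verdict": "suspicious" if findings else "no findings"}


if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, inspect_url(url))
```

Two caveats a practitioner should keep in mind: a clean report is not a safe link (a compromised legitimate site, as in the watering-hole section, passes every check here), and the two-label registrable-domain shortcut misfires on suffixes such as co.uk, which is why real checkers use the Public Suffix List.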
Frequently Asked Questions
Why is social engineering so effective?
Social engineering exploits fundamental human psychology: our desire to be helpful, our tendency to trust authority, our fear of consequences, and our inclination to act quickly under pressure. No software patch can fix human instincts. Attackers study psychological principles like reciprocity, social proof, scarcity, and urgency (the same principles used in marketing) and weaponise them. Awareness is the first line of defence, backed by verification procedures and technical controls, which is why training matters.
What's the difference between social engineering and phishing?
Phishing is one type of social engineering — specifically, the type conducted via email (or SMS as "smishing", or phone as "vishing"). Social engineering is the broader category of any manipulation technique that exploits human psychology to gain unauthorised access or information. All phishing is social engineering, but social engineering also includes pretexting, baiting, tailgating, quid pro quo attacks, and more.
How can I protect my organisation from social engineering?
The most effective defences are: (1) Regular security awareness training for all staff, including simulated phishing tests; (2) Strict verification procedures for any request involving access, payments, or sensitive data; (3) A "verify out-of-band" policy — always confirm suspicious requests via a separate channel (call the person back on a known number); (4) Clear reporting mechanisms so employees feel safe reporting suspicious contacts; (5) Technical controls like email authentication (SPF/DKIM/DMARC) that reduce spoofing.
Can social engineering attacks happen in person, not just online?
Absolutely — in-person social engineering was common long before the internet. Tailgating (following someone through a secure door) and impersonation (posing as a delivery person, IT technician, or inspector) are physical social engineering attacks. Even "dumpster diving" — going through rubbish for documents containing useful information — is a recognised social engineering technique.