Social engineering and phishing
Social engineering attacks target people instead of software flaws. The attacker's goal is to manipulate trust, urgency, fear, or routine behavior so a victim reveals information, clicks a link, opens a file, or grants access.
Interview answer
"Social engineering is the use of deception and psychological manipulation to make a person reveal sensitive information or perform an unsafe action. Phishing is one of the most common examples because it tricks users through email, messages, or fake websites rather than by directly exploiting software."
Why these attacks work
Attackers often rely on a few recurring tactics:
| Tactic | What it looks like |
|---|---|
| Authority | Pretending to be a manager, executive, bank, or IT team |
| Urgency | Claiming an account will be locked or payment is overdue |
| Fear | Threatening a penalty, breach, or disciplinary action |
| Curiosity | Offering a document, invoice, or confidential file |
| Familiarity | Mimicking a coworker, vendor, or internal process |
Common phishing types
| Type | Meaning | Example |
|---|---|---|
| Phishing | Broad message sent to many users | Fake bank or Microsoft 365 email |
| Spear phishing | Targeted message aimed at a person or team | Email crafted for HR, finance, or a manager |
| Whaling | Spear phishing aimed at executives | Fake legal notice or urgent wire instruction |
| Smishing | Phishing through SMS | Delivery message with a malicious link |
| Vishing | Phishing through phone calls | Caller pretending to be support or a bank |
| Business email compromise | Abuse of a real or spoofed business email account | Fake invoice or payment redirection |
Other social engineering techniques
| Technique | Meaning | Example |
|---|---|---|
| Pretexting | Inventing a believable scenario to request information | Fake IT support call |
| Tailgating | Entering a restricted area by following an authorized person | Walking through a badge door behind an employee |
| Baiting | Leaving something tempting for the victim to use | Malicious USB drive labeled with payroll data |
| Quid pro quo | Offering help or a reward in exchange for information | "I can fix your laptop if you share your credentials" |
How organizations reduce the risk
- run security awareness training regularly
- use MFA so a stolen password is not enough
- improve email filtering and domain protections such as SPF, DKIM, and DMARC
- require stronger approval workflows for payments and sensitive requests
- use EDR and web protections in case a user clicks anyway
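The SPF and DMARC controls in the list above only help when the published records are strict. The following is an added example (not part of the original notes) that evaluates a domain's SPF and DMARC TXT records for the weak settings that leave spoofing unchecked; the records are constructed sample strings, so no DNS lookup is performed.

```python
"""Added example: flag weak SPF/DMARC settings that let spoofed mail through."""
import re

# Qualifier on the SPF "all" mechanism decides what happens to unlisted senders.
SPF_ALL_MEANING = {
    "-all": "fail: unlisted senders are rejected",
    "~all": "softfail: unlisted senders are only flagged",
    "?all": "neutral: no protection",
    "+all": "pass: anyone may send as this domain",
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_all_mechanism(record):
    """Return the 'all' mechanism with its qualifier ('+' is the default)."""
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", record)
    if not match:
        return None  # no 'all' at the end behaves like neutral
    return (match.group(1) or "+") + "all"

def assess_domain(spf_record, dmarc_record):
    """Return a list of findings; an empty list means both records are strict."""
    findings = []
    if not spf_record or not spf_record.lower().startswith("v=spf1"):
        findings.append("no SPF record: any host may claim to send for this domain")
    else:
        mech = spf_all_mechanism(spf_record)
        if mech != "-all":
            findings.append(f"SPF ends with '{mech}' ({SPF_ALL_MEANING.get(mech, 'no all mechanism')})")
    tags = parse_dmarc(dmarc_record) if dmarc_record else None
    if tags is None:
        findings.append("no DMARC record: receivers get no policy for mail that fails SPF/DKIM")
    else:
        if tags.get("p", "none").lower() == "none":
            findings.append("DMARC p=none: failing mail is still delivered, only reported")
        if int(tags.get("pct", "100")) < 100:
            findings.append(f"DMARC pct={tags['pct']}: policy applies to only part of failing mail")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: no aggregate reports to spot spoofing")
    return findings
```

Run `assess_domain("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=none")` to see the weak-configuration findings, and compare with a `-all` / `p=reject` pair, which returns no findings.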
Common interview questions
What is the difference between phishing and spear phishing?
Answer: Phishing is a broad attack sent to many people, while spear phishing is tailored to a specific person or group using details that make the message more believable.
How do you reduce the risk of a whaling attack?
Answer: Use executive awareness training, stronger email filtering, MFA, and approval controls for sensitive actions such as wire transfers, access changes, or legal document handling.
What is pretexting?
Answer: Pretexting is when an attacker invents a believable story or role to persuade a victim to share information or perform an action they would normally refuse.