Social engineering attacks do not exploit code. They exploit people. Instead of finding a software vulnerability, an attacker manipulates you into handing over credentials, opening a malicious file, or granting access directly. Technical controls can be bypassed entirely when the human in the loop is the weakest link. This page covers the most common social engineering techniques, the red flags that identify them, and the defenses that work.

Phishing

Phishing is the practice of impersonating a trusted entity — a bank, employer, government agency, or colleague — to trick you into revealing sensitive information or performing an action you wouldn’t otherwise take. The attacker’s goal is almost always one of: steal credentials, deliver malware, or initiate a fraudulent transaction.
Standard phishing casts a wide net. Spear phishing is targeted: the attacker researches a specific individual or organization and crafts a message that looks personally relevant.
A spear phishing email might reference your job title, your manager’s name, a recent project, or a vendor your company uses. This research comes from LinkedIn, company websites, social media, and data breaches.
Because the message feels specific and legitimate, spear phishing has a much higher success rate than generic phishing. It is the entry vector for the majority of serious corporate breaches.
Whaling is spear phishing directed at high-value targets — executives, CFOs, and other individuals with access to funds, sensitive systems, or strategic information.
A common whaling scenario is Business Email Compromise (BEC): an attacker impersonates a CEO and emails the CFO with urgent instructions to wire funds to an account. Because the request comes from “the CEO” and appears urgent, staff may comply without verifying through a second channel.
Losses from BEC attacks run into billions of dollars annually.
Vishing uses phone calls rather than email. The attacker calls posing as IT support, a bank fraud team, a government agency, or a vendor.
Vishing attacks often create urgency (“your account has been compromised and we need to verify your identity now”) to prevent you from pausing to think or verify. Caller ID spoofing makes it trivial to display a number that looks like it belongs to a legitimate organization.
AI-generated voice cloning has made vishing significantly more dangerous: attackers can clone a colleague’s or executive’s voice from a short audio sample and use it to issue convincing instructions.
Machine learning has lowered the cost of producing convincing phishing content at scale. Attackers use LLMs to generate grammatically correct, contextually appropriate messages in any language — eliminating the obvious spelling and grammar errors that used to be a reliable red flag.
On the defensive side, ML-based detectors analyze URLs, HTML structure, visual appearance, and domain reputation to flag phishing pages. Attackers respond by perturbing their pages specifically to evade these classifiers — for example, adding invisible HTML noise or using adversarially modified logos that humans read as legitimate but classifiers do not recognize.
This is an active arms race. PhishTank (phishtank.org) maintains a live database of verified phishing URLs that many detection systems use.

Spoofing

Spoofing is the act of falsifying identifying information to impersonate a trusted entity. It is often a component of a larger attack rather than an end in itself. Common spoofing techniques:
  • Email spoofing — forging the From: header so an email appears to come from a legitimate address. Without DMARC, DKIM, and SPF configured on the sending domain, this is straightforward.
  • IP spoofing — sending packets with a forged source IP address. Used in DDoS amplification attacks and to evade IP-based blocking.
  • Website spoofing — registering a domain visually similar to a legitimate one (e.g., paypa1.com, arnazon.com) and cloning the real site’s appearance to harvest credentials.
  • Caller ID spoofing — displaying an arbitrary phone number on the recipient’s screen, used in vishing campaigns.
A padlock icon (HTTPS) in the browser confirms the connection is encrypted, not that the site is legitimate. Phishing sites routinely obtain valid TLS certificates for their spoofed domains. Always verify the full domain name, not just the presence of HTTPS.

KARMA attacks

A KARMA attack exploits the way Wi-Fi devices automatically reconnect to known networks. Your device maintains a Preferred Network List (PNL) — a list of SSIDs (network names) you have connected to before. When Wi-Fi is enabled and no known network is in range, many devices broadcast probe requests advertising the SSIDs on their PNL, asking “is this network here?” An attacker listening nearby can capture those probe requests and immediately set up a rogue access point with a matching SSID. Your device, seeing what appears to be a familiar network, connects automatically — without any action from you. Once connected to the rogue AP, the attacker can:
  • Intercept and read unencrypted traffic (credentials, cookies, session tokens)
  • Inject malicious content into HTTP responses
  • Deliver malware by serving malicious files in place of legitimate downloads
Mitigations:
  • Disable Wi-Fi when you are not actively using it, especially in public places.
  • Set known networks to require manual connection rather than auto-joining.
  • Use a VPN, which encrypts your traffic regardless of the network you are on.
  • Prefer HTTPS everywhere — encrypted connections resist interception even on a compromised network.

Corporate espionage

Corporate espionage is the theft of confidential business information — trade secrets, product designs, client lists, financial plans, or strategic roadmaps — for competitive or financial advantage. Attackers include competitors, nation-state actors, and insiders. Methods range from targeted phishing and network intrusion to physical access and insider recruitment.
Advanced Persistent Threats (APTs) are the primary actors in high-stakes corporate espionage. APTs are well-funded, patient, and methodical: they may spend months inside a network, moving laterally and exfiltrating data slowly to avoid triggering alerts.
Insider threats are particularly difficult to detect because the actor already has legitimate access. A disgruntled employee, a contractor with excessive permissions, or a recruited insider can exfiltrate data in ways that look identical to normal work activity.
Defenses:
  • Apply least-privilege access — employees and systems should only access what they need for their current role.
  • Monitor for unusual data access patterns (mass downloads, after-hours access, large outbound transfers).
  • Segment networks so that a compromised endpoint cannot reach everything.
  • Conduct exit procedures that revoke access immediately when employees leave.

Red flags and defenses

Urgency, fear, and authority are the three psychological levers social engineering attacks rely on most. If a message pressures you to act immediately, threatens negative consequences for delay, or invokes someone powerful, slow down and verify through a separate, trusted channel before doing anything.
Red flags in messages:
  • Urgency or threats (“your account will be closed in 24 hours”)
  • Requests to bypass normal procedures (“don’t loop in IT, handle this directly”)
  • Unexpected requests for credentials, payment, or sensitive data
  • Links with domains that resemble but do not exactly match a known organization
  • Attachments you did not request
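One way to turn the red flags above, together with the look-alike domains from the Spoofing section, into a concrete check is to score an incoming message against them. This is an added example, not code from the original page; the domain allowlist, the homoglyph table, the keyword lists and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message built around the look-alike domains cited above.
SAMPLE_EMAIL = """From: "PayPal Security" <alerts@paypa1.com>
To: user@example.com
Subject: Urgent: your account will be closed in 24 hours

Verify your identity immediately at https://secure.paypa1.com/login or
access will be suspended. Do not contact support; handle this directly.
"""

KNOWN_DOMAINS = {"paypal.com", "amazon.com"}             # assumed allowlist
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o"}  # common glyph swaps
URGENCY = ("immediately", "urgent", "24 hours", "will be closed", "suspended")
BYPASS = ("do not contact", "don't loop in", "handle this directly")


def lookalike_of(host):
    """Return the known domain that `host` mimics, or None if exact or unrelated."""
    reg = ".".join(host.lower().split(".")[-2:])   # crude eTLD+1, enough here
    if reg in KNOWN_DOMAINS:
        return None                                # the genuine domain itself
    for glyph, real in HOMOGLYPHS.items():         # collapse look-alike glyphs
        reg = reg.replace(glyph, real)
    return reg if reg in KNOWN_DOMAINS else None


def score_message(raw):
    """Apply the red-flag checklist to one RFC 5322 message; return (score, reasons)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    mimic = lookalike_of(sender_domain)
    if mimic:
        reasons.append(f"sender domain {sender_domain} resembles {mimic}")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        mimic = lookalike_of(host)
        if mimic:
            reasons.append(f"link host {host} resembles {mimic}")
    if any(p in text for p in URGENCY):
        reasons.append("urgency or threat language")
    if any(p in text for p in BYPASS):
        reasons.append("request to bypass normal procedures")
    return len(reasons), reasons
```

A score of two or more is a reasonable threshold for routing the message to a reporting queue rather than the inbox; the keyword lists are deliberately small and should be tuned to the organization's own language.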
Organizational defenses:
  • Train staff to recognize phishing and verify unusual requests out-of-band (call the sender back on a number you already have, not one provided in the message)
  • Enforce MFA so that a stolen password alone is not enough to access systems
  • Implement email authentication (DMARC, DKIM, SPF) to reduce spoofed email reaching employees
  • Run regular phishing simulations to measure and improve organizational awareness
  • Establish a clear process for reporting suspicious messages without fear of embarrassment
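Whether the email authentication records named above (and in the email spoofing bullet earlier) actually stop forged mail depends on how they are written, so it is worth assessing them rather than only checking that they exist. This is an added example, not code from the original page; the SPF and DMARC TXT records are constructed for a hypothetical domain, and the lookup-count rule follows RFC 7208.

```python
# Constructed example records for a hypothetical domain; not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

# SPF terms that cost a DNS query; RFC 7208 caps them at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(record):
    """Return a list of weaknesses in an SPF TXT record (empty if it is strict)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: forged envelope senders are never rejected"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every host: SPF gives no protection")
    elif last == "~all":
        findings.append("'~all' soft-fails forgeries; many receivers still deliver them")
    elif last != "-all":
        findings.append("no terminal 'all': unlisted senders get a neutral result")
    lookups = sum(1 for t in terms[1:]
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].lower()
                  in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: record permerrors")
    return findings


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC TXT record (empty if it enforces)."""
    tags = {}
    for part in record.split(";"):          # DMARC records are 'tag=value;' lists
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: receivers are not told to reject spoofed From: headers"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag: receivers ignore the record")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports about spoofing never arrive")
    return findings
```

Feeding these functions the records fetched from DNS for your own domain shows whether a forged From: header would be rejected or merely reported; DKIM signing itself is checked on individual messages rather than on a published policy record.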