Social engineering is any attack that manipulates a person into doing something unsafe. The attacker may want a password, MFA code, payment, file download, remote access session, or internal information. Phishing is one form of social engineering, but it is not the only one.
Common social engineering types
- Phishing: fake messages that push links, attachments, or login pages.
- Vishing and smishing: phone and SMS-based manipulation.
- Pretexting: a fabricated story, such as support, HR, bank, delivery, or tax identity.
- Business email compromise: payment or invoice fraud using trust and urgency.
- Tech support scams: fake warnings that push remote access or payment.
| Type | Typical lure | Safe response |
|---|---|---|
| Phishing | Account alert, document, invoice, delivery | Open the service directly, not through the link |
| Vishing | Bank, support, government, delivery call | Hang up and call the official number |
| Smishing | SMS fine, toll, parcel, refund, bank alert | Do not tap; verify in the official app/site |
| Pretexting | Urgent story using authority or trust | Verify identity through a separate channel |
| Tech support scam | Virus alert or subscription charge | Do not install remote access; close the page |
CISA describes phishing and social engineering as attacks that use human interaction to trick users into breaking normal security procedures. The practical defense is to slow the request down and verify it outside the attacker’s channel.
Red flags
- Urgency, secrecy, fear, or pressure to act now.
- Requests for passwords, MFA codes, gift cards, crypto, wire transfers, or remote access.
- Links that do not match the claimed organization.
- Unexpected attachments or shared documents.
- Requests to bypass normal company procedure.
What to do before you act
- Pause and identify the requested action.
- Verify the person or company using a separate known channel.
- Inspect links and domains carefully.
- Do not share one-time codes or recovery codes.
- Report suspicious messages early.
Is phishing social engineering?
Yes. Phishing is one of the most common forms of social engineering.
Can social engineering happen without malware?
Yes. Many attacks steal money or credentials without installing anything on the device.
What is the strongest user habit?
Verify urgent requests through a separate trusted channel before clicking, paying, approving MFA, or sharing data.
Related: types of phishing attacks, phishing vs spoofing, fake Windows Defender alerts.
Sources: CISA social engineering guidance, FBI spoofing and phishing guidance.
