Social Engineering: Why Hackers Target People, Not Just Systems

In 2020, a teenager convinced Twitter employees to hand over internal admin tools by impersonating an IT staff member on the phone. The attacker then took over accounts belonging to Barack Obama, Elon Musk, and Apple — not through technical hacking, but through social engineering.

Common Social Engineering Tactics

• Pretexting — Creating a fabricated scenario (“I’m from IT and need your login to fix an urgent issue”).
• Vishing — Voice phishing calls impersonating banks, tech support, or government agencies.
• Baiting — Leaving USB drives in car parks, knowing curious employees will plug them in.
• Quid pro quo — Offering help or a reward in exchange for information.
• Tailgating — Following an authorised person through a secure door.

Why It Works

Social engineering exploits fundamental human traits: helpfulness, authority bias, urgency, curiosity, and the desire to avoid conflict. Security training that makes users paranoid and unhelpful is counterproductive. The goal is to build confident, calm verification habits — not fear.

Building Resistance

Legitimate IT teams, banks, and government agencies will never pressure you to act immediately, share credentials, or bypass normal procedures. When in doubt, hang up or close the email and call the organisation back on a number from their official website. This simple habit defeats the vast majority of social engineering attacks.