Social Engineering – How Hackers Trick People Not Computers

Think hackers only target computers? Think again. Learn how scammers exploit trust with phishing, fake calls, and USB attacks, and discover simple steps to protect yourself.


When people think of hackers, the image that comes to mind is probably that of someone in a dark hoodie, typing furiously in their basement. But in reality, many of the most successful cyberattacks don’t rely on complex tools or advanced exploits. They rely on something much simpler: people.  

In my previous blog, we examined phishing, one of the most common forms of social engineering. But phishing is just one piece of a much bigger puzzle. Social engineering covers a wide range of tactics designed to manipulate human behaviour and exploit trust.  

People are the weakest security link in any organisation, company, school, or even in the household. Everywhere.  

What is Social Engineering?  

Social engineering is the art of manipulating or deceiving someone into giving you information, access, or money. This could be through a dodgy email, a text message, or even a phone call. The goal is to get you to do something, like:  

  • Click a link  
  • Hand over information  
  • Provide access details  
  • Hand over money  
  • Plug in a device you shouldn’t  
  • Provide login credentials (username/email/password)  

It’s not always obvious, and the most dangerous social engineering attacks are the ones that look the most legitimate.  

Real-World Examples  

  1. “Hi Mum” WhatsApp scam  

Someone messages you pretending to be your son or daughter with a new number. They say they’ve lost their phone and urgently need help transferring money. Thousands have fallen for it because it pulls on your emotions.  

  2. Phishing email exposes the Democratic National Committee  

One of the most high-profile examples of social engineering happened during the 2016 U.S. election, when attackers gained access to the Democratic National Committee (DNC) emails.   

Hillary Clinton’s campaign chairman, John Podesta, received an email saying his Google account had been compromised and that he needed to reset his password. It looked urgent and official. He clicked the link, entered his login details, and just like that, the attackers had access to his emails. From there, they exfiltrated thousands of private messages, which were later leaked online, causing massive political fallout.   

  3. Fake IT Support Call compromises MGM Resorts  

In 2023, MGM Resorts was hit by a ransomware attack so bad that it shut down slot machines, digital room keys, booking systems, and even the lifts. How did it all start? With a phone call. A hacker rang the company’s IT help desk pretending to be a staff member and claimed they’d forgotten their password. All they had to do was provide a few bits of personal information (their name, date of birth, and employee ID) and the help desk reset the account. Job done. The real employee noticed the change too late, and by then, the attacker had access to MGM’s internal systems. Things escalated quickly from there, with the hackers deploying ransomware and causing millions in damage, all from one convincing phone call.   

  4. Stuxnet: The USB that sabotaged Iran’s Nuclear Plant  

Stuxnet is one of the most famous examples of a cyberattack that started with a USB stick. In 2010, what was deemed the first known cyberweapon was allegedly created by the U.S.A. and Israel to sabotage Iran’s nuclear programme. A piece of malware was placed on a USB stick; it infected the computers controlling industrial machinery and instructed them to behave abnormally, spinning uranium centrifuges until they broke, whilst reporting that everything was fine. Stuxnet was proof that you don’t need to fire a missile to take down infrastructure, just leave the wrong USB stick in the right place.  

Why Social Engineering Works  

Social engineering works so well because it bypasses the tech and goes straight for the human. Hackers know that even with all the firewalls, endpoint protection, and monitoring in the world… people are still fallible.  

We’re busy. We’re tired. We want to help. We don’t want to question a message from our boss or a phone call from IT. Social engineers know how to exploit this by creating urgency, fear or authority. Also note that every social engineering attempt requires you to take an action, like clicking on a link or handing over information or money.  

How to Protect Yourself from Social Engineering  

You don’t need to be technical to avoid social engineering. You just need to stay vigilant and suspicious, and slow down.   

  • Always question urgency – if a message says “act now” or “do this immediately”, that is usually a red flag.  
  • Don’t click links in unexpected messages – the best thing you can do is make your own way to the site. Search for it yourself in a search engine rather than clicking on a link.  
  • Verify – call back using a known number, not the one they contacted you on.  
  • Be cautious with unknown devices – never pick up or use an external device that you do not trust or whose origin you do not know. For example, do not ever plug in a random USB stick.  

Cybersecurity isn’t always about flashy gadgets or highly technical attacks, and we don’t all act and look like Q from James Bond. Some of the most effective and damaging attacks begin with simple tricks like a convincing lie and a well-timed message.  

Social engineering works because it targets people, not machines; it preys on trust, curiosity, and emotion. To avoid falling into the trap, stay aware, question unexpected requests, and always verify before responding. 

Always remember: if something feels off, pause and follow the safety steps outlined above. Staying alert is key to preventing social engineering attacks.