What is social engineering?

People can be manipulated. Some easier than others. In social engineering, this is used by cybercriminals. They use human psychology to extract confidential information from employees in order to gain access to systems to steal data, money and more. Cyber-criminals frequently use this 'social' and non-technical strategy to carry out targeted and broadly oriented attacks.

Types of social engineering attacks

Attackers have developed different ways to get your data. We have listed the seven most important ones.


This is the most common variant of social engineering. Phishing occurs when a hacker fraudulently communicates with a victim. The communication message seems very real. For example, the communication message encourages the recipient to click on a link in an email or download an attachment in an email message. This misleads the recipient because the link or attachment directly infects the device with malware. Malware, on the other hand, can also share personal, financial or business information with the cyber-criminal.

Business email compromise (BEC) is a form of phishing in which the login credentials of a corporate email account are stolen. BEC primarily occurs between businesses and organisations.


This variant is similar to phishing. But what makes it different is the promise of an item or product that attackers use to seduce victims. For example, they use the offer of free music or movie downloads. In this way, they want to seduce users to share their login details. Another way of baiting is when they leave a malware-infected device, such as a USB stick, in a place where someone is most likely to find it. This is based on our innate sense of curiosity; someone connects the USB stick to the laptop, and as a result, the laptop is infected with malware, perhaps even without the user noticing it.


This type targets senior executives and other high-profile targets within businesses. The messages are designed to look like critical business communications that require immediate attention.


Pretexting occurs when an attacker fabricates a false background story to manipulate a victim's access to sensitive data or protected systems.

Quid pro quo

A quid pro quo attack occurs when attackers request private information from someone in exchange for something or some type of compensation.

Spear phishing

Spear phishing is a very targeted form of a phishing attack. Spear phishing focuses on a specific individual or organisation. Spear phishing attacks are effective because the sender of an email or private message on social media, for example, matches a known person, a colleague or an employer. As a result, trust is gained in the recipient and the sender appears to be legitimate. People have much to do with spear-phishing attacks because email security is not in order, for example. After all, it seems as if the director is the sender of the email. For more information on email security, read our expert blog 'Decoding email security'.


Tailgating is a physical social engineering technique that occurs when someone, without proper authentication, follows an authorised employee to a secure location. For example, the person may impersonate a delivery person and walk with an employee to deliver a parcel. The purpose of tailgating is to gain valuable (intellectual) property, confidential business information or access to a secure location. This does not work at all companies. In larger organisations, you often need keycards to get past doors. In medium-sized companies, attackers often get the chance to have conversations with employees and use this familiarity to get past the counter.

Placeholder for Two engineers laughing behind screenTwo engineers laughing behind screen

How do you protect yourself against social engineering?

Protecting against social engineering attacks involves a mix of awareness, vigilance, and appropriate security measures. Here’s how you can safeguard yourself and your organisation:

Educate yourself

Ignorance is your biggest weakness and is extremely easy to exploit, making the uneducated the main target for attackers. Knowing what to look for and best practice techniques are your first and best layer of defence.

Be aware of the information you are releasing

This encompasses both verbal and social media. Sites like Instagram, Facebook and X are abundant sources of information and resources, from pictures to interests that can be played upon. A simple Google Maps search of your home or work address gives a bird’s eye view of the building and its surroundings.

Use Multi-Factor Authentication (MFA)

MFA adds an extra layer of protection, making it more difficult for attackers to gain access to your systems, even if they manage to get hold of user credentials. In this article, we explain more about the challenges with passwords.

Determine which of your assets are most valuable to criminals

Make sure you are protecting the right thing! When deciding which assets are most valuable to an attacker be sure not to focus solely on what you or the business find to be most valuable. Cyber attackers are interested in anything they can monetise.

Enforce and follow policies

After identifying which assets are most tempting to attackers, and the pretext they are likely to use to target it, write a security policy – and follow it! In a business context, all employees need to play their part. Everyone is a potential doorway into the business and its assets. It only takes one door to be ajar for an attacker to gain access

Keep your software up-to-date

Attackers using social engineering techniques are often seeking to determine whether you are running unpatched, out-of-date software. Staying on top of patches and keeping your software updated can mitigate much of this risk.

Incident response plan

Have a clear plan in place for responding to security incidents, including suspected social engineering attempts. This should include who to contact and steps to follow if someone suspects they are a target.

Don’t be the weak link… Be smart, be vigilant, be cyber secure!

Continuous practice

Today’s threat landscape poses a real risk to your sensitive data, profitability, and reputation. Cybersecurity must be a continuous practice that requires a clear understanding of how users, customers and applications access data and how devices are configured.

Nomios Netherlands has specialised in assessing, building, and managing enterprise information security for over 20 years. Our extensive engineering experience gives us an opportunity to develop security strategies and solutions that respond to your evolving business challenges.

Our expert security team helps you limit risk from modern-day threats.

Numbers don't lie

Social engineering by numbers

icon 98%
98% of all cyber attacks are dependent on social engineering
icon 56%
56% of IT decision makers say targeted phishing attacks are their biggest security threat
icon 66%
66% of all malware is installed via malicious e-mail attachments
icon $2.4
The average cost of a malware attack for an organisation is $2.4 million.
icon New employees
New employees
New employees are most susceptible to social engineering attacks, 60% of IT professionals say they are at high risk.
icon 3%
Only 3% of targeted users report malicious emails to management
Get in touch with our experts

Our team is ready for you

Do you want to know more about this topic? Leave a message or your number and we'll call you back. We are looking forward to helping you further.

Placeholder for EmailEmail
Send a message

More updates