What is social engineering
Part of the Small Business Cybersecurity series. Related: Password Best Practices For Business; How To Spot A Phishing Email.
Social engineering is the art of manipulating people into giving up confidential information, access, or money by exploiting human trust rather than technical flaws. Instead of hacking systems, attackers "hack" people through phishing emails, fraudulent phone calls, fake identities, and psychological pressure. Because it goes around technical defences rather than through them, even a well-patched, well-monitored network offers little protection on its own, which makes employee awareness, backed by verification procedures, the most important protection a Canadian business can build.
Common social engineering tactics
Attackers have a well-worn playbook of techniques:
- Phishing: deceptive emails (and texts or calls) that trick people into clicking, sharing, or paying.
- Pretexting: inventing a believable scenario, like posing as IT support or a vendor.
- Baiting: offering something tempting — a free download or a found USB drive — laced with malware.
- Tailgating: physically following an employee through a secured door.
- Business email compromise: impersonating an executive or supplier, from a lookalike domain or a genuinely compromised mailbox, to authorize fraudulent payments or redirect legitimate ones.
What unites them is misuse of trust, authority, or helpfulness. The technology is often incidental; the real target is a person's instinct to comply.
The psychology attackers exploit
Social engineering works because it pulls on predictable human levers:
- Authority: we tend to obey perceived bosses, officials, or experts.
- Urgency: pressure to act fast short-circuits careful thinking.
- Fear: threats of penalties or lost access prompt rash compliance.
- Trust and helpfulness: most people want to be cooperative.
- Curiosity and greed: tempting offers lower our guard.
Understanding these triggers is a defence in itself. When an email or call makes you feel rushed, scared, or eager to help an unexpected request, that emotional spike is a cue to stop and verify. Attackers depend on you reacting before reflecting.
Real-world business scenarios
Social engineering shows up in everyday situations that look routine:
- A caller claiming to be from "IT" asks an employee to confirm their password to "fix" an issue.
- An email appearing to be from the CEO requests an urgent, confidential wire transfer.
- A "supplier" emails new banking details for an upcoming invoice payment.
- A fake delivery notice prompts staff to log in on a spoofed page.
Each preys on normal workplace behaviour: being helpful, responsive, and deferential to authority. Because nothing technically "breaks," these attacks often pass through firewalls, antivirus, and even email filtering untouched; the message carries no malware, only a request. The defence is procedural and human: verify unusual requests independently, through a channel you already trust, before acting.
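The four scenarios above share sender-side tells that can be checked mechanically before anyone acts on the message. The Python example below is added here and is not part of the original article: it runs a handful of those checks over constructed sample messages, namely an executive's display name paired with an address the directory does not know, a sender or link domain that imitates the organisation's or a vendor's domain (one or two characters off, or the real domain buried inside a longer one), a Reply-To that steers replies elsewhere, and the urgency, fear and secrecy language from the psychology section. The organisation domain, the directory entry and the vendor domain are assumed values; the messages are constructed, not real samples. Genuine subdomains of a trusted domain are deliberately not flagged, since only the domain owner can create them.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed organisation data for this example (not from the article).
ORG_DOMAIN = "example-co.ca"
DIRECTORY = {"dana patel": "dana.patel@example-co.ca"}   # executives by display name
VENDOR_DOMAINS = {"northwind-supply.com"}                 # suppliers with details on file
TRUSTED = {ORG_DOMAIN} | VENDOR_DOMAINS
# Words that lean on urgency, fear or secrecy; two or more in one message is a signal.
PRESSURE = re.compile(
    r"\b(urgent|immediately|confidential|wire|today|do not (?:discuss|tell)|before end of day)\b",
    re.I)


def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if it is genuine or unrelated.
    A real subdomain (host ends with '.' + trusted) is genuine: only the owner can mint it."""
    host = host.lower().rstrip(".")
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return None
    for t in TRUSTED:
        # e.g. example-co.ca.account-verify.example, northwlnd-supply.com, example-co.co
        if t in host or 0 < levenshtein(host, t) <= 2:
            return t
    return None


def check_message(raw):
    """Return a list of human-readable findings for one RFC 822 message; empty means no tells."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # 1. Executive display name paired with an address the directory does not know.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but address {addr} is not the directory address {expected}")
    # 2. Sender domain imitating the organisation or a known vendor.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} resembles trusted domain {target}")
    # 3. Reply-To steering replies away from the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply} differs from sender domain {from_domain}")
    # 4. Links whose host imitates a trusted domain (the spoofed login page).
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        target = lookalike_of(host)
        if target:
            findings.append(f"link host {host} resembles trusted domain {target}")
    # 5. Pressure language: the urgency/fear/secrecy levers, in subject or body.
    hits = sorted({m.lower() for m in PRESSURE.findall(msg.get("Subject", "") + "\n" + body)})
    if len(hits) >= 2:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages, one per scenario plus a legitimate control.
CEO_WIRE = """From: Dana Patel <dana.patel@example-co.co>
To: accounts@example-co.ca
Reply-To: dana.patel.ceo@mail-relay.net
Subject: Urgent and confidential

I'm in a meeting and can't talk. I need a wire sent today to a new supplier.
Keep this confidential until I'm back.
"""
SUPPLIER_BANK = """From: Accounts <billing@northwlnd-supply.com>
To: payables@example-co.ca
Subject: Updated banking details for invoice 4471

Please note our bank account has changed. Use the new details for the next payment.
Call me at the number below if you have questions.
"""
DELIVERY = """From: Parcel Notifications <noreply@notify-parcels.example>
To: staff@example-co.ca
Subject: Action required: delivery on hold

Your package could not be delivered. Sign in immediately to reschedule:
https://example-co.ca.account-verify.example/login
"""
LEGIT = """From: Dana Patel <dana.patel@example-co.ca>
To: accounts@example-co.ca
Subject: Q3 forecast

Attached is the forecast. See https://intranet.example-co.ca/finance for the template.
"""

if __name__ == "__main__":
    for label, raw in [("CEO wire", CEO_WIRE), ("supplier bank change", SUPPLIER_BANK),
                       ("delivery notice", DELIVERY), ("legitimate", LEGIT)]:
        print(label, "->", check_message(raw) or "no findings")
```

These are heuristics, not a replacement for an email security gateway or for DMARC on your own domain: they catch the cheap impersonations, while a message sent from a genuinely compromised supplier mailbox shows none of these tells and is stopped only by the out-of-band verification described in the next section.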
Defending against social engineering
Since social engineering targets people, your strongest defences are awareness and process:
- Train staff regularly to recognize tactics and emotional manipulation.
- Verify independently: confirm sensitive requests through a separate, known channel.
- Establish strict procedures for payments and banking changes — never on a single email or call.
- Enable MFA so a tricked password doesn't grant access, and prefer phishing-resistant methods (FIDO2 security keys or passkeys) where you can: one-time codes and push approvals can themselves be phished in real time or worn down with repeated prompts.
- Foster a blame-free reporting culture so staff flag suspicious contact quickly.
Technical controls like MFA and email filtering reduce the damage, but a trained, sceptical workforce is the real firewall. For Canadian businesses, documented awareness training also supports due-diligence obligations under PIPEDA and Quebec's Law 25.
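The payment and banking-change procedure above can be written down as a rule that a finance system applies, so that nobody has to remember it under pressure. The Python example below is added here and is not part of the original article; the vendor record, the request and the staff names are constructed. It models the two controls the list calls for, an out-of-band callback and dual approval, and the one detail attackers count on: the email asking for the change usually supplies its own "call me to confirm" number. The rule therefore credits a callback only when it was made to the number captured at onboarding, never to the number in the request.

```python
from dataclasses import dataclass, field

# All records below are constructed for the example; none come from the article.


@dataclass(frozen=True)
class VendorRecord:
    """What accounts payable holds on file, captured when the vendor was onboarded."""
    name: str
    email_domain: str
    phone_on_file: str
    bank_account: str


@dataclass(frozen=True)
class BankChangeRequest:
    """What arrived by email. Nothing in it is trusted on its own."""
    vendor_name: str
    requester_email: str
    new_account: str
    callback_phone: str          # the number the email asks you to call back


@dataclass
class Verification:
    """What finance staff actually did, recorded as they did it."""
    number_dialed: str = ""      # must be the number on file, not the one in the email
    vendor_confirmed: bool = False
    approvers: set = field(default_factory=set)


def evaluate(req: BankChangeRequest, vendor: VendorRecord, done: Verification):
    """Return (approved, blockers, warnings). The change is applied only with no blockers."""
    blockers, warnings = [], []
    if req.requester_email.rpartition("@")[2].lower() != vendor.email_domain:
        warnings.append(f"request came from {req.requester_email}, not the vendor domain {vendor.email_domain}")
    if req.callback_phone and req.callback_phone != vendor.phone_on_file:
        warnings.append("email supplies a callback number that differs from the number on file; it was ignored")
    # A callback counts only if it went to the number on file and the vendor said yes.
    if done.number_dialed != vendor.phone_on_file:
        blockers.append("no callback made to the phone number on file")
    elif not done.vendor_confirmed:
        blockers.append("vendor did not confirm the change on callback")
    if len(done.approvers) < 2:
        blockers.append(f"dual approval required, have {len(done.approvers)}")
    if req.new_account == vendor.bank_account:
        warnings.append("requested account matches the account already on file")
    return (not blockers, blockers, warnings)


NORTHWIND = VendorRecord("Northwind Supply", "northwind-supply.com", "+1-555-0100", "CA-0001")
# Constructed request from a lookalike domain, carrying the attacker's own phone number.
FRAUD_REQUEST = BankChangeRequest("Northwind Supply", "billing@northwlnd-supply.com", "CA-9999", "+1-555-0199")
LEGIT_REQUEST = BankChangeRequest("Northwind Supply", "billing@northwind-supply.com", "CA-2222", "")


def attacker_path():
    """Staff called the number in the email (the attacker answered) and one manager signed off."""
    done = Verification(number_dialed="+1-555-0199", vendor_confirmed=True, approvers={"m.chen"})
    return evaluate(FRAUD_REQUEST, NORTHWIND, done)


def policy_path():
    """Staff followed the rule: called the number on file, where the real vendor denied any change."""
    done = Verification(number_dialed="+1-555-0100", vendor_confirmed=False, approvers={"m.chen", "r.okafor"})
    return evaluate(FRAUD_REQUEST, NORTHWIND, done)


def legit_path():
    """A genuine change, confirmed on the number on file and approved by two people."""
    done = Verification(number_dialed="+1-555-0100", vendor_confirmed=True, approvers={"m.chen", "r.okafor"})
    return evaluate(LEGIT_REQUEST, NORTHWIND, done)


if __name__ == "__main__":
    for label, outcome in [("attacker path", attacker_path()), ("policy path", policy_path()),
                           ("legitimate", legit_path())]:
        approved, blockers, warnings = outcome
        print(f"{label}: approved={approved} blockers={blockers} warnings={warnings}")
```

The warnings are informational on purpose: a real vendor may have changed its email domain or phone number, and a lookalike domain is already covered by the sender checks earlier on the page. What decides the outcome is whether someone dialed the number on file and whether a second person approved, which is exactly what the attacker cannot control from inside an email.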
FAQ
How is social engineering different from hacking?
Traditional hacking exploits technical weaknesses in software or systems. Social engineering exploits human psychology instead — manipulating people into granting access, sharing information, or sending money. It often requires no technical skill at all. Because it bypasses firewalls and antivirus by targeting staff directly, awareness and verification habits are the primary defence rather than technology alone.
Why is social engineering so effective?
It exploits deep human instincts — to trust authority, help others, and respond to urgency or fear. These reactions are hard to switch off, and attackers craft scenarios that feel completely legitimate. Even security-conscious people can be fooled by a convincing, well-timed request. That's why ongoing training and a habit of verifying unusual requests are essential defences.
How can employees protect against social engineering?
Stay sceptical of unexpected requests, especially those involving money, passwords, or urgency. Verify independently by contacting the person through a known, separate channel before acting. Never share credentials or approve payments based on a single email or call. Report anything suspicious promptly. Combined with MFA and regular training, these habits stop most social-engineering attacks.