Secure or Scam? How to Spot Social Engineering Attacks
Welcome Readers!
As I prepare for the CompTIA Security+ certification, I’ve realized that sometimes the most accessible attack vector isn’t code — it’s human behavior.
Cybercriminals don’t always break in through firewalls — they often just ask you for the keys.
This post dives into how social engineering works, the psychological tricks hackers use, and how you can outsmart them.
What is Social Engineering?
Social engineering is the art of manipulating people into giving up confidential information, access, or taking risky actions. Attackers don’t need to hack a system if they can hack you.
Attackers often use emotional exploitation to create feelings of fear or urgency. An example of this is someone receiving an “Act now or your account will be suspended.” message from their phone provider. This triggers a panic response that may cause people to act without thinking, giving away access to sensitive information.
Attackers may also pretend to be someone in authority. An example is a worker receiving a message from the “IT department” saying that a problem was detected with their account and that their login credentials are needed to fix it.
These attacks can also take physical forms, such as tailgating, where an unauthorized person follows an authorized person into a restricted area without presenting any credentials.
Examples of Social Engineering Attacks
Below are two examples of social engineering attacks through both the digital and physical attack vectors.
Example 1: Phishing Email — “HR Policy Update”
Here is a screenshot from CanIPhish
We see that the threat actor is masquerading as someone of authority (HR), hoping to trick the user by taking advantage of what would normally be a routine check of company benefits. The button would likely lead to malware or to a page designed to steal the user’s credentials.
Example 2: Tailgating Scenario
It’s 8:53 a.m. and employees are filing into the building just before the workday begins. Lisa, a junior developer, is juggling her laptop bag, phone, and a half-full coffee cup. As she swipes her badge at the side entrance, a man in business casual approaches briskly behind her.
“Oh man, thank you!” he says, slightly out of breath. He’s holding a coffee that’s dripping down his hand and a box labeled “IT Equipment – RMA Returns.”
“Sorry, I spilled this in the car and I’m late getting this stuff to the helpdesk. Appreciate you!”
Caught off guard and seeing the familiar cardboard Dell box, Lisa holds the door. He smiles and walks in. He doesn’t swipe a badge. She assumes he’s with IT.
He thanks her again, walks quickly past reception, and disappears down the hallway—unquestioned, unauthenticated.
What Went Wrong?
No badge was checked. The attacker used everyday relatability (a coffee spill) to disarm suspicion. There was also a sense of urgency: the spill and his lateness pushed Lisa to react quickly and avoid awkwardness. Lastly, there was social pressure, since Lisa didn’t want to seem rude by stopping him.
Defenses That Work
Recognizing the trick is half the battle. The other half is building habits that resist manipulation. Here are some tips:
When receiving a suspicious message or phone call: Slow down. Urgency is a red flag.
Always be sure to verify requests through a second channel. Don’t be afraid to say “no” or escalate. Remember Lisa’s story.
And lastly, be sure to trust your instincts — if it feels off, it probably is.
Conclusion
In cybersecurity, we defend systems. But to defend people, we need to understand them. Social engineering shows us how humans — not just machines — are part of the attack surface.
This touches on Domain 1 of the CompTIA Security+, which covers social engineering tactics because they are foundational threats. As I continue preparing for the Security+ exam, I’ll keep exploring the human side of hacking — and sharing what I learn so you can stay safe, too.