Social engineering is the use of deception and pressure to make someone perform an unsafe action, such as sharing a code, approving a sign-in, installing software, or changing payment details.
It works by exploiting trust and time pressure, not by exploiting a software bug.
Why it matters for account recovery
Many account takeovers and fraud events start as social engineering. Attackers want you to pick the verification method for them, usually a method they can intercept or control.
If you treat verification as a procedure instead of a vibe check, most social engineering attempts collapse quickly.
Common failure modes and misconceptions
- Letting urgency choose the channel: Attackers push you into using links, codes, or phone calls that they control.
- Assuming familiarity equals legitimacy: A compromised account can send "normal" messages. Context can be stolen cheaply.
- Treating email as proof of identity: Email is transport, not identity. Verification needs an independent channel.
Safe best practices
- Normalize a verification rule for high-leverage requests: money, access, recovery, and admin changes require an out-of-band check.
- Learn the main delivery variants: phishing, smishing, and vishing.
- Protect the control plane so resets and alerts are not attacker tools (see account takeover).
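The verification rule above, written as a fixed procedure rather than a judgment call. This is an added example, not code from the original page; the request kinds, channel names, and directory entries are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Request kinds the page treats as high leverage: money, access, recovery, admin changes.
HIGH_LEVERAGE = {"payment_change", "access_grant", "account_recovery", "admin_change"}

# Assumption: SMS and voice share the same phone number, so they are not independent
# of each other (a SIM swap controls both). Email and chat are separate families.
CHANNEL_FAMILY = {"sms": "phone", "phone": "phone", "email": "email", "chat": "chat"}

# Directory of record: contact details the verifier looks up, never taken from the
# request itself. Constructed sample data.
DIRECTORY = {"alice": {"phone": "+1-555-0100", "chat": "@alice", "email": "alice@example.test"}}

@dataclass
class Request:
    kind: str                               # e.g. "payment_change"
    requester: str                          # claimed identity
    inbound_channel: str                    # channel the request arrived on
    offered_contact: Optional[str] = None   # callback number or link supplied inside the message
    urgent: bool = False                    # pressure cue; deliberately has no effect on the plan

def verification_plan(req: Request, directory: dict = DIRECTORY) -> dict:
    """Decide how a request must be verified.

    Rules encoded from the page: high-leverage requests need an out-of-band check;
    the inbound channel is transport, not identity, so it is never the verification
    channel; contact details offered in the message are ignored in favour of the
    directory of record; urgency changes nothing.
    """
    if req.kind not in HIGH_LEVERAGE:
        return {"required": False, "channel": None, "reason": "low leverage"}
    known = directory.get(req.requester)
    if not known:
        return {"required": True, "channel": None, "reason": "requester not in directory of record"}
    inbound_family = CHANNEL_FAMILY.get(req.inbound_channel, req.inbound_channel)
    # Independent channel: one we hold on record whose family differs from the inbound one.
    candidates = [c for c in ("phone", "chat", "email")
                  if c in known and CHANNEL_FAMILY[c] != inbound_family]
    if not candidates:
        return {"required": True, "channel": None, "reason": "no independent channel on record"}
    channel = candidates[0]
    return {
        "required": True,
        "channel": channel,
        "contact": known[channel],                    # from the directory, never req.offered_contact
        "ignored_offered_contact": req.offered_contact,
        "reason": "high-leverage request verified out of band",
    }
```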
Social engineering is predictable. The win condition is a verification process that holds under pressure, not perfect judgment in the moment.
