Your firewall is configured. Your antivirus is up to date. Your server is patched. None of it matters if someone emails your accounts team pretending to be the CEO and asks them to transfer $15,000 to a new supplier account. This is social engineering — and it's behind the majority of successful business attacks.
The Verizon Data Breach Investigations Report (DBIR) consistently finds that the human element is involved in over 74% of data breaches. Not software vulnerabilities. Not sophisticated zero-day exploits. People. Being manipulated, deceived, or making a mistake under pressure. That number hasn't meaningfully declined in years because technology keeps improving while human psychology stays roughly constant.
What social engineering actually is
Social engineering is the use of psychological manipulation to get people to take actions or reveal information they otherwise wouldn't. It's as old as con artistry — what's changed is the scale, speed, and targeting precision that modern technology enables. An attacker who would once have had to call you directly can now send thousands of personalised phishing emails in an afternoon, or research your company structure on LinkedIn before crafting a message that sounds exactly like it came from your CTO.
The common thread across all social engineering attacks is exploitation of trust. Attackers impersonate authority figures, create artificial urgency, and leverage information you've made publicly available — your role, your company, your colleagues' names — to manufacture credibility.
The main types you'll encounter
Phishing
The most common and most effective. A deceptive email that appears to come from a trusted source — your bank, a courier service, Microsoft, your own CEO — designed to get you to click a link, enter credentials, or transfer money. Modern phishing is increasingly targeted (called spear phishing) and often indistinguishable from genuine communications. The New Zealand NCSC consistently lists phishing as the top initial access vector for incidents they respond to.
Vishing
Voice phishing — phone calls. An attacker calls pretending to be IT support, your bank's fraud team, IRD, or a senior colleague. The human voice creates a sense of immediacy and authority that email doesn't. With AI voice cloning now accessible to anyone, attackers can convincingly impersonate known individuals using just a short audio sample scraped from social media or a YouTube video.
Pretexting
Building a fabricated scenario (the pretext) to extract information or access. Classic example: an attacker calls your receptionist claiming to be from a vendor who needs to confirm some account details before processing a delivery. The receptionist is just trying to help. The attacker walks away with names, account numbers, or internal process knowledge that can be used in follow-up attacks.
Baiting
Leaving infected USB drives in car parks, lobbies, or near building entrances. It sounds low-tech, but it works. The curiosity to see what's on an unlabelled drive — or a drive labelled "Payroll Q1 2026" — is hard to resist. Plug it in, and you've handed an attacker a foothold on your network.
Tailgating
Physical social engineering — following an authorised person through a secure door without badging in. Usually executed by carrying boxes, appearing distracted, or simply looking like you belong. Smaller businesses are more vulnerable because staff are less likely to challenge an unfamiliar face.
Business Email Compromise (BEC) — a specific social engineering attack where attackers impersonate executives to authorise fraudulent payments — cost businesses globally over USD $2.9 billion in losses in a single year according to FBI IC3 data. This is not a large-enterprise problem. Small businesses are disproportionately targeted because they have less oversight and fewer approval controls.
Why it works — the psychology
Social engineering exploits specific, well-documented psychological triggers. Understanding them makes you better at recognising attacks in the moment.
- Authority: We're conditioned to comply with figures of authority. An email that appears to be from your CEO requesting urgent action bypasses normal scepticism.
- Urgency and scarcity: "You need to do this now or the account will be suspended" short-circuits rational evaluation. Urgency is almost always manufactured.
- Social proof: "Your colleague already confirmed their details" — if others have done it, it must be legitimate.
- Reciprocity: An attacker who does something helpful (fixes a "problem" they created) expects compliance in return.
- Liking and familiarity: We're more compliant with people we like or find familiar. Research into your company before an attack creates artificial familiarity.
How to train against it — practically
Security awareness training doesn't have to be a death-by-PowerPoint compliance exercise. Here's what actually reduces risk:
Run simulated phishing campaigns
Tools like KnowBe4 let you send realistic phishing simulations to your own staff and track who clicks. The goal isn't punishment — it's identifying who needs more support and making the experience of spotting a phishing attempt a regular, low-stakes part of working life. Staff who've been "caught" by a simulation are measurably more vigilant afterwards.
Create a culture of verification
The single most effective behavioural change: normalise calling back to verify unusual requests. If your "CEO" emails asking for an urgent bank transfer, call them on a number you already have — not one provided in the email. A 30-second phone call kills most BEC attacks dead. Make it the expected process, not an insult to the person who sent the request.
Set clear financial controls
Any payment above a set threshold should require approval from two people via two separate channels. This isn't just an accounting control — it's a social engineering control. An attacker can compromise one channel; compromising two simultaneously is much harder.
Red flags to watch for
- Unusual urgency or pressure to act fast
- Requests to bypass normal processes "just this once"
- Unexpected requests involving money, credentials, or access
- Sender addresses that look right but aren't (ghost-routine.com vs ghostroutine.com)
- Anything that arrives out of context, like a courier notification when you haven't ordered anything
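The look-alike sender address is the one red flag a machine can check before a person has to. The following is an added example, not code from the original article or from GhostRoutine: it normalises the domain part of a From: header (hyphens removed, digit-for-letter swaps undone) and compares it against a list of trusted domains by edit distance, so ghost-routine.com, ghostr0utine.com, ghostroutine.co and "ghostroutine.com" used as a subdomain of someone else's domain are all flagged. The trusted domain list and the sample headers are constructed for the example.

```python
# Added example, not part of the original article: flag sender domains that are
# near-misses of domains you trust, e.g. ghost-routine.com vs ghostroutine.com.
from email.utils import parseaddr

# Constructed for this example: the domains you trust and some inbound From: headers.
TRUSTED_DOMAINS = {"ghostroutine.com"}
SAMPLE_FROM_HEADERS = [
    "Jane Smith <jane@ghostroutine.com>",
    "Jane Smith <jane@ghost-routine.com>",
    "Jane Smith <jane@ghostr0utine.com>",
    "Jane Smith <jane@ghostroutine.co>",
    "Jane Smith <jane@ghostroutine.com.secure-login.example>",
    "Courier Notifications <noreply@parcel-tracking.example>",
]

# Characters attackers swap for look-alikes. Both sides are normalised the same
# way, so the mapping only has to be consistent, not complete.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(host: str) -> str:
    h = host.lower().translate(_HOMOGLYPHS).replace("-", "")
    return h.replace("rn", "m").replace("vv", "w")

def levenshtein(a: str, b: str) -> int:
    """Edit distance: one insertion, deletion or substitution counts as one typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted: set[str] = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain part of an address."""
    host = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return "trusted"  # the trusted domain itself, or a real subdomain of it
    for t in trusted:
        if host.startswith(t + "."):
            return "lookalike"  # trusted name used as a subdomain of another domain
        if levenshtein(normalise(host), normalise(t)) <= 1:
            return "lookalike"  # hyphen, digit-for-letter or single-typo variant
    return "unknown"

def check_from_header(from_header: str, trusted: set[str] = TRUSTED_DOMAINS) -> tuple[str, str]:
    """Parse a From: header and classify the address that replies would actually reach."""
    _display_name, address = parseaddr(from_header)
    return address, classify_sender(address, trusted)

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        address, verdict = check_from_header(header)
        print(f"{verdict:9s} {address}")
```

An "unknown" verdict is not a pass: it only means the domain is not a near-miss of one you trust, so the call-back verification described above still applies.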
Physical security isn't optional
Brief all staff on tailgating — it's okay to politely challenge someone who has followed you through a door. Establish a visitor sign-in process. Don't leave sensitive documents on desks or screens visible through windows. These feel obvious until you realise most breaches happen because the obvious things weren't done.
The uncomfortable truth about social engineering is that no amount of technology fully stops it. Your best defence is a team that's been trained to pause, verify, and question — particularly when something feels even slightly off. That reflex can be developed. It just has to be intentionally built, not assumed.
Security starts at your front door — digital and physical. GhostRoutine builds websites with security fundamentals built in. If you want to understand your current exposure, let's talk.