What is social engineering?

The term ‘social engineering’ refers to the use of human psychology to manipulate people for a particular end. As traditional cyber security has become increasingly effective, hackers have turned to social engineering as their primary means of getting around hardened infrastructure and gaining access to privileged systems. The most successful and damaging attacks now all begin this way.


Skilled social engineers begin by analyzing OSINT to look for targets. OSINT stands for open-source intelligence and can be any information about an individual or organization that is publicly available, whether online, in print, or through other media. This data tells the social engineer who is valuable and easy to compromise. The social engineer weighs the data to select a target, and then uses that target’s data to create an attack plan. This plan will invariably involve manipulating someone into willingly handing over either personal information or an organization’s proprietary secrets and sensitive data.

How a social engineer operates…


Before an attack begins

The social engineer searches for information and selects a vulnerable target


Attack is crafted

The target’s data is used to create a compelling story that will trick the target



The social engineer uses one of several means, such as an email, social media, or a phone call, to contact the target and establish trust


Organization Breach

With a convincing enough communication, the victim is fooled, and the attacker has gained an initial foothold and breached the organization



The hacker now has access to wreak havoc with business email compromise, ransomware, etc.


Social engineers are opportunists

They care about their return on investment and go after the targets that their data engines choose as the most vulnerable and valuable. Their methods of spear phishing through social media, business email compromise and impersonation attacks – the sources of billions in annual cyber-crime – remain effective today. Existing solutions do not stop these attacks because they sidestep traditional cybersecurity defenses, relying on employees’ access to systems rather than trying to break into the systems wholesale. Social engineering happens because publicly available data indicates to an attacker that there is an economic incentive to go after a target.


With Picnic, businesses can finally harden their ‘human data layer’

We identify vulnerabilities in an individual’s data footprint before hackers do, to stop them from finding a way in.