Why Human Attacks Are So Effective
Attackers follow the path of least resistance. Technical defences — firewalls, antivirus, MFA — have improved dramatically over the past decade. The path of least resistance has shifted to humans.
Verizon's annual Data Breach Investigations Report consistently finds that the majority of breaches involve a human element — whether phishing, stolen credentials, or social engineering. People are being targeted because technical barriers have made the alternative harder.
Social engineering exploits universal human tendencies: the desire to be helpful, the fear of consequences, the inclination to trust authority, and the discomfort with confrontation. These aren't character flaws — they're normal human behaviours that attackers have learned to weaponise.
The Five Tactics
Understanding how each attack works is the foundation of recognising it in real time.
Phishing
Email-based. An attacker sends an email impersonating a trusted party — your bank, Microsoft, a supplier, or even a colleague. The email creates urgency (your account is locked, an invoice is overdue, a package is waiting) and pushes the recipient to click a link or download an attachment.
Common variants
- Spear phishing — highly personalised, researched, targeting a specific individual
- Whaling — targeting executives (CEO, CFO) specifically
- Clone phishing — an exact copy of a real email you received, with the link replaced
How to spot and stop it
Hover before clicking any link and compare the destination with the text shown. Check the actual sender address and its domain, not just the display name, and be wary of look-alike domains that differ by a character. Unexpected urgency is a red flag. When in doubt, call the sender directly using a number you already know, not one given in the email.
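The three checks above can be automated. The following is an added example written for this page, not Kapacyber's own tooling: a small Python script that parses a raw email and flags a display name claiming a brand whose domain does not match the real sender domain, urgency phrases in the subject, and a link whose visible text is a URL on a different domain from its href. The two sample messages, the TRUSTED_BRANDS and URGENCY_PHRASES lists, and the two-label registrable_domain helper are constructed assumptions for the example.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims Microsoft,
# the real sender domain is a look-alike, and the first link's visible text
# shows a microsoft.com URL while its href points at the look-alike domain.
PHISH_EMAIL = b"""\
From: "Microsoft Account Team" <security-alert@micros0ft-login.example>
To: jane@corp.example
Subject: Action required: your account will be locked in 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Unusual sign-in detected. Verify now or your account will be locked.</p>
<p><a href="https://login.micros0ft-login.example/verify?u=jane">https://login.microsoft.com/verify</a></p>
<p><a href="https://support.microsoft.com/help">Help centre</a></p>
</body></html>
"""

# Constructed benign sample for comparison: sender and link domains agree.
LEGIT_EMAIL = b"""\
From: "Microsoft" <noreply@account.microsoft.com>
To: jane@corp.example
Subject: Your monthly account summary
Content-Type: text/html; charset="utf-8"

<html><body><p>Your summary is ready.</p>
<p><a href="https://account.microsoft.com/summary">View summary</a></p></body></html>
"""

# Assumptions for the example: brands we expect in display names, with the
# domains they legitimately send from, and phrases that signal manufactured urgency.
TRUSTED_BRANDS = {"microsoft": {"microsoft.com"}}
URGENCY_PHRASES = ("action required", "locked", "suspended", "within 24 hours", "immediately")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname. Good enough here; production code should
    use the public suffix list so that e.g. 'example.co.uk' is handled."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyse(raw_message):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # Check 1: display name vs. actual sender domain ("check the actual sender domain").
    display_name, address = parseaddr(str(msg["From"]))
    sender_domain = address.rpartition("@")[2].lower()
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in display_name.lower() and registrable_domain(sender_domain) not in domains:
            findings.append(f"display name mentions '{brand}' but sender domain is {sender_domain}")

    # Check 2: manufactured urgency in the subject line.
    subject = str(msg["Subject"] or "").lower()
    hits = [p for p in URGENCY_PHRASES if p in subject]
    if hits:
        findings.append("subject uses urgency language: " + ", ".join(hits))

    # Check 3: link text that looks like a URL but whose href goes elsewhere
    # (the programmatic version of "hover before clicking").
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if text.startswith(("http://", "https://")):
                shown = urlparse(text).hostname or ""
                actual = urlparse(href).hostname or ""
                if registrable_domain(shown) != registrable_domain(actual):
                    findings.append(f"link text shows {shown} but href goes to {actual}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, analyse(raw) or "no findings")
```

Run it and the constructed phishing message produces three findings while the benign one produces none. The checks are deliberately the same ones a person makes by eye; a mail gateway would add authentication results (SPF, DKIM, DMARC) and reputation data on top of them.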
Vishing
Phone-based. Voice phishing — a caller impersonates IT support, your bank's fraud department, the IRS, or a vendor. They create urgency ('your account shows suspicious activity') and manipulate the target into revealing credentials, transferring funds, or granting remote access to their computer.
Common variants
- Fake IT helpdesk — calls claiming to be internal IT, asks for credentials or remote access
- Bank fraud calls — impersonates your bank, asks you to 'verify' card details
- Executive impersonation — calls posing as your CEO or CFO requesting an urgent wire transfer
How to spot and stop it
Legitimate IT teams and banks never call to ask for your password, a one-time code, or remote access. If you receive such a call, hang up and call the organisation back on a number from their official website or the back of your card, never a number the caller gives you. Caller ID can be spoofed, so a familiar number proves nothing.
Smishing
SMS-based. SMS phishing. Text messages have higher open rates than email, and most people are less suspicious of them. Attackers send texts impersonating delivery services, banks, or two-factor authentication systems to push recipients to click links or reply with sensitive information.
Common variants
- Fake delivery notifications — 'your package is held, click to reschedule'
- Bank alert texts — 'unusual activity detected, verify your identity'
- One-time code harvesting — the attacker triggers a real login, then texts or calls posing as the service and asks the target to reply with the code just received, completing the attacker's sign-in
How to spot and stop it
Never click links in unsolicited texts. Go directly to the organisation's app or website. Legitimate services send one-time codes by text, but they will never ask you to reply with a code or a password; a code you did not request is a sign that someone else is trying to log in as you.
Pretexting
Identity deception. The attacker invents a scenario (a 'pretext') to justify their request. They might pose as a new employee who needs IT help, an auditor requesting financial records, a vendor verifying account details, or a journalist researching your industry. The pretext lowers the target's guard and provides a logical reason for the unusual request.
Common variants
- New employee pretext — 'I just started and can't access the system, can you help?'
- Auditor pretext — 'I'm from corporate compliance, I need the accounts receivable report'
- Vendor pretext — 'We need to update our bank account details for payment'
How to spot and stop it
Verify identity independently before fulfilling any unusual request, especially those involving data access, wire transfers, or changes to payment details. Use contact details you already hold, not those supplied in the request: a quick call to the person's manager, or to the vendor on the number in your existing records, can prevent costly mistakes.
Tailgating
Physical access. Physical social engineering. An attacker gains access to a secure area by following an authorised employee through a controlled door — often by appearing to have their hands full, wearing a uniform, or simply being friendly and confident. Once inside, they can access unlocked workstations, plug in malicious USB drives, or observe sensitive information.
Common variants
- Classic tailgating — following someone through a badge-access door
- Delivery impersonation — posing as a courier to gain physical access
- USB drop attacks — leaving 'lost' USB drives in lobbies or car parks
How to spot and stop it
Every employee should feel empowered to challenge unfamiliar faces in secure areas, politely but firmly, and to hold the door for no one who has not badged in themselves. Never plug in a USB device found outside; hand it to IT. Visitor access should require sign-in and escort at all times, and workstations should lock when unattended.
Psychological Triggers Attackers Exploit
All social engineering attacks rely on one or more psychological levers. Training your team to recognise these is as important as knowing the attack types:
- Authority: the request appears to come from the CEO, IT, or the government. People naturally defer to authority figures.
- Urgency: "Act now or your account will be closed." Rushed decisions bypass careful thinking.
- Fear: "You owe back taxes." "Your computer has a virus." Fear overrides scepticism.
- Reciprocity: the attacker does something helpful first, then makes a request that feels hard to refuse.
- Social proof: "Your colleague Sarah already sent us the files — can you just confirm..."
- Liking: people comply more readily with those they like or find relatable. Attackers study their targets to build rapport.
When employees recognise these triggers in play — especially in combination — it's a strong signal to slow down and verify.
Building a Human Firewall
Technical controls address technical attacks. The defence against social engineering is a trained, vigilant team. That doesn't mean a paranoid one — it means one that knows the playbook and has clear procedures for handling suspicious situations.
Building Your Human Firewall
- Run regular phishing simulations — employees who have practised spotting attacks catch more of them, and the results show where training is needed
- Establish a verbal verification protocol for any financial request, payment-detail change, or data access request
- Create a 'no blame' culture for reporting suspicious contacts — employees must feel safe raising concerns, including after they have clicked
- Implement call-back verification: if someone calls asking for access, hang up and call them back on a number from your own records, not one they provide
- Brief staff on current scams — update training when new tactics emerge
- Make it easy to report: a simple internal email address or Slack channel dedicated to suspicious contacts
The Bottom Line
No technology can fully protect against an employee who has been convinced to hand over access. Social engineering remains one of the most reliable attack vectors because it scales, it's cheap, and it works on humans across all technical environments.
The defence is awareness, process, and culture. Employees who know the tactics, have clear verification procedures, and feel safe reporting suspicious contacts without judgement are your strongest asset. That's what security training builds — not just awareness, but the reflex to pause.
Related reading: The 3 phishing techniques targeting your employees right now and the BEC guide.
Is Your Team Trained to Spot These?
Security awareness training is included in every Kapacyber plan. Get a free assessment to see where your team stands.