Phishing and Social Engineering

You can lock a house with the strongest deadbolt money can buy — but if a stranger knocks, says "I'm here to read the meter," and you simply open the door, the lock never mattered. Attackers know this. Instead of fighting a computer's defences, they often go after the easiest way in: the person using it.

Social engineering is the art of tricking people — not machines — into giving away information or access they shouldn't. There's no clever hacking of code; the attacker manipulates human feelings like trust, fear, curiosity or the wish to be helpful. Security experts call the alert, sceptical human being the "human firewall", because in the end a person is the last line of defence — and often the first thing an attacker tries to get past.

Phishing: the everyday attack

By far the most common form of social engineering is phishing: sending fake emails or texts, or setting up fake websites, that pretend to be a trusted organisation — your bank, a delivery company, a games platform, your school — to fool you into handing over passwords, card details or other secrets. The word is a play on "fishing": the attacker dangles convincing bait and waits for someone to bite.

A phishing email usually pushes you to click a link that leads to a counterfeit login page. It looks just like the real site, but anything you type goes straight to the attacker. You think you've logged in; in reality you've just handed over your username and password.
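The counterfeit-link trick described above leaves traces a defender can check for: the link's visible text names one site while its real destination is another, the destination host is a lookalike of a genuine brand domain, the sender's address does not belong to the organisation the display name claims, and the wording pushes the reader to act at once. The following is an added example, not code from the original page: a small checker that reports those signs in a constructed sample email. The brand directory (`KNOWN_BRANDS`), the urgency phrases and the sample message are all made up for the example, and `registered_domain` deliberately uses a two-label simplification instead of a public-suffix list.

```python
# Added example (not from the original page): flag common phishing indicators
# in an email. All brand data, phrases and the sample message are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

# Hypothetical brand directory: display-name fragment -> genuine registered domain.
KNOWN_BRANDS = {"example bank": "examplebank.com"}
# Constructed list of pressure phrases typical of "act now" bait.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended", "verify now")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (a simplification; real code uses a public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host: str) -> Optional[str]:
    """Return the brand a host imitates, or None if it is genuine or unrelated."""
    reg = registered_domain(host)
    for brand, genuine in KNOWN_BRANDS.items():
        if reg == genuine:
            return None  # the real domain (or a subdomain of it)
        brand_label = genuine.split(".")[0]
        # 'examplebank.com.secure-login.net' embeds the brand as a subdomain label.
        if brand_label in host.lower().split("."):
            return brand
        # 'examp1ebank.com' is one edit away from the genuine domain.
        if edit_distance(reg, genuine) == 1:
            return brand
    return None


def analyse(raw_email: str) -> List[str]:
    """Return human-readable warning signs found in a single-part HTML email."""
    msg = message_from_string(raw_email)
    findings = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(address.rsplit("@", 1)[-1]) if "@" in address else ""
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in display_name.lower() and sender_domain != genuine:
            findings.append(f"sender claims to be {brand!r} but mails from {sender_domain}")

    text = msg.get_payload()
    for href, visible in ANCHOR_RE.findall(text):
        real_host = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", visible).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        # Visible text that looks like a URL but names a different site than the href.
        if "." in shown_host and registered_domain(shown_host) != registered_domain(real_host):
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        brand = is_lookalike(real_host)
        if brand:
            findings.append(f"link host {real_host} imitates {brand}")

    lowered = text.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"pressure to act: {phrase!r}")
    return findings


# Constructed sample message imitating the hypothetical "Example Bank".
SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@mail-notice.net>
To: customer@example.org
Subject: Action required: verify your account
Content-Type: text/html

<p>We detected unusual activity. Your account will be suspended within 24 hours
unless you verify now.</p>
<p><a href="https://examplebank.com.secure-login.net/verify">https://www.examplebank.com/login</a></p>
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run as a script, the checker lists each sign separately, so a reader can see which of the clues in the page's description the sample message exhibits. The lookalike test is deliberately narrow (an embedded brand label or a single-character edit); a production filter would also compare against a public-suffix list and handle Unicode homoglyphs.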

Sometimes attackers do. Ordinary phishing is like casting a huge net — the same message blasted to millions, hoping a few bite. Spear phishing is aimed at one person, using real details (your name, your manager, a project you're working on) to seem far more believable. When the target is a rich or powerful individual — a chief executive, say — it even has a name: whaling. The more personal the bait, the harder it is to spot.

Spot the fake: tell-tale signs

Real phishing messages leak clues. Below is a fake email pretending to be from a bank. Step through the figure to reveal the warning signs — then you'll be able to spot them in the wild.

The classic warning signs, in one list:

What to do about it

Spotting a phish is only half the job — knowing how to respond is the other half:

Social engineering attacks people, not software. The very best antivirus, firewall and encryption in the world will not save you if a human is simply persuaded to hand over a password or click a malicious link — the attacker walks straight through the front door you opened for them. That's why technology alone is never enough. When a message pressures you to act right now, that urgency is itself the red flag: slow down, stop, and verify through a channel you trust before you do anything.

Beyond the inbox: other tricks

Phishing lives on screens, but social engineers use plenty of low-tech tactics too. They all rely on exploiting human nature rather than breaking software:

Constantly. Many of the biggest data breaches in history didn't start with genius code-breaking — they started with one convincing email or phone call to one employee. Attackers have posed as bosses to trick finance staff into wiring huge sums, and as help-desk workers to reset the passwords of people who never questioned the friendly voice. It's a sobering reminder that the cheapest, most reliable "hacking tool" is a good story told to a trusting human.