Threat Intelligence · May 10, 2026 · 8 min read

Social Engineering & Human Factor in Cyber Security

By Satendra Gaundar


Introduction: Our Online Dependency

The internet has become central to our daily lives. We shop, bank, socialise, and manage our homes through connected devices. During the COVID-19 pandemic, this dependency deepened dramatically as work, education, and healthcare migrated online.

Yet there is a curious disconnect in how we approach security. We lock our cars, set alarms for our homes, and secure our physical belongings without a second thought. But online security often takes a back seat, because an online threat is not tangible and we don't always perceive it as a "danger".


What Is Social Engineering?

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. At its core, it answers a simple question: why spend months developing sophisticated hacking tools when you can simply ask people for the information you need?

The most effective security system in the world can be bypassed not by breaking the technology, but by exploiting the human operating it.

Common Social Engineering Vectors

| Vector | Description | Example |
|---|---|---|
| Phishing | Emails impersonating reputable companies or individuals | An email claiming to be from your bank asking you to verify your account |
| Spoofing | Using email addresses or caller IDs nearly identical to legitimate ones | [email protected] instead of [email protected] |
| Vishing | Voice phishing over phone calls | A caller posing as IT support asking for your password |
| Pretexting | Creating a fabricated scenario to steal information | Posing as a vendor to obtain internal documents |
| Baiting | Offering something enticing to trigger an action | A "free" USB drive left in a parking lot |

The Core Solution: Education & Awareness

While technology plays a role in defence — spam filters, endpoint protection, multi-factor authentication — the primary defence against social engineering is awareness.

Attackers constantly evolve their scenarios. The well-known "Microsoft tech support" scam has given way to more sophisticated pretexts involving cloud storage breaches, licence violations, and urgent account recovery flows. A user trained to recognise the patterns of social engineering — urgency, authority, unusual requests — is far more effective than any technical control alone.

Proposed Public Awareness Measures

  1. In-device Education — Just as health warnings appear on product packaging, cybersecurity awareness materials could be included inside new devices. When you unbox a laptop, a card explaining phishing risks could be as standard as a safety manual.

  2. OS-Integrated Training — Microsoft, Apple, and Google have the reach to embed basic security awareness into their operating systems, with regular bite-sized updates — similar to how software updates are prompted.

  3. Free Public Training — Non-technical, accessible online training should be available to the general public. Not everyone needs to understand encryption, but everyone should recognise a phishing email.

  4. Parent-Led Education — Parents should use these same tools and conversations to teach children about internet safety from an early age, building a generation that is security-conscious by habit.


A Call to Action

Social engineering is not a problem that can be solved with a single software patch or hardware upgrade. It requires a cultural shift in how we think about online interactions.

Talk about social engineering in everyday conversations — over coffee, at a BBQ, in team meetings. The more we normalise security awareness as part of daily life, the harder we make it for attackers to exploit the human factor.

"The most expensive firewall in the world can't stop an employee from clicking 'Accept' on the wrong dialog box."

Be vigilant. Verify before you trust. And remember: in cybersecurity, the human is both the weakest link and the strongest defence.
