How Social Engineering Works (And Why Smart People Fall for It)
Here's a comforting lie: "Only gullible people fall for scams." And here's the uncomfortable truth: social engineering has successfully tricked lawyers, IT professionals, bank managers, and even cybersecurity researchers. Intelligence has very little to do with it.
So why do smart people fall for it?
What is social engineering?
Social engineering is the art of manipulating people into doing something — sharing information, making a payment, granting access — by exploiting psychological vulnerabilities rather than technical ones.
It doesn't hack your computer. It hacks you.
The techniques are drawn directly from psychology: authority, urgency, social proof, reciprocity, liking, and scarcity. These are the same tools used by salespeople, negotiators, and (yes) good marketers. Scammers just use them to steal things.
The six weapons of social engineering:
1. Authority — "This is the ATO calling." "I'm from head office." "This is your bank's fraud department." We're conditioned to comply with authority figures. Scammers exploit this by impersonating anyone with perceived power.
2. Urgency — "Act now or your account will be closed." Urgency disables careful thinking. The more pressure you feel to respond immediately, the less time you spend questioning whether the request is legitimate.
3. Social proof — "All your colleagues have already submitted their credentials." "Other employees have verified this." We look to others for cues on how to behave. If "everyone else" is doing it, it seems safe.
4. Reciprocity — "I've done this favour for you, now I need you to do something for me." A small act of helpfulness creates a sense of obligation that scammers exploit.
5. Liking — We're more likely to comply with requests from people we like or who seem like us. Scammers build rapport quickly, mirroring your language and interests, before making their ask.
6. Scarcity — "This offer expires in 10 minutes." Scarcity triggers action. It short-circuits our tendency to pause and think.
Why smart people fall for it:
Because these techniques bypass logic. They operate at the emotional and instinctive level of decision-making. A lawyer who'd meticulously review a contract can still be panicked into clicking a link by a well-crafted "your account is suspended" email — because the panic response doesn't wait for the rational mind to catch up.
How to defend against it:
- Recognise the triggers. When you feel sudden pressure, authority, or urgency — pause. That feeling is the technique working on you.
- Slow down. Most social engineering attacks require immediate action. Slowing down breaks the spell.
- Verify through a different channel. Don't use the phone number or email address supplied in the message — use an independent one that you already know to be genuine.
- Build a "suspicious by default" culture at work. Not paranoid, just appropriately sceptical of unusual requests.
Think you can spot a phish?
Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.