Social engineering: why attackers go after your people, not your firewall
Most break-ins don't start with clever code. They start with a convincing message that gets a real person to open the door. That is social engineering, and understanding it is half the defense.
When people picture a cyberattack, they picture code: someone in a hoodie breaking through a firewall. The reality is far more ordinary. Most attacks start with a message that convinces a real person to do something they shouldn't — click a link, approve a payment, hand over a password. The technical term is social engineering, and it is the single most common way small businesses get breached.
Hacking the person, not the system
Software has gotten harder to break into. Operating systems patch themselves, email filters catch known threats, and multi-factor authentication blocks stolen passwords. So attackers went around the technology and aimed at the part that hasn't changed in thousands of years: human judgment under pressure.
Social engineering is just manipulation with a goal. The attacker doesn't need to defeat your security if they can convince someone with access to defeat it for them. An employee who forwards a file, an owner who approves a wire transfer, a bookkeeper who updates a supplier's bank details — each one is a door, and the attacker's whole job is getting that person to open it willingly.
The levers they pull
Almost every social-engineering attack leans on the same handful of human instincts. Once you can name them, you start spotting them.
- Authority. A message that appears to come from the boss, the bank, or "IT" carries built-in pressure to comply. We're trained not to question authority.
- Urgency. "The account will be suspended in one hour." "The payment has to go out before close of business." Urgency is designed to stop you from pausing — because pausing is exactly when people notice something is off.
- Trust and familiarity. A message that uses a real name, a real logo, or references a real project feels legitimate. Attackers research their targets precisely so they can borrow that familiarity.
- Helpfulness. Most people want to be useful. "Can you quickly send me the staff list?" works because saying no feels rude.
- Fear. A fake security alert or a threat of consequences pushes people to act first and think later.
None of these are weaknesses in your team. They're normal, healthy human traits. The attacker's skill is in turning them against the moment.
What it looks like in a small business
Social engineering wears many outfits. A phishing email pretending to be a Microsoft login page. A phone call from "your bank's fraud department." A text with a delivery-tracking link. A LinkedIn message from a fake recruiter. A new "supplier" who emails to update their payment details right before an invoice is due.
The common thread is never the technology — it's the request. Someone wants you to act, and they want you to act now, on their channel, without checking. That request is the whole attack.
The defense is a habit, not a tool
You cannot patch a human, but you can give your team a simple reflex: when a message asks you to move money, change credentials, or share sensitive information, slow down and verify on a channel you already trust. If "the CEO" emails asking for a wire transfer, call the CEO on their known number. If "the bank" calls, hang up and dial the number on your card. Verifying takes thirty seconds and breaks nearly every social-engineering attack, because the attacker can only control the channel they reached you on.
Make it safe for people to check and even to be wrong. The businesses that get burned are usually the ones where an employee suspected something but didn't want to look paranoid or slow.
Technology still matters, because it limits the damage when a trick does land. Tenant Strike checks the Microsoft 365 settings that decide how far a successful con can spread — whether multi-factor authentication is truly required, whether sneaky inbox-forwarding rules are possible, whether a single approval can hand over too much. It reads your settings in five minutes and shows, in plain English, where a moment of misplaced trust would cost you the most.
AI-researched from public sources. We label AI-assisted writing — see our trust page.
See your own risk
Want this for your own Microsoft cloud?
Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.