10 Types of Social Engineering Attacks: The Complete 2026 Guide
The 10 types of social engineering attacks in 2026 — phishing, vishing, pretexting, deepfakes, and more. Learn how they work and what defenses actually stop them.
The 10 Types of Social Engineering Attacks
1. Phishing
Phishing is mass-volume deceptive email designed to trick recipients into clicking malicious links, opening infected attachments, or entering credentials into fake login pages. Despite being the most familiar social engineering technique, phishing remains among the most common initial access vectors for cyberattacks because volume compensates for low individual success rates: a campaign sent to 10,000 employees needs only a 0.1% success rate to compromise 10 accounts, and one compromised account is enough to start an intrusion.
2. Spear Phishing
Spear phishing is targeted phishing crafted for specific named individuals using personal information gathered from LinkedIn, breach databases, company websites, and social media. A spear phishing email to a CFO that references a specific acquisition, uses internal terminology, and appears to originate from the CEO's actual email domain is a precision instrument. AI-generated spear phishing content has dramatically raised the quality ceiling, eliminating the grammatical and stylistic errors that once served as reliable indicators.
3. Vishing (Voice Phishing)
Vishing uses phone calls to manipulate victims into providing credentials, MFA codes, or sensitive information. The MGM Resorts breach began with a vishing call to the corporate help desk: Scattered Spider obtained an MFA reset by impersonating an employee, using personal information harvested from public profiles and breach databases to pass the help desk's knowledge-based identity checks. AI voice cloning, which can produce a convincing replica of a specific person's voice from a short sample of recorded audio, has made vishing dramatically more convincing and harder to detect by ear.
4. Smishing (SMS Phishing)
Smishing delivers phishing attacks via SMS. Mobile users click links in text messages more readily than in email: mobile security awareness is lower, mobile devices are more personal, text messages carry implied urgency, and a shortened URL on a small screen is hard to inspect before tapping. SMS also has no sender-authentication mechanism comparable to email's SPF, DKIM and DMARC, so a spoofed or look-alike sender name is cheap to produce. Smishing campaigns impersonating delivery notifications, banking alerts, and MFA verification requests are among the most effective mass-volume attack vectors.
5. Pretexting
Pretexting involves creating a fabricated scenario — a pretext — to manipulate a victim into providing information or access. An attacker who calls an employee pretending to be an IT auditor conducting a compliance review, an HR administrator processing payroll information, or a vendor representative needing system access is using pretexting. The scenario is false; the victim's response to a seemingly legitimate authority figure is predictably cooperative.
6. Baiting
Baiting exploits curiosity or greed by offering something desirable — a USB drive found in a parking lot, a free software download, an enticing offer — that delivers malware when the victim interacts with it. USB baiting — leaving malware-laden drives in locations where target organization employees will find them — has a documented success rate that consistently surprises security teams when tested in controlled exercises.
7. Quid Pro Quo Attacks
Quid pro quo attacks offer a service in exchange for information. An attacker posing as IT support who calls employees offering to help fix a problem they invented — and asking for credentials or remote access to "resolve" it — is executing a quid pro quo attack. The victim receives apparent help; the attacker receives access.
8. Tailgating and Piggybacking
Physical social engineering, gaining unauthorized physical access to secured facilities by following authorized personnel through access-controlled entry points, is a consistently underestimated attack vector in cyber risk assessments that focus exclusively on digital threats. Physical access to an unattended workstation, a server room, or a network closet bypasses the perimeter and remote-access controls that most digital assessments measure; an unlocked session, an open network port, or an unencrypted disk turns that access directly into data access.
9. Watering Hole Attacks
Watering hole attacks compromise websites that specific target individuals or organizations are known to visit, such as trade association sites, industry news sources, and specialized forums. When a target employee visits the compromised site, it serves a browser exploit or a malicious download, often only to visitors from the target's IP ranges so that other visitors and researchers never see the payload. The technique is associated primarily with nation-state actors who invest in reconnaissance to identify trusted sites for their specific targets.
10. Deepfake and AI-Enhanced Social Engineering
Deepfake video and audio attacks represent the emerging frontier of social engineering. A documented 2024 case involved a finance employee at a multinational firm who was manipulated into transferring $25 million after a video call with what appeared to be the company's CFO — who was, in reality, an AI-generated deepfake. As deepfake quality and accessibility improve, the attack surface for executive impersonation, board-level fraud, and authentication bypass through video verification expands significantly.
Why Social Engineering Succeeds: The Psychological Foundation
Social engineering exploits predictable patterns of human psychology rather than technical vulnerabilities. Authority bias causes people to comply with requests from apparent authority figures — managers, IT administrators, executives, auditors — without fully evaluating the legitimacy of the request. Urgency reduces deliberation — an attacker who creates time pressure pushes victims to act before evaluating carefully. Social proof — the implicit suggestion that other people have already done something — reduces resistance. And reciprocity — the instinct to return favors — makes the quid pro quo attack reliably effective.
Defending Against Social Engineering: What Actually Works
Security awareness training is the most commonly deployed defense against social engineering and the least effective when deployed as a compliance exercise. Annual training that presents phishing examples and asks employees to identify red flags produces knowledge that is quickly forgotten and applied inconsistently under the cognitive load of normal work. Training that uses realistic simulations — phishing exercises, vishing tests, physical tailgating assessments — with immediate feedback and reinforcement produces more durable behavioral change.
But awareness training cannot be the primary defense against social engineering, because social engineering is specifically designed to succeed against aware people. The MGM help desk employees who facilitated the breach were not unaware of social engineering — they were operating according to verification procedures that were insufficient against a well-prepared attacker with breach database access. The design of verification processes is more important than the awareness of the people executing them.
Process design, specifically identity verification procedures for high-risk help desk actions, is the control that most directly addresses social engineering risk. Knowledge factors (date of birth, SSN digits, employee ID) should carry no weight in MFA reset verification, because they are available in breach databases. Verification should instead require cryptographic proof, confirmation on an already-enrolled hardware token, or a manager callback through a known-good channel, meaning a number taken from the directory rather than one the caller supplies. This addresses the specific verification gap that Scattered Spider exploited across multiple organizations.
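The verification gap described above can be made concrete as a small model of the help desk reset workflow. This is an added example, not code from the page or from any real help-desk product; the directory records, user names and phone numbers are constructed for illustration. It contrasts the exploited pattern (knowledge questions answered from whatever the caller says) with a policy in which caller statements are evidence for nothing and the callback must reach the manager at the number the directory already holds.

```python
"""Help-desk MFA reset verification: the exploited pattern beside a hardened one.

Constructed example. The invariant the hardened policy enforces:
  - knowledge factors (DOB, employee ID, SSN digits) carry no weight;
  - a callback counts only if it was dialed to the directory number
    for the user's manager, never to a number the caller offered.
"""
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"              # breach-database material; worth nothing
    HARDWARE_TOKEN = "hardware_token"    # confirmation on an already-enrolled token
    MANAGER_CALLBACK = "manager_callback"  # manager reached at directory number


@dataclass(frozen=True)
class DirectoryRecord:
    user: str
    dob: str
    employee_id: str
    phone_on_file: str
    manager: str


# Constructed sample directory (hypothetical people and numbers).
DIRECTORY = {
    "jdoe": DirectoryRecord("jdoe", "1985-03-14", "E10234", "+15555550101", "asmith"),
    "asmith": DirectoryRecord("asmith", "1979-11-02", "E10001", "+15555550199", "cboard"),
}


@dataclass
class ResetRequest:
    user: str
    caller_claims: dict                       # everything the caller said; trusted for nothing
    confirmed: set = field(default_factory=set)  # factors established out of band
    audit: list = field(default_factory=list)


def weak_verify(req: ResetRequest) -> bool:
    """The exploited pattern: pass if the caller recites DOB and employee ID correctly."""
    rec = DIRECTORY[req.user]
    ok = (req.caller_claims.get("dob") == rec.dob
          and req.caller_claims.get("employee_id") == rec.employee_id)
    req.audit.append(f"weak: knowledge check {'passed' if ok else 'failed'}")
    return ok


def manager_callback(req: ResetRequest, number_dialed: str) -> bool:
    """Record a manager callback only if it went to the manager's directory number."""
    manager = DIRECTORY[DIRECTORY[req.user].manager]
    if number_dialed != manager.phone_on_file:
        req.audit.append(f"callback to {number_dialed} refused: not {manager.user}'s number on file")
        return False
    req.confirmed.add(Factor.MANAGER_CALLBACK)
    req.audit.append(f"callback to {manager.user} at {number_dialed} confirmed")
    return True


def hardware_token_confirmed(req: ResetRequest) -> None:
    """Called by the authenticator flow after the enrolled token confirms the request."""
    req.confirmed.add(Factor.HARDWARE_TOKEN)
    req.audit.append("hardware token confirmation received")


def strong_verify(req: ResetRequest) -> bool:
    """Hardened policy: possession or a directory-routed human; knowledge never counts."""
    req.confirmed.discard(Factor.KNOWLEDGE)  # ignore it even if an agent recorded it
    if req.confirmed & {Factor.HARDWARE_TOKEN, Factor.MANAGER_CALLBACK}:
        req.audit.append("strong: approved on " + ", ".join(sorted(f.value for f in req.confirmed)))
        return True
    req.audit.append("strong: denied, no possession or out-of-band factor")
    return False


def attacker_scenario() -> tuple:
    """Caller holds jdoe's DOB and employee ID from a breach dump and offers their own phone."""
    claims = {"dob": "1985-03-14", "employee_id": "E10234", "callback": "+15555559999"}
    req = ResetRequest("jdoe", claims)
    weak = weak_verify(req)                    # breach data satisfies the knowledge check
    manager_callback(req, claims["callback"])  # refused: not the manager's number on file
    strong = strong_verify(req)                # denied
    return weak, strong, req.audit


def legitimate_scenario() -> tuple:
    """Real employee; the agent dials the manager's directory number, not a caller-supplied one."""
    req = ResetRequest("jdoe", {"dob": "1985-03-14", "employee_id": "E10234"})
    manager_callback(req, DIRECTORY["asmith"].phone_on_file)
    return weak_verify(req), strong_verify(req), req.audit


if __name__ == "__main__":
    for name, run in (("attacker", attacker_scenario), ("legitimate", legitimate_scenario)):
        weak, strong, audit = run()
        print(f"{name}: weak={weak} strong={strong}")
        for line in audit:
            print("  ", line)
```

The design point is that `strong_verify` never reads `caller_claims`; the only inputs that can approve a reset are events produced by the organization's own channels (an enrolled token, a dialed directory number). A vishing test of a real help desk is checking exactly this: whether anything the caller says can, by itself, move the request to approved.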
For PE operating partners, social engineering assessment requires testing rather than documentation review. A help desk vishing simulation — a controlled test of how help desk staff respond to social engineering calls — produces findings that policy documents cannot. If the answer to "what would happen if someone called your help desk pretending to be the CFO and asked for an MFA reset?" is unclear, the organization has an untested and potentially exploitable control gap.
$25 million: the amount transferred by a finance employee in 2024 after a video call with an AI deepfake impersonating the company's CFO. No malware. No phishing link. No technical exploit. One convincing video call and one cooperative employee.