Social engineering

Social engineering exploits human psychology—trust, urgency, fear—to manipulate individuals into divulging confidential information or performing unauthorized actions. Besides phishing, social engineering includes phone scams (vishing), pretexting (inventing scenarios), baiting (tempting with freebies), and tailgating (physical entry by following someone).

How does it affect identity security?
No matter how robust the technical measures, a cleverly engineered ruse can convince a user to reveal credentials or bypass security procedures. Social engineers often impersonate IT support or executives to request password resets or confidential data. Defending identity requires user awareness training, strict verification policies, and layered controls so that even if one user is deceived, the damage is contained. Many high-profile breaches (Twitter 2020, Ubiquiti 2021) started with attackers socially engineering employees.

In cloud contexts, attackers might impersonate cloud provider support or trick employees into accepting an unauthorized OAuth consent prompt, which grants the attacker's application token-based access. Zero trust architecture helps mitigate social engineering by removing implicit trust: even if a user is convinced to "approve" something, further conditional checks (such as device posture) can intervene. Continuous auditing of user privileges can also detect suspicious escalations spurred by social engineering. Security teams train employees never to share MFA codes or client secrets under any circumstances.
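The two controls described above, a conditional gate that does not treat a user's approval as sufficient and an audit sweep that flags escalations typical of a successful ruse, as an added example that is not code from the original page or from any vendor. The event schema, scope names, app allowlist, role names and the 15-minute reset window are illustrative assumptions, not any real identity provider's format.

```python
"""Added example, not code from the original page: a simplified zero-trust
access decision plus an audit sweep over constructed identity events.
Event shape, scope names, app allowlist, role names and the reset window are
illustrative assumptions, not any real provider's schema."""
from datetime import datetime, timedelta

# Illustrative OAuth scopes treated as high risk (constructed names).
HIGH_RISK_SCOPES = {"mail.readwrite", "files.readwrite", "directory.write", "offline_access"}
# Apps an admin has already reviewed; elsewhere user consent alone is never enough.
APPROVED_APPS = {"Calendar Helper"}
# Roles whose assignment always needs a fresh step-up, regardless of prior approval.
PRIVILEGED_ROLES = {"GlobalAdmin", "BillingAdmin"}
RESET_WINDOW = timedelta(minutes=15)

# Constructed sample audit events (ISO 8601 UTC timestamps); a real log would
# also record the outcome of each attempt.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:02:11Z", "actor": "alice", "action": "oauth_consent",
     "app": "Calendar Helper", "scopes": ["calendar.read"],
     "device_compliant": True, "mfa": True},
    {"ts": "2024-05-01T09:05:40Z", "actor": "bob", "action": "oauth_consent",
     "app": "Invoice Sync", "scopes": ["mail.readwrite", "offline_access"],
     "device_compliant": False, "mfa": True},
    {"ts": "2024-05-01T09:07:02Z", "actor": "helpdesk-svc", "action": "password_reset",
     "target": "carol", "device_compliant": True, "mfa": True},
    {"ts": "2024-05-01T09:08:30Z", "actor": "carol", "action": "role_assign",
     "target": "carol", "role": "GlobalAdmin", "device_compliant": True, "mfa": True},
]


def _ts(event):
    """Parse the event timestamp; 'Z' is rewritten so fromisoformat accepts it."""
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def authorize(event):
    """Zero-trust gate: the user's "approve" is one signal, never the decision.
    Returns ("allow" | "deny", [reasons])."""
    reasons = []
    if not event.get("mfa"):
        reasons.append("mfa_missing")
    if not event.get("device_compliant"):
        reasons.append("device_noncompliant")  # device posture check intervenes
    if event["action"] == "oauth_consent":
        risky = set(event["scopes"]) & HIGH_RISK_SCOPES
        if risky and event["app"] not in APPROVED_APPS:
            reasons.append("admin_consent_required")  # user consent alone is insufficient
    if event["action"] == "role_assign" and event.get("role") in PRIVILEGED_ROLES:
        reasons.append("step_up_required")  # privileged change needs fresh verification
    return ("deny" if reasons else "allow", reasons)


def detect_suspicious(events):
    """Audit sweep: returns (ts, actor, rule) for patterns that commonly follow
    a successful ruse (risky consent grant, self-escalation, escalation right
    after a helpdesk password reset)."""
    findings = []
    last_reset = {}  # target -> time of most recent password reset
    for ev in sorted(events, key=_ts):
        when = _ts(ev)
        if ev["action"] == "password_reset":
            last_reset[ev["target"]] = when
        elif ev["action"] == "oauth_consent":
            if set(ev["scopes"]) & HIGH_RISK_SCOPES and ev["app"] not in APPROVED_APPS:
                findings.append((ev["ts"], ev["actor"], "high_risk_consent"))
        elif ev["action"] == "role_assign":
            if ev["actor"] == ev["target"]:
                findings.append((ev["ts"], ev["actor"], "self_escalation"))
            reset_at = last_reset.get(ev["target"])
            if reset_at is not None and when - reset_at <= RESET_WINDOW:
                findings.append((ev["ts"], ev["actor"], "escalation_after_reset"))
    return findings


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["actor"], ev["action"], authorize(ev))
    for finding in detect_suspicious(SAMPLE_EVENTS):
        print("ALERT", *finding)
```

Run as a script, the gate denies bob's consent grant on two independent grounds (non-compliant device and high-risk scopes on an unreviewed app) and the sweep raises three alerts, including carol assigning herself a privileged role within minutes of a helpdesk password reset, the sequence a pretexting call to support tends to produce.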

Case study

Attackers called Twitter staff, posing as IT, and convinced them to give up credentials. They took over high-profile accounts (e.g., Elon Musk) to post cryptocurrency scams.
