The Call
Mike, a customer service rep, gets a phone call:
"Hi Mike, this is Dave from IT. We're seeing some unusual activity on your account and need to verify your identity before it gets locked. I just need you to confirm your password so I can check the logs."
"Oh no! Um, okay, it's MikeDog2019..."
Mike just gave his password to an attacker. The "IT person" was a social engineer using psychological manipulation.
How Social Engineering Works
Social engineers exploit human nature. They use tactics like:
Authority
"I'm from IT / I'm the CEO's assistant / I'm with security"
Urgency
"Your account will be locked in 10 minutes if we don't fix this now"
Fear
"Someone is trying to access your account right now"
Helpfulness
"I'm trying to help you before this becomes a bigger problem"
Social Proof
"I just helped your colleague Sarah with the same issue"
Reciprocity
"I stayed late to call you about this before going home"
Real-World Example: The Twitter Hack
In 2020, attackers used phone-based social engineering against Twitter employees, convincing them to grant access to internal tools. They then hijacked the accounts of Barack Obama, Elon Musk, and others, stealing over $100,000 in Bitcoin.
Defense Strategies
Legitimate IT staff can reset a password without ever knowing it, so they never need to ask for yours.
Hang up and call the IT help desk back on the official, published number, not a number the caller gives you.
Take a breath. Real emergencies can wait 5 minutes for verification.
If something feels off, it probably is. It's okay to say no.