Social Engineering
Lexicon Core Definition
Social engineering is the psychological manipulation of people into divulging confidential information or performing actions that compromise security by exploiting human psychology—trust, authority, urgency, and fear—rather than technical vulnerabilities.
Analysis Breakdown
Frequent Queries
How can I tell if someone contacting me about my cryptocurrency is legitimate?
Never take contact at face value; always verify independently. If someone claims to be from an exchange, wallet provider, or crypto service, do not use contact information they provide or links they send. Instead, independently navigate to the organization's official website using a bookmark or by manually typing the URL, then contact them through verified support channels and ask whether the communication is legitimate. Legitimate organizations will never be offended by verification requests. Look for red flags: requests for private keys or seed phrases (never legitimate), urgency claiming immediate action is required, unsolicited contact about problems you never reported, offers requiring quick decisions, or requests to move funds to a supposedly "secure" location. The only reliable verification is independently contacting the organization through separately confirmed official channels.
What should I do if I realize I've been socially engineered and shared sensitive information?
Act immediately to minimize damage. If you shared a password, immediately change it using verified legitimate account access. If you shared exchange credentials, log in through your verified bookmark, change your password, enable two-factor authentication, and check transaction history for unauthorized activity. If you shared a private key or seed phrase, this is critical: immediately transfer all funds from that wallet to a completely new wallet with a newly generated seed phrase. Never reuse compromised credentials. Document everything about the incident. Report it to the legitimate organization that was impersonated. Consider reporting to law enforcement if substantial funds are involved. Review your security practices to prevent future attacks. Time is critical—attackers often move quickly once they have credentials.
Why do people fall for social engineering even when they know about these attacks?
Social engineering succeeds because it exploits fundamental human psychology that exists even when we're intellectually aware of the risk. Attackers create emotionally charged situations that trigger automatic responses before rational analysis occurs—fear activates urgency, authority triggers compliance, reciprocity creates obligation, and excitement overrides caution. These psychological responses are hardwired and difficult to consciously override. Additionally, attacks are often highly personalized using information from social media, making them feel specifically targeted. Attackers invest time building relationships and trust. Cognitive biases also play a role: confirmation bias makes us seek information confirming what we want to believe, and optimism bias makes us think it won't happen to us. Effective defense requires not just knowledge but practiced behavioral security—establishing absolute rules you never violate.
Calibration Check
Only naive or technically unsophisticated people fall for social engineering
Social engineering successfully targets everyone including security professionals, executives, and technically sophisticated users. Attackers don't rely on technical ignorance but on exploiting universal human psychology—trust, authority, urgency, fear, and helpfulness. In fact, technically knowledgeable users may be more vulnerable to sophisticated social engineering because they're confident in their ability to identify threats and may not recognize psychological manipulation. Some of the most devastating security breaches have occurred because highly skilled professionals were socially engineered into compromising security measures they technically understood perfectly. Effective defense requires recognizing that social engineering targets human psychology, which everyone possesses, not technical knowledge. Humility about psychological vulnerability is more protective than confidence in technical knowledge.
If someone has official-looking credentials or seems to know details about my account, they must be legitimate
Attackers routinely fake credentials, impersonate officials, and research targets to gather information that makes them appear legitimate. Official-looking emails can be perfectly duplicated, caller ID can be spoofed, social media accounts can look identical to legitimate ones, and website verification badges can be faked. Information about your account may come from data breaches, public social media posts, or previous social engineering attempts. Some attackers spend weeks or months building credibility before attempting their actual attack. The appearance of legitimacy means nothing—verification through independently confirmed channels is the only reliable authentication. Never trust apparent authority, credentials, or insider knowledge as proof of legitimacy. Always verify independently by contacting the organization through separately confirmed official channels.
Social engineering only happens through direct contact like phone calls or emails
Social engineering occurs through every communication channel: emails, phone calls, text messages, social media direct messages, forum private messages, dating apps, professional networking sites, video calls, and in-person interactions. Some social engineering is indirect—attackers may post fake information on forums hoping targets will act on it without direct contact. Romance scams develop over weeks through dating apps. Fake job opportunities come through professional networks. Investment scams build credibility through content creation. Community infiltration involves becoming a trusted member of cryptocurrency forums or Discord servers before privately targeting individuals. Attackers use whatever communication channel will be most effective—the medium is simply a tool for psychological manipulation. Protection requires maintaining security awareness across all communication channels and never assuming any particular medium is inherently safe.