The Other Cons
Phishing is the famous one — the fake email that pretends to be your bank. But it is only one member of a larger family. The trick underneath all of them is the same: earn a little trust, then spend it. Once you know the family, you can spot the move even when it does not arrive as a suspicious email.
That family is the social engineering you met at the start of this chapter — manipulating a person into giving up information or access, instead of breaking into a computer directly. Phishing is its most famous member. This page walks through four of its other shapes: pretexting, baiting, vishing, and tailgating.
A single picture covers most of it: someone in a uniform holding a clipboard. We tend to wave through anyone who looks like they belong — in an office hallway or in our inbox. Every con below is a different way of borrowing that "looks like they belong" feeling. We will map each one, then drop the uniform and use the real terms.
Pretexting: A Believable Story
Pretexting is inventing a story and a role that make a request seem normal. The attacker becomes "someone from IT," "a new colleague in finance," or "the delivery company confirming an address." The pretext — the invented reason — is the whole tool. It gives the request a context where handing over information feels routine.
When Olivia gets an email from a "new colleague in finance" asking her to quietly send over a payroll file before their first meeting, the story is doing the work. There is no new colleague. The role is borrowed, and the request rides along on it. Notice that a pretext can ride in by email, in person, or on the phone — it is the made-up story, not the channel.
The trap is that a good pretext is often stuffed with real, accurate details about you. Knowing your name, your manager, or where you bank does not prove someone is legitimate — those facts can be gathered first, precisely to make the story land.
Baiting: Something Too Tempting to Leave Alone
Baiting dangles something appealing that carries the attack when you take it. A "free" movie download, a prize you did not enter for, or a USB stick — a small thumb-sized storage device — left lying in a lobby. Plug that stick into a computer and it can quietly install malware, software built to harm or spy on the machine.
Baiting sounds like a trap for the greedy. It is not. The found USB stick labeled "Salaries 2026" gets plugged in out of plain curiosity, not greed. The bait is aimed at a normal human reflex — wanting to know — and that reflex is in everyone.
Vishing: The Con by Voice
Vishing is short for "voice phishing" — the same trick run over a phone call instead of an email. A live human voice does something an email cannot: it applies pressure in real time. "Your account has been compromised, I need you to confirm a code right now."
The phone adds urgency and a person you feel rude hanging up on. That combination is the point. Hearing a calm, official-sounding voice makes the request feel more trustworthy, even though a voice proves nothing about who is really calling.
Tailgating: Walking In Behind You
Tailgating leaves the screen entirely. It is following an authorized person through a door that needs a badge or a code — slipping in behind them before the door closes. Arms full of boxes, a friendly "could you hold that?", and the secured door is defeated by ordinary politeness.
No malware, no email, not a single line of code. Tailgating is the physical-world version of borrowing someone's access, and it is a reminder that social engineering is about people, not only computers.
The Thread Running Through All Four
So far: pretexting borrows a role, baiting borrows your curiosity, vishing borrows a trustworthy voice, and tailgating borrows your courtesy at a door. Different surfaces, one engine — borrowed trust. The attacker never forces anything; they arrange for you to grant it. Seeing that shared engine is what lets you recognize a con you have never met before.
- "Social engineering only happens on computers." Tailgating through a door and a convincing phone call are social engineering with no email and no malware at all. The target is the person, whatever the channel.
- "A caller who knows my details must be legitimate." Attackers gather real facts about you first, exactly so the pretext sounds convincing. Knowing your name or your bank proves nothing about who is calling.
- "Baiting only works if I'm greedy." Curiosity is enough. A USB stick labeled "Salaries" gets plugged in because people want to know what is on it, not because they are trying to get rich.
- "These are four unrelated tricks to memorize." They are four surfaces of one move: borrow trust, then spend it. Learn the move and the specific labels become easy to place.
- It stretches your pattern-recognition past the inbox, so the same trick stays visible on a phone call or at an office door.
- It names the common thread — borrowed trust — behind attacks that look completely unrelated, which is what lets you spot a brand-new variation.
- It puts physical access on the map: a door held open is a security event, not just a polite moment.
Knowledge Check
Someone calls Olivia claiming to be from her bank's fraud team, using a calm, official voice and pressing her to confirm a code immediately. Which con is this?
- Vishing
- Tailgating
- Baiting
- A malware infection
What is the single move that pretexting, baiting, vishing, and tailgating all share?
- They borrow the target's trust, then exploit it
- They all arrive as an email pretending to be someone the target already knows and trusts
- They all install malware on a device
- They only work on careless people
An attacker slips through a badge-controlled office door behind an employee carrying boxes. No computer is touched. Is this still social engineering?
- Yes — tailgating manipulates a person to gain access, no computer needed
- No — it only counts if a computer is involved
- No — this must be baiting, because the boxes the employee was carrying were surely the real lure here
- No — this is pretexting, because a story was used