Hollywood has got hackers all wrong. They are portrayed as lonely souls in dark rooms with only a pizza deliveryman for social interaction, who type away at their computers, incredibly quickly, until some remote system yields to their persistence and offers up access.
The problem with this image is that real-world hackers will always look for the weak points in a target system and, while computers certainly have their vulnerabilities, the Achilles' heel can often be the user. Some hackers, therefore, cultivate good communication skills, ready to play tricks on the unwitting. They call it "social engineering".
This week sees the world's most famous hacker, Kevin Mitnick, freed from his bail conditions. He has spent the past seven years in techno exile, imprisoned for five years and then forbidden from touching a computer for a further two.
But Mitnick's talents were never just about computers. Testifying before the US Congress in 2000 and talking about social engineering, he said: "I was so successful in that line of attack that I rarely had to resort to a technical attack."
His recent book, The Art of Deception, catalogues a whole spectrum of scams where naive employees are duped into revealing information about their computer system to an unidentified voice on the phone. In one story, Mitnick persuades Motorola employees that he, too, is an employee, and they send him any information he wants; no computer hacking needed.
"Social engineering is any attack that involves deception," says Thomas C Greene, security columnist at The Register e-zine. "It's just a technological confidence trick. Calling someone and saying you are the systems administrator and you need them to reset their password is a classic one."
Times are changing, and with them come new opportunities for social engineering attacks. Bruce Schneier, co-founder of Counterpane Internet Security Inc, recognises that humans always have tried con tricks and always will, but, he says: "We are starting to see more automated social engineering attacks. That, I think, is pretty interesting."
Examples of this include the fake eBay site that was launched last month. The shadow site replicated the real eBay.com site - but it was registered to two men in Lithuania.
These, one assumes, would be the people who received your credit card, bank account, driver's licence and social security numbers were you to follow the instructions and submit them.
Even virus writers are taking up the mantle. The LoveLetter virus would arrive in your inbox with an attachment called "LOVE-LETTER-FOR-YOU". Despite regular warnings about the possible nefarious content of attachments, people could not resist clicking to see why they were so loved, and infected themselves in the process.
A comical extension of this is the email virus hoax, such as SULFNBK. This message carried no malicious payload but played on users' lack of knowledge about their own system: it warned that if the user found the SULFNBK file on their computer, they should delete it because it was a virus.
The file existed all right - but it was just part of Windows. Nevertheless, people happily deleted it and then passed the message on to all their friends; it was a perfect social engineering ruse.
But users will be users and making them aware that people like to play such tricks is an uphill battle. "Any competent security manager has known this for ages," says Greene, "but they have a hard time persuading rank and file employees."
For this reason, security companies have considered other ways that they might protect their customers' precious data. Schneier's company, for instance, used to be a consultancy, analysing and designing solutions for security problems, but even the most elegantly crafted systems were still being broken in the real world.
"If I sell you a door lock that keeps your house secure and someone knocks at your door and says 'please let me in, I'm a policeman' and then they rob your house, it's not the lock's fault," he explains.
For reasons like this, he decided that security was more about risk management than building impenetrable defences. So he changed his company to provide network security monitoring.
And he has caught social engineers. "When you are an alarm company, you don't have to detect the point of entry to detect malicious behaviour," he says. "It is the only technical solution to the problem."
Kevin Mitnick will now be enjoying his first surfs on the internet. It has changed immeasurably from the one that got him in trouble seven years ago. He claims that his hacking days are over - a life of consultancy and conference talks awaits him. But at some point, someone like him will come along with new con tricks. Human fallibility will always be too attractive for hackers to resist.