Prompt Injection Is the “Social Engineering” of AI Apps

When people think about AI security, they often jump straight to jailbreaks, model theft, or hallucinations. But the risk that keeps showing up in real systems is more familiar than that. It looks like social engineering. Prompt injection happens when an LLM-based app can be steered by instructions hidden inside content it’s asked to read—an email, a web page, a PDF, a shared doc, a ticket, a calendar invite. If your app treats that content as “instructions” instead of “data,” it becomes surprisingly easy to hijack behavior. This matters a lot more once you move beyond a simple chatbot. The moment an AI system can browse, retrieve documents, call tools, or take actions, a prompt injection isn’t just “a weird answer.” It can turn into a workflow problem: the agent gets nudged into doing the wrong thing, skipping safety steps, or exposing information it shouldn’t. Direct vs. indirect prompt injection Most people have seen the obvious version: a user types something like “ignore previous