Unlike typical hacking attempts, which focus on vulnerabilities in computer systems, social engineering attacks rely on deception and psychological manipulation of people. Victims hand over sensitive information or access to a system. They may not realize they've made a mistake until days, weeks, or even months later.
What Is Social Engineering?
Technology users know they should protect sensitive information from outsiders. But during a social engineering attack, they're tricked into trusting a person, entity, or piece of hardware so a hacker can exploit that trust and gain access to systems.
The word "social" refers to the human part of this attack. Humans are generally trusting, and we want others to like us. We also tend to bow to those in authority. A hacker uses these traits against us during a social engineering attack.
We'll dig into examples in a moment. But for now, let's describe the steps hackers typically follow to pull off an attack like this. Your attacker will:
- Prepare. Your hacker might look for a specific target within your organization. Or the hacker seeks out vulnerabilities in your physical office layout or digital platforms. Then, the hacker determines the best attack approach.
- Capture. The hacker launches the attack and hopes to inspire trust. The victim is pulled in, and the real danger begins.
- Complete. The hacker ends the attack and hides all the evidence.
No lights flash or bells ring when you're a victim of a social engineering attack. Instead, the hacker silently steals the data and disappears into the vapor.
8 Social Engineering Attack Examples
We've described how or why people might launch social engineering attacks. But what does one really look like, and how does it work? Let's dive into a few descriptions and real-world examples.
1. Baiting
Your hacker sets up a false promise, and you're somehow encouraged to learn more or take advantage. When you do, the hacker launches malware that infects either your device or your company's server.
North Korean hackers used this technique against American security researchers in March of 2021. The hackers set up a website for a bogus security company. The images and ads were riddled with malware. Then, the attackers set up fake social media accounts and encouraged the researchers to buy products from the new site at discounted prices.
Physical devices, like flash drives and discs, can also be part of a baiting scam. A company might hand you a device and encourage you to plug it in to see an amazing image or install free software. But the hacker's malware runs instead.
2. Scareware
Picture this: You're visiting a website, and a popup window appears. It reads: "Your computer is infected! Hit this button now, or you'll lose all of your data!" You've encountered scareware.
During an attack like this, intruders use fear and surprise to entice you to act without thinking too hard. Doing so could cause widespread infection. This tactic is also called:
- Deception scareware
The attack begins with a conversation that seems legitimate. The outreach comes from an address you recognize, and you act on it without thinking.
For example, an executive got an invoice. The sender's address looked just like the executive's assistant's address. So the executive paid the invoice without thinking about it. Later on, her accountant informed her that the invoice was not legitimate, and it came from an attacker.
In other versions of this attack, victims get phone calls from hackers claiming to be bankers, law enforcement officials, or other authority figures. A question-and-answer period ensues, and the victims hand over all of their personal details. Importantly, these kinds of attacks can be avoided completely if the victim calls the supposed person back using a phone number taken from a trusted source.
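The invoice case above turns on a sender address that differs from a trusted one by a character or two. As an added example (not part of the original article), this Python code compares an incoming From header against a list of known correspondents and flags near matches; the addresses, the `KNOWN_SENDERS` list, the `CONFUSABLES` table and the distance threshold are constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed list of trusted correspondents (assumption; use your own directory).
KNOWN_SENDERS = {"assistant@example.com", "accounts@example.com"}
# Constructed, non-exhaustive map of digits often used in place of letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(addr):
    """Fold an address for comparison. NFKC handles compatibility forms such as
    full-width letters; it does not map cross-script homoglyphs."""
    folded = unicodedata.normalize("NFKC", addr).lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, known=KNOWN_SENDERS, max_distance=2):
    """Return ('known' | 'lookalike' | 'unknown', matched trusted address or None)."""
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in known:
        return ("known", addr)
    for trusted in sorted(known):
        if skeleton(addr) == skeleton(trusted) or edit_distance(addr, trusted) <= max_distance:
            return ("lookalike", trusted)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed From headers for illustration.
    for header in ("Assistant <assistant@example.com>",
                   "Assistant <assistant@examp1e.com>",
                   "News <newsletter@vendor.test>"):
        print(header, "->", classify_sender(header))
```

A "lookalike" result is the case worth holding for review: the address is not trusted, but it is close enough to a trusted one that a reader would likely not notice.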
4. Phishing
Phishing is another common social engineering attack.
Email often kicks off the attack. The note seems official, and it might include logos and addresses from legitimate companies. Links dot the text, and tapping them allows malware to run. Hackers shorten or otherwise disguise their links, so it's difficult for victims to spot the deception.
5. Spear Phishing (Also Called Whaling)
Email kicks off this attack too. But hackers choose the recipient very carefully. They know where the victim works, what the victim does, and what words or prompts will push that person to act. The tailored messages are almost impossible to ignore.
Spear phishing attacks are deadly when they're developed properly. In fact, 95 percent of all successful attacks at the enterprise level are spear-phishing attacks.
Here's a real-world example. Hackers connected with security researchers, and they asked if these professionals could collaborate on research. When the experts agreed, hackers sent "background materials" riddled with malware links.
6. Quid Pro Quo
Attackers offer their victims solutions to a threat that doesn't exist. Victims are frightened, and they accept the help. Unfortunately, that's the point at which the attack begins.
A social engineering attack like this targets Social Security recipients. Victims get a call, and they believe they're speaking to an SSA official. The hacker tells the victim that accounts have been compromised. The victim must provide an active SSN, address, age, and other information to solve the problem.
Even the official Social Security Administration can't stop this scam.
This is an in-person form of social engineering attack. The intruder simply follows somebody who is entering a secure area. Victims believe the intruder is another authorized employee. The victim often even holds the door open for the attacker.
Once the person is inside the building, the attack continues. The intruder might steal expensive equipment, or install malicious equipment or software inside the premises. And employees may not stop it, as it seems like the attacker has a reason to be there.
8. Watering Hole
A hacker spots a legitimate website (such as a news website) and introduces some kind of ad that leads visitors to malware.
This attack is called a "watering hole," as the hacker doesn’t need to monitor it. When the tools are built, they can run independently.
How to Prevent a Social Engineering Attack
It's impossible to address every instance of human error. As long as we want to trust other people and work with them, this type of attack will continue.
But you can train your employees to:
- Research. Don't click any email message coming from a source you don't know. If the note seems suspicious, send it to IT. Don’t connect unknown hardware to company systems.
- Protect. Don't hold the door open for strangers, and lock down screens when you walk away from your desk. Don’t discard sensitive information in places where it could be easily recovered. Use multifactor authentication on any sensitive applications. Run quarterly training on social engineering and other forms of attack.
- Suspect. Don't click on any ads on suspicious websites, including popup ads. Check the ID of people asking you to hold the door open for them.
Administrators can lock down permissions and keep staff away from dangerous-seeming websites. Running antivirus software regularly and strengthening firewalls may help too.
Remember that offsite employees need training too. They may not be as informed of the risks as your onsite employees. And they may engage in riskier behaviors at home.
Frequently Asked Questions
Q: Is there another term for "social engineering?"
A: Yes! Some people use oversharing attack, social engineering hack, and social engineering scams to describe the threat.
Q: How often do hackers use social engineering techniques?
A: This is a very common form of hacking. People don't need strong programming skills to get started.
Q: Who is an ideal social engineering victim?
A: Hackers typically choose someone who has access to important or valuable data. Sometimes, hackers choose senior executives. But assistants may also have information or access to resources the hacker wants.
Q: Can you provide a social engineering attack example?
A: In July of 2020, hackers reached out to Twitter employees. As the attack unfolded, the employees granted access to internal company tools. Hackers then took over prime Twitter accounts, and they demanded a bitcoin ransom to release ownership.
Q: Are all social engineering attacks conducted via social media?
A: No. In fact, some of the most effective social engineering exploits are conducted in person with impersonation and persuasion. Someone with the right uniform and a bright smile could, for example, entice you to hand over your computer for "repairs."