Social Engineering: How It Works, Examples & Prevention
Social engineering is a type of psychological manipulation where threat actors get people to divulge sensitive secure information. An attacker uses social skills to compromise an individual or organization’s credentials for malicious purposes. Nearly all (98 percent) of cyberattacks use social engineering.
With social engineering, a bad actor cons someone into revealing private information, such as a password, banking details, Social Security number, or other personally identifiable information (PII). The attacker will often pose as a trusted entity, known person, or respectable party. They may ask targeted questions to trick the victim into giving up this information.
Social engineering schemes can have devastating consequences, ranging from financial loss and disruption of services to reputation damage and more. It is important to understand how social engineering works to protect yourself from a potential attack.
What is social engineering?
Social engineering, in the context of information security, is the manipulation of a person through human behaviors and social skills to convince them to divulge compromising information. A threat actor will often pose as someone you know or an organization that you trust and respect to convince you to divulge personal information that they can then use to gain access to your accounts, steal your money, or disrupt your services.
The weak link in cybersecurity is the human element. Attackers exploit natural human instinct, which is to trust, in order to gather the necessary information to carry out a cyberattack. Social engineering schemes can be initiated through email, phone calls, text messages, malicious websites, peer-to-peer sites, or social networking sites.
With social engineering attacks, a threat actor will often ask questions to glean information. They can seem respectable and unassuming, but if they ask the right questions and get enough information, they will be able to use this to access your accounts and potentially compromise your computer and/or organization. Social engineering schemes can also involve baiting or responding to fraudulent offers to help.
6 principles of social engineering attacks
Social engineering targets the human mind and looks for potential weaknesses instead of attacking a computer or device directly. Social engineering is a form of fraud that relies on the psychology of persuasion. Threat actors use manipulation to convince individuals to reveal personal information that they can then use to gain access to secure resources.
Social engineering relies on the following six key principles:
- Authority: The bad actor can pose as a figure in authority to convince the victim to release their credentials or gain compliance for the scheme. For example, if it appears that your boss is asking for your personal information for something, you will likely be more inclined to reveal it.
- Intimidation: A bad actor will often use threats or subtle intimidation tactics to convince the victim to act accordingly. This can include intercepting communications, manipulating them, and threatening to release them to a boss or friend to promote distrust.
- Scarcity: This capitalizes on the concept of supply and demand. The more demand there is for a product and the less supply there is, the more likely a person is to want it. Social engineering can post malicious links on websites advertising a limited quantity of something that will create a sense of urgency. The victim clicks on the bad link, enters their information, and the threat actor steals it.
- Urgency: Similar to scarcity, using the ploy that something is available for a “limited time only” is a form of time-based psychological manipulation that can convince an individual to act quickly or risk missing out.
- Consensus: As a form of social proof, people are more likely to participate in something that they see other people doing as well. This can mean that if a threat actor can convince a victim that their peers are also participating in a certain scheme, they will be more likely to be successful. Threat actors can set up fake reviews for services or products to convince people to also buy in.
- Familiarity: It is human nature to be more persuaded to engage in or buy something from someone you like or respect. Attackers can capitalize on this, and social engineering schemes often seem to come from a source that is known or respected by the victim.
Types of social engineering attacks
There is a wide range of social engineering attacks. The following are some of the most common:
- Phishing: This form of social engineering attack involves sending fraudulent emails or creating malicious websites to convince individuals to expose their private credentials. Phishing attacks continue to rise and are among the most common cyberattack vectors, with over 300,000 phishing attacks in December 2021 alone.
Phishing attacks generally seem to be coming from a reputable or trusted source, asking users to download an attachment or click on an embedded link to log in to a system, thereby unknowingly revealing their credentials to a threat actor. This often comes in the form of an email, and it can appear to be coming from a company you use and trust.
Financial institutions are commonly targeted, wherein bad actors send fraudulent emails claiming to be from your bank or credit card company. They often ask you to log in to your account.
Phishing schemes can also target current events, such as the COVID-19 pandemic, humanitarian efforts, holidays, an election, economic concerns, or a natural disaster. These emails can ask for help and convince an individual to respond with specific requested information or financial support.
- Smishing: A form of phishing attack, smishing involves the use of SMS, or text messages, to send fraudulent links or websites to entice an individual to click on and enter their credentials. An example would be a text that seems to be from your phone carrier, asking you to log in to your account via an included link for a seemingly valid reason. The link takes you to a malicious site run by a bad actor who will use this to steal your credentials.
- Vishing: Another form of phishing that involves voice communication, vishing exploits phone communications. Vishing requests that an individual call a certain number, often by pretending to be the victim’s bank, and reveal PIN numbers and passwords.
Vishing attacks can manipulate voice over internet protocol (VoIP) solutions, such as caller ID, which can easily be spoofed. Victims are likely to trust a phone service’s security, so they don’t suspect fraud.
- Spear phishing: Phishing typically involves spamming a large number of individuals and hoping to land a hit. The efforts aim to entice someone to respond with the requested information. Spear phishing, on the other hand, is a more targeted approach.
The fraudulent emails are tailored to a targeted few individuals using more detailed research of the victims. These attacks are more time-consuming for the attacker; however, they are also often more likely to be successful.
- Scareware: This is a form of malware that uses the perception of a threat and plays on the ensuing anxiety, fear, or shock of the user. Scareware often involves a pop-up ad or a spam email that tricks a user into downloading malware or visiting an infected website.
- Baiting: These schemes are found on malicious websites, social networking sites, or peer-to-peer sites, and they involve enticing users with something desirable. This can include a new movie, new music, or a hard-to-find product. The victim will take the bait, click on the malicious link or website, or attempt to purchase the product.
- Pretexting: A pretexting social engineering scheme will use a compelling story to convince a victim to offer help or respond with the requested information. These schemes can be a cry for help, often asking for money to save a friend who has been detained or worse. They can also involve humanitarian efforts, charity, fundraising, or aid for natural disasters.
These messages commonly come from sources that the user trusts and seem to be from a reputable background. They can also come from someone posing to be your employer.
Pretexting schemes may claim that you are a winner and ask you to provide your banking details, so they can give you your earnings. These schemes can be very elaborate, with messages looking like they came from your bank or institution, down to even the correct logos.
A pretexting scheme can tell you that there is a problem you need to fix by clicking on the embedded link and providing the requested information, giving the threat actor access to your PII and therefore your account and/or device.
- Tailgating: Also called piggybacking, this form of social engineering attack occurs when a person without the correct authentication or clearance follows someone who does have the proper authorized access. This can give threat actors access to physical locations that are protected, often with a smart card or token, simply by walking in behind someone who has one.
- Quid pro quo: This means “something for something.” With a quid pro quo attack, the threat actor manipulates the victim into providing sensitive information by offering something in return. This is commonly in the form of a service or profit that the threat actor promises if the victim first reveals the requested sensitive information.
Best practices for preventing social engineering attacks
To prevent social engineering attacks, it is helpful to be aware of the tactics scammers will use. Employees should undergo cybersecurity training to understand common cyberattacks and how they are initiated.
It is important to remember that nearly all cyberattacks (99 percent) rely on human input to initiate. Phishing and email scams are common methods of initiating a social engineering attack.
Here are some things to remember:
- Do not open suspicious attachments. Cybercriminals often send malware in email attachments.
- Carefully check the sender’s email address. Bad actors commonly pose as legitimate businesses or organizations, but the email address is usually off by a few characters.
- Beware of malicious websites and spoofed hyperlinks. Always type in the URL of the website directly instead of clicking on an embedded link. Also, if you hover over the hyperlink and the URL does not match the text, it could be spoofed.
- Take your time. Threat actors often try to get users to act without thinking by claiming a sense of urgency or impending threat. Slow down and review the information carefully despite any high-pressure sales tactics.
- Watch for spelling mistakes, poor grammar, and strange layouts. Legitimate businesses rarely have grammar, sentence structure, or spelling mistakes, but fraudulent emails frequently do.
- Be aware of generic greetings and/or signatures. Scammers are often spamming multiple accounts at the same time with the same message, while a legitimate message from a business or organization is more likely to greet you specifically by name and sign the email with their contact information.
- Email a company directly if you are unsure if the email is legitimate. Track down contact information for the company that you know is legitimate instead of using what a suspicious email or website may be offering.
- Beware of suspicious downloads. Be careful not to download anything you do not know for sure came from a trusted source. You can always report the message to your IT department to ensure that it is safe before downloading.
- Watch out for unsolicited emails. If you receive an email answering a question you did not ask or offering services you did not request, research this thoroughly. Do your own research, even if the information seems to come from a company you know and use.
- Know that foreign offers are fraudulent. Any offer or claim from a foreign entity is fraudulent, and you should not respond to it.
- Do not respond to emails or requests for personal information or those offering help or requesting help. These are scams looking to steal your identity and/or your money.
- Beware of suspicious phone calls or text messages. Do not click on links or call these numbers back. Verify the identity of an individual or organization before revealing any personal information.
Additionally, you should take care to protect your devices and network. Use anti-virus software, firewalls, and spam filters, and keep all of your cybersecurity features up to date. Use MFA (multi-factor authentication) to help protect your accounts, as this will require an additional authentication factor outside of a username and password, making it harder to hack.
Do not reveal sensitive information in an email or through unsecured websites. Check the URL for “HTTPS” instead of merely “HTTP” as this indicates a higher level of security.
If you believe you have been a victim of a social engineering attack, report this to your organization immediately. If you think your financial accounts have been compromised, report this to your financial institutions immediately. Change any passwords for accounts that may be compromised. If necessary, file a police report and report identity fraud to the Federal Trade Commission (FTC).
Social engineering relies on human interactions and psychological manipulation to initiate a cyberattack. Common forms of social engineering attacks include phishing, baiting, smishing, and vishing.
Social engineering attacks are commonly initiated through spam emails, phone calls, or text messages. They often ask individuals to click on an embedded link, download an attachment, or respond to the message with personal information.
These attack attempts are frequently extremely sophisticated and can appear to come from legitimate sources.
A social engineering attack is an attempt to get a user to reveal personal or confidential information that can then be used for the purposes of fraud or disruption. Bad actors can use social engineering attacks to steal credentials, hack into financial accounts to steal money, or disrupt business operations.
To protect yourself from a social engineering attack, you should remain vigilant and aware of suspicious emails, phone calls, and text messages. Do not click on suspicious links, download attachments, call phone numbers back, or respond to emails with personal information. Do your research and ensure that the message you are responding to is legitimate and vetted before interacting with it.
Social engineering attacks are one of the most common attack vectors for threat actors and can be prevented with good cyber hygiene and behaviors.
Phishing Activity Trends Report. (February 2022). APWG.
Cybersecurity: 99% of Email Attacks Rely on Users Clicking Links. (September 2019). ZDNet.
Cybersecurity for Small Businesses. Federal Trade Commission (FTC).