Social Engineering: How It Works, Examples & Prevention


Social engineering is a type of psychological manipulation in which threat actors get people to divulge sensitive information. An attacker uses social skills rather than technical exploits to compromise an individual's or organisation's credentials for malicious purposes. Nearly all (98 per cent) cyberattacks involve some form of social engineering.

With social engineering, a bad actor cons someone into revealing private information, such as a password, banking details, Social Security number, or other personally identifiable information (PII). The attacker will often pose as a trusted entity, known person, or respectable party. They may ask targeted questions to trick the victim into giving up this information. 

Social engineering schemes can have devastating consequences, ranging from financial loss and disruption of services to reputational damage. Understanding how social engineering works is the first step in protecting yourself from a potential attack.

What is social engineering?

Social engineering, in the context of information security, is the manipulation of a person through human behaviour and social skills to convince them to divulge compromising information. A threat actor will often pose as someone you know, or as an organisation you trust and respect, to convince you to hand over personal information that they can then use to gain access to your accounts, steal your money, or disrupt your services.

The weak link in cybersecurity is the human element. Attackers exploit the natural human instinct to trust in order to gather the information they need to carry out a cyberattack. Social engineering schemes can be initiated through email, phone calls, text messages, malicious websites, peer-to-peer sites, or social networking sites.

In a social engineering attack, a threat actor will often ask questions to glean information. They can seem respectable and unassuming, but if they ask the right questions and gather enough information, they can use it to access your accounts and potentially compromise your computer or your organisation. Social engineering schemes can also involve baiting, or fraudulent offers of help that the victim responds to.

6 principles of social engineering attacks

Social engineering targets the human mind and looks for potential weaknesses instead of attacking a computer or device directly. Social engineering is a form of fraud that relies on the psychology of persuasion. Threat actors use manipulation to convince individuals to reveal personal information that they can then use to gain access to secure resources. 

Social engineering relies on the following six key principles:

  1. Authority: The bad actor can pose as a figure in authority to convince the victim to release their credentials or gain compliance for the scheme. For example, if it appears that your boss is asking for your personal information for something, you will likely be more inclined to reveal it.
  2. Intimidation: A bad actor will often use threats or subtle intimidation tactics to pressure the victim into complying. This can include intercepting communications, manipulating them, and threatening to release them to a boss or friend in order to sow distrust.
  3. Scarcity: This capitalises on the concept of supply and demand. The more demand there is for a product and the less supply there is, the more likely a person is to want it. Social engineers can post malicious links on websites advertising a limited quantity of something, creating a sense of urgency. The victim clicks on the bad link, enters their information, and the threat actor steals it.
  4. Urgency: Similar to scarcity, using the ploy that something is available for a “limited time only” is a form of time-based psychological manipulation that can convince an individual to act quickly or risk missing out.
  5. Consensus: As a form of social proof, people are more likely to participate in something that they see other people doing as well. If a threat actor can convince a victim that their peers are also participating in a certain scheme, the scheme is more likely to succeed. Threat actors can set up fake reviews for services or products to convince people to buy in.
  6. Familiarity: It is human nature to be more persuaded to engage in or buy something from someone you like or respect. Attackers can capitalise on this, and social engineering schemes often seem to come from a source that is known or respected by the victim.

Types of social engineering attacks

There is a wide range of social engineering attacks. The following are some of the most common:

  • Phishing: This form of social engineering attack involves sending fraudulent emails or creating malicious websites to convince individuals to expose their private credentials. Phishing attacks continue to rise and are among the most common cyberattack vectors, with over 300,000 phishing attacks in December 2021 alone.

Phishing attacks generally seem to be coming from a reputable or trusted source, asking users to download an attachment or click on an embedded link to log in t