What is social engineering? It is a form of cyberattack that involves using psychological manipulation and deception to forge relationships, exploit trust, and gain access to data or information. The goal of social engineering is to trick people into divulging sensitive information, such as passwords and network details, by making them believe they are interacting with someone they trust. Security analysts have confirmed that more than 70% of cyberattacks that take place on the internet on an annual basis are social engineering attacks.
In some cases, social engineers will also attempt to get you to download malware — software that can be used for malicious purposes — onto your computer without you noticing.
Key Takeaways
- Social engineering uses psychological manipulation and exploits trust, rather than technical hacking, to deceive victims into revealing sensitive information or performing actions.
- Common attack vectors include phishing (email), vishing (voice calls), smishing (SMS), baiting (lures), and pretexting (creating false scenarios).
- Phishing is the most prevalent form, often involving emails disguised as legitimate communications to steal credentials or deliver malware.
- Be cautious of unsolicited requests for personal information, urgent demands, offers that seem too good to be true, and verify the identity of the requester through separate channels.
- Protect yourself through a combination of technical measures like multi-factor authentication and email authentication (DMARC, SPF, DKIM), and behavioral practices like user awareness training and strong password hygiene.
What is Social Engineering: Definition
Social engineering is the act of manipulating people into performing actions or divulging confidential information, often by exploiting psychological triggers like trust, curiosity, or helpfulness. It’s a form of hacking, but instead of technically breaking into computers, social engineers try to gain access to them by tricking employees into giving up information or downloading malware. A social engineer can make you an unwitting accomplice by using high-level manipulation to get whatever the attacker wants.
Protect Against Social Engineering with PowerDMARC!
Techniques of Social Engineering: How Does Social Engineering Work?
Social engineers use many different tactics and channels to achieve their goals. The attacker might lure you into a conversation that becomes more of an interrogation. Common methods include:
- Impersonation via Various Channels: Social engineering may be carried out over the phone (vishing), via email (phishing), or via text messages (smishing). A social engineer may call a company and ask for access to a restricted area, or they may impersonate someone trustworthy (like IT support, a colleague, or even law enforcement) to get someone else to open an email account, provide credentials, or grant access on their behalf.
- Help Desk/Support Scams: Attackers may claim that they are calling from a company’s help desk and request remote access so they can fix something on your computer or network. Or they might claim that they need your password or other personal information such as bank credentials so they can resolve an issue with your bank account.
- Pretexting: This involves creating a fabricated scenario or story (a pretext) to gain the victim’s trust and persuade them to divulge information or perform an action. For example, an attacker might impersonate a customer or employee and weave a hypothetical story to justify their need for sensitive company information, often carried out via phone calls.
- Baiting: Attackers lure victims with enticing offers, like free downloads, prizes, or appealing advertisements (“Earn $1000 per hour!”). Clicking on these baits often leads to malicious websites or initiates malware downloads. If an offer seems too good to be true, it probably is.
- Tailgating/Piggybacking: An attacker follows an authorized person into a restricted physical area without proper credentials.
- Shoulder Surfing: Observing someone from nearby (e.g., looking over their shoulder) to steal confidential information like passwords or PINs as they are entered.
- Romance Scams: Attackers adopt fake online identities to build romantic relationships with victims, gaining their trust before manipulating or stealing from them. These scams can be financially devastating.
- Law Enforcement Impersonation: In some cases, social engineers will even pretend to be law enforcement officers and threaten legal action if you refuse to comply with their demands for information. While it’s important for businesses to take these threats seriously, remember that legitimate authorities will typically not ask for passwords or sensitive financial details over the phone or email!
Purpose of Social Engineering
Social engineering is often used in phishing attacks, which are emails that appear to be from a trusted source but are actually aimed at stealing your personal information or deploying malware. The emails usually contain an attachment with malicious software (often called malware) or links to malicious websites that will infect your computer if opened or clicked.
The goal of social engineering is always the same: getting access to something valuable without having to work for it (from a technical hacking perspective). Common objectives include:
1. Stealing sensitive information
Social engineers may try to trick you into giving up your password and login credentials (such as your username/email address) so they can access your email account or social media profile where they can steal personal information like credit card numbers and bank account info from previous transactions. They might also target company secrets, customer data, or intellectual property. You might know how to sell on Instagram, but are you equipped with enough knowledge to protect your small business and account from social engineers?
2. Identity theft
They could also use this information to assume the victim’s identity and carry out malicious activities posing to be them down the line, such as applying for credit in the victim’s name, making fraudulent purchases, or accessing other accounts.
3. Financial Fraud
Attackers aim to directly steal money, often through scams involving fake invoices (like the one that cost Barbara Corcoran nearly $400,000), wire transfer requests (CEO fraud), fake prize winnings requiring upfront payment, or gaining access to bank accounts.
4. Gaining Unauthorized Access
The goal might be to gain access to a restricted network, system, or physical location to conduct further attacks, espionage, or sabotage.
Learn why cyberattackers commonly use social engineering.
How to identify a Social Engineering Attack?
1. Trust your gut
If you receive any emails, messages, or phone calls that sound suspicious, create a sense of urgency, or feel ‘off’, don’t give out any information or take immediate action. Verify the request through a separate, trusted communication channel (e.g., call your company’s official number directly, check with the person supposedly sending the request via a known contact method).
2. Don’t submit your personal information readily
Be extremely cautious if someone asks for your Social Security number, passwords, financial details, or other private information, especially if unsolicited. Legitimate organizations rarely ask for sensitive data via email or phone. It’s advised not to give out any information unless it’s absolutely necessary and you have verified the legitimacy of the request and the requester’s identity.
3. Unusual Requests Without Context or Verification
Social engineers often make unusual or large requests (like wire transfers, access permissions, sensitive data) without providing proper context or following established procedures. If someone asks for money or other resources without explaining why they need it convincingly or if the request seems out of character or bypasses normal channels, there’s probably something fishy going on. Always verify such requests through official channels before complying.
4. Check Sender Details and Links
In emails, carefully examine the ‘From’ address and ‘Return-Path’ address; attackers often use addresses that are slightly misspelled or look similar to legitimate ones (domain spoofing). Hover over links before clicking to see the actual destination URL; beware if it looks suspicious or doesn’t match the expected website. Be cautious of emails with generic greetings, poor grammar, or spelling errors.
5. Beware of Tempting Offers and Urgency
Be skeptical of offers that seem too good to be true (e.g., winning a lottery you didn’t enter, huge discounts from unknown sources) or messages that create a strong sense of urgency or fear (e.g., “Your account will be closed unless you act now”). These are common manipulation tactics.
Here are some specific examples of potentially suspicious situations:
- Receiving an email from someone who claims to be from your IT department asking you to reset your password via a link or provide it in an email or text message.
- Receiving an unsolicited email or call from someone claiming to be from your bank asking for personal information, such as your account number, PIN code, or password. Remember, your bank will almost never ask for this information this way.
- Being asked for sensitive information about the company (e.g., employee details, financial data) by someone claiming to be from the company’s HR department or a senior executive, especially if the request seems unusual or urgent.
- Seeing online ads or receiving messages offering unrealistic rewards or deals that require clicking a link or providing personal information.
Email-based Social Engineering Attacks
Email remains a primary channel for social engineering. Common types include:
Phishing emails – These look like they’re from a legitimate source (banks, popular services, government agencies) but are actually trying to trick you into opening a malicious attachment, visiting a fake login page to steal credentials, or clicking a link that installs malware. Phishing is responsible for a vast majority of data breaches.
Spear phishing – Spear phishing attacks are highly targeted attacks directed at specific individuals or organizations. Attackers research their targets and use personalized information (name, job title, interests, recent activities) to make the emails seem more credible and convincing.
Whaling – This is a type of spear phishing specifically targeting high-profile individuals within an organization, such as senior executives or board members (“whales”), due to their high level of access and authority.
CEO Fraud / Business Email Compromise (BEC) – CEO fraud is a type of phishing or spear phishing scam that involves impersonating a CEO or other high-level executive, often instructing employees (typically in finance or HR) to perform urgent actions like initiating wire transfers, changing payroll details, or sending sensitive information.
Domain Spoofing – Attackers forge the sender address to make an email appear to come from a legitimate company domain, manipulating victims into trusting the email’s content. Implementing DMARC can help prevent direct domain spoofing.
Learn about other types of social engineering attacks.
How to Prevent Social Engineering?
Preventing social engineering requires a combination of technical controls and user awareness. Here are some tips on how to prevent social engineering attacks and protect yourself and your organization:
- Install and Maintain Security Software: Make sure you have good antivirus and anti-malware software installed on all your devices and computers. Keep these programs, as well as your operating system and applications, up to date with the latest patches to protect against known vulnerabilities.
- Be Skeptical of Unsolicited Communications: Don’t open suspicious emails or attachments, especially from people who aren’t in your circle of trust or whom you don’t know. This includes emails claiming to be from your bank, credit card company, or other services if they seem unusual or ask for sensitive information.
- Verify Links and Senders: Don’t click on links in emails or messages unless you’re sure they’re safe—even if they appear to come from someone you know (their account could be compromised). Hover over links to check the destination URL. If there’s ever any doubt about whether an email is legitimate, contact the sender directly via a known, separate communication channel (like phone or text message) instead of replying to the suspicious email or clicking links within it. Always recheck the mail From address and Return-path address.
- Practice Strong Password Hygiene: Use strong, unique passwords for different accounts. Change them regularly. Avoid sharing passwords or writing them down where others can find them.
- Be Wary of Unsolicited Calls/Messages: Be cautious of unsolicited phone calls (vishing) or text messages (smishing) offering something “too good to be true” (like free prizes, investment opportunities, urgent warnings). Don’t provide personal information over the phone unless you initiated the call and know you’re speaking to a legitimate representative. Consider using caller ID identification applications.
- Enable Multi-Factor Authentication (MFA/2FA): Use two-factor authentication wherever possible. This adds an extra layer of security, meaning that even if someone steals your password, they will still need another piece of information (like a one-time code sent to your phone) to access your account.
- Implement Email Authentication: Set up email authentication protocols like SPF, DKIM, and DMARC for your domain. Configuring DMARC with a policy of p=reject helps secure your email channels against direct domain spoofing, phishing attacks, and domain abuse.
- Secure Physical Access: Be mindful of tailgating and ensure sensitive information is not easily visible to shoulder surfers. Lock your computer when you step away.
- Limit Information Sharing Online: Be cautious about the amount of personal information you share on social media and other public platforms, as attackers can use this information for spear phishing or pretexting.
- Browse Safely: Do not browse websites that are not secured over an HTTPS connection (look for the padlock icon and “https://” in the address bar), especially when entering sensitive information.
- Educate and Train: Raise awareness within your organization and educate yourself and employees about common types of social engineering attacks, tactics used, and warning signs. Regular training can significantly reduce susceptibility. Think twice before trusting people you interact with online whom you do not know in real life.
- Establish Clear Procedures: Implement clear policies and procedures for handling sensitive information requests, verifying identities, and escalating suspicious activities.
To Summarize
It’s important to protect against social engineering because it can result in significant financial losses, theft of personal and confidential information, compromised security systems, reputational damage, and serious data breaches.
No matter how good your IT team is at protecting your company from technical cyberattacks, the human element remains a potential vulnerability. You can never completely eliminate the risk of someone trying to get into your system through social engineering methods that target people’s trust and psychology. That’s why it’s so important to train employees continuously about identifying phishing emails, vishing calls, and other types of social engineering attacks, and to foster a culture of security awareness and caution.
