Security awareness

What is a social engineering attack?

November 28, 2023 by Emma Waite

As you build and grow your business and hear buzz terms about various cybersecurity risks, you might ask yourself some key questions: What is social engineering, why is it effective and how do social engineers successfully manipulate people?

The most important question to ask yourself, your leaders, and your cybersecurity team is: How can you protect yourself from social engineering? 

We will address these vital questions and much more in this blog post. 


What is social engineering? 

Social engineering refers to various deceptive psychological techniques to manipulate someone into thinking certain thoughts, revealing confidential information or performing specific actions. This nefarious concept was adopted by cybercriminals and has become a favorite form of gaining entry into systems to steal information and funds or perform other illicit activities. 

As organizations invest more in cybersecurity tools to improve their defenses, social engineering remains an easy way to bypass those protections. In short, why pick the lock if you can simply trick a human into handing you the key?

Consider a recent TikTok that posed the question: can you get in anywhere with a ladder? By simply acting like they belong and looking the part (carrying a ladder or clipboard), social engineers can walk right into sensitive areas, because employees regularly defer to apparent "authority." That same mentality carries over into the digital space as well.

Clearly, social engineering attacks are an unfortunate and undeniable reality. However, as a business leader, you must find strategies and training to empower your workforce to keep your systems and crucial data secure. Understanding more about social engineering is vital to protect your employees, customers and your organization's reputation. 

Now that we have a basic definition, let's dive deeper into social engineering and social engineering prevention.  

We’ll explore how cybercriminals trick people online and how you and your employees can defend against social engineering fraud and protect against scams and manipulation. 

How do social engineering attacks work? 

Malicious actors in the cyber world may use different media, such as social media, telephone, text messages or email. If employees aren't familiar with the tricks social engineers use, it may be difficult for them to detect these suspicious requests. 

The hacker will play on an employee's sense of duty or desperation. They may call or send an email, posing as an IT professional in the organization who needs to check their computer remotely or verify the employee's login credentials. Social engineering tactics often create a sense of urgency.  

Without proper training and understanding of social engineering and how their best intentions could be used against them, employees may easily fall for various forms of manipulative strategies. 

Types of social engineering attacks 

Bad actors have tried to manipulate people since the beginning of time. The only difference between other forms of social engineering and IT-related deception techniques is the vast cyber landscape in which they do it. 

Consider the fact that 74% of breaches have a human element, and it's easy to see how widespread and effective these tactics are. 

With more information, you stand a much better chance of preparing your employees and management to identify social engineering strategies they may face and how to handle them without incident. 

Let's raise your security IQ and look at the most common types of social engineering attacks to help you and your team identify and prevent them. 

Phishing 

Phishing is a cybercrime in which attackers target an organization's employees, contacting them via email, telephone or text message. As mentioned earlier, the attackers pose as someone legitimate and trustworthy, such as an IT team member. They provide compelling reasons to share sensitive data, including passwords, personal information, banking and credit card details, and then use that information to commit identity and financial theft.

Spearphishing 

Spearphishing is a form of phishing, but it is a far more targeted attack. While phishing sets out to scam large swathes of people using broad psychological strategies, spearphishing is aimed at specific individuals.

This attempt to acquire sensitive information or access to someone's computer system relies on sending phony messages that seem real. The hackers in these campaigns do more homework to gain insights into their individual targets, identifying their interests, habits and personal vulnerabilities. 

Like other social engineering strategies, spearphishing exploits positive human traits, such as your employees' desire to be helpful or respond positively to authority. One way cybercriminals do this is by compromising an email or messaging system, such as via ordinary phishing tactics, or using an email infrastructure vulnerability to launch a spearphishing attack, notes CSO. 

But that is only the first step in this long con. The ultimate goal is to get insider information, bringing up real past conversations with employees or referencing specific sums of money for a previous transfer. 

Attackers might trick financial executives into sending money to attacker-controlled bank accounts. Another strategy is to use fake invoices to con accounts payable staff into sending money.


Pretexting 

Pretexting takes cyber deception to new depths. The hacker crafts a false story, or pretext, to gain an employee's trust. The fabrication is often so compelling that it manipulates the victim into downloading malware, sending funds to the fraudsters or sharing sensitive organizational information. 

Pretexting and business email compromise (BEC) attacks have doubled in recent years and are perhaps more elaborate since they may involve multiple messages or vectors, such as phone calls combined with messages, to build trust. 

The attacker typically seeks to establish trust with their victims. They may impersonate IT leaders or team members, bank representatives, co-workers, police and other authorities, and others who may have right-to-know authority over the victim. 

They ask questions that supposedly serve to confirm the victim's identity, and the answers give them access to personal or organizational data.

Baiting 

You are probably picking up on a theme as we continue discussing social engineering strategies with "baiting." It seems that hackers think of businesses and employees as potential fish on the line. 

Baiting is similar to phishing, but it kicks things up a notch, enticing victims with a tangible product or a popular streaming song or video. 

Malicious actors may post website ads with tempting offers, or ads placed so that they are easily and inadvertently clicked. These ads may be embedded in banners, sidebars or footers. Once someone clicks on them, they lead to malicious websites or further entice victims to download applications loaded with malware.

If someone opens the malicious media, the program may release a virus that can spread throughout an entire network or lead to the exposure of personal and financial information to the bad actors. 

Additional types of social engineering schemes 

The types of social engineering listed above offer only a glimpse of what cybercriminals are capable of and what they resort to doing to create havoc.

Here are a few more to keep in mind when planning cybersecurity training against social engineering for your team: 

  • Tailgating is sometimes called "piggybacking" and refers to a breach where an unauthorized person, such as a cybercriminal, works their way into a restricted area of a system through manipulation.

  • Dumpster diving is when a hacker physically searches for sensitive information like bank account, student loan, credit card or other confidential account information in the garbage. 

  • Scareware is what it sounds like, scaring victims into providing information. Culprits barrage victims with fictitious threats, false alarms and fear-inducing messages that make them think their system has incurred a malware infection or a virus. Scareware then prompts them to grant remote access or install malicious software to "correct the issue." 

  • Quid pro quo is Latin for "something for something." In social engineering, it means that the hacker offers something in exchange for information. This method puts your employees' integrity to the test.


What is the best countermeasure against social engineering? 

Now that you know more about various types of social engineering examples, you're probably ready to find out how you can protect yourself from social engineering. The best strategy for preventing social engineering is cybersecurity training and awareness for employees, managers and executives. 

Here are some specific tips to include in security training sessions to keep everyone safe from social engineering: 

  • Do not open suspicious emails. Even if the email comes from a known source, an employee may still find the subject line or preview text suspicious. It is always best to check with the IT or security team before opening anything suspicious.

  • Pause before reacting. For social engineering ploys like scareware, ask employees to pause before reacting, and certainly before responding.

  • Update anti-virus and anti-malware software frequently. Always update software and turn on any automatic updates to ensure continuous protection. 

  • Conduct pentests. Pentesting, or ethical hacking, can help you determine your organization's real-time susceptibility to social engineering attacks, giving you ample time to act on the results. 

  • Create ongoing social engineering awareness campaigns. Continue informing your staff about the lurking dangers posed by cybercriminals, especially those focused on social engineering. Most people want to help and comply with requests by their managers and other authorities. You can help them understand that there are times when caution is more important. 

Reach out to our team to learn more about protecting against social engineering 

We are here to help you with FREE cybersecurity training resources and much more. Visit our IQ page to learn more about training your workforce to detect and defend against social engineering attempts. 

Emma Waite

Emma has been with Infosec for five years supporting Infosec IQ in multiple capacities. She began her career with Infosec as a Client Success Manager and then transitioned to helping customers implement Infosec IQ as the Implementation Team Lead. Most recently she took on the role of Product Marketing Manager for IQ. In her "free" time, she is busy keeping up with three kids and two dogs, while tending to her garden.