What is social engineering?
Social engineering definition
Social engineering is a broad range of psychological manipulation techniques that involve direct human interaction. Cybercriminals use social engineering to trick people into giving away confidential information or performing a certain action. Trust, stress, and greed are natural feelings that social engineers use against people to cloud their judgment.
Read on to learn more about the most common social engineering attacks and how to protect yourself against them.
How does social engineering work?
Social engineering works by exploiting the target's emotions. Malicious actors use different psychological manipulation techniques to induce strong emotional responses (such as fear or excitement) which may cloud the victim's thinking. Once rattled, social engineering victims can make security mistakes or uninformed decisions, exposing themselves to dangers such as having their money stolen, their data hijacked, or their identity stolen.
In the online space, social engineers approach potential victims with targeted messages that include specific scenarios (such as a stolen bank account or huge lottery winnings). If the target falls for the ruse, they may voluntarily click on suspicious links, transfer money, download malware, or give away sensitive data (such as login credentials).
Types of social engineering attacks
While the most common social engineering attacks are phishing attacks, malicious actors have a versatile assortment when it comes to manipulating people. Here are the most popular types of social engineering attacks.
Phishing attacks
Phishing attacks are the type of cybercrime during which a cybercriminal uses emails to entice targets into clicking malicious links or downloading malware. To sell the scam, malicious actors usually pretend to be your bank, a government agency, a delivery company, or other organization you trust. Their goal is to have you open a phishing email and unwittingly download malware or click on a suspicious link that leads to a bogus website. The aim of these attacks is to trick you into disclosing sensitive information such as your login credentials, Social Security number, or your bank card number (including your credit card’s cvv code).
Phishing can come in different forms and methods. The most common include:
- A spoofed display name. The email appears to come from a legitimate organization, but the sending domain differs slightly from the one on the organization's website (for example, it includes an extra dash or number).
- Embedded links. The perpetrators might send an email asking you to click a link to log back in to your account (even though nothing about your activity on that site has changed). Following the spoofed URL leads to a malicious website, where hackers can capture your login credentials.
- Email attachments. Malicious actors may send viruses or malware disguised as invoices, order confirmations, or event invitations. Opening them can lead to hijacked systems and stolen personal data.
Angler phishing attacks
Angler phishing attacks target social media users via spoofed customer service accounts. In an angler phishing attack, the hacker will reach out to customers who have recently posted a complaint and try to get their personal information or account credentials. Here's how scammers typically perform angler phishing attacks:
1. The attacker monitors social media feeds and waits for someone to tag a particular company with a complaint or question about their account.
2. The attacker answers back by posing as the company's customer support team (while using a fake social media account).
3. A few messages later, the scammer gains the target's trust and uses that to get access to their passwords and other confidential information as a means to "try and help solve the issue."
Spear phishing attacks
Spear phishing is a type of phishing that requires more effort but also comes with a 66% success rate (Barracuda data). This data exfiltration attack targets individuals and small groups. The perpetrators usually pretend to be a specific person you trust or report to.
For this social engineering attack to work, hackers need to do some research about their victim(s) and use that information against them. Hackers can gather a lot of this information from social media, such as email addresses, the brands the target trusts and follows, and the names and accounts of their friends. After completing the research, the hacker will email the victim with a realistic pretext to get more information.
Spear-phishing attacks are difficult — but not impossible — to recognize. To protect yourself:
- Always check the source of the email.
- Ask yourself whether the message sounds like a normal request.
- If it sounds suspicious, do not reply to the email and contact the person directly. Do this by sending them a separate email, giving them a call, or waiting to speak to them face to face.
Smishing attacks
Smishing attacks are like phishing attacks, except for one significant difference — smishing involves SMS text messaging instead of email. This type of social engineering attack has proven to be effective, likely due to its more personal nature.
Smishing scammers get your phone number through hacked databases or purchase it on the dark web. If it's personalized smishing, there’s also a small chance that the culprit could have gotten your phone number from a dumpster diving attack.
A common smishing attack might look like a text message asking you to rearrange delivery of a parcel by tapping a link. Or it could come in the form of a message from a bank asking you to confirm your identity via a suspicious URL.
These smishing links are dangerous. They often direct you to malicious websites that could steal even more of your data. In addition, scammers may use link manipulation to shorten or otherwise alter the URLs to trick you into downloading malware onto your device.
Vishing attacks
Vishing scammers pretend to be contacting you from a trustworthy organization using a phone call instead of a message or email. First, they spoof their caller ID to impersonate a person or a company you trust. Hackers might use pre-recorded voice messages, text messages, or voice-to-text synthesizers to mask their identities. Others will even use humans from scam call centers or AI voice bots to expand the scope of their scam or make the attack more convincing.
Vishing hackers use a compelling pretext, such as suspicious activity on your bank account, overpaid/underpaid taxes, and contest winnings. Regardless of the technique, their primary goal is to get your sensitive information, which can be used to steal your identity, launch privilege escalation attacks, or use it for other social engineering attacks.
To determine if the call you're receiving is a vishing attempt, follow these tips:
- Question the company and the reason for the phone call. Have you ever heard of this company or have you ever done any business with it?
- Is the caller offering unrealistic financial gains from a contest you've never entered, or are they offering to help you with debt you've never heard of?
- Are they using hostile language to pressure you to give up your personal information?
All of these are warning signs of vishing.
Pretexting attacks
Pretexting is a social engineering attack that resembles phishing in its use of an emotionally enticing pretext. However, if phishing is based on fear and urgency, then a pretexting attack is the opposite: it's based on trust and rapport.
Pretexting requires bad actors to conduct a lot more research than other social engineering techniques do. As part of their preparation, cybercriminals gather as much information about the victim as possible and use it to pretend to be their friend or colleague. They won't just lie; they'll come up with a whole scenario to fool the target. In a company environment, these hackers work their way up and won't stop with a single attack. Their goal is usually to get information from someone at a certain level of seniority.
It can be difficult to spot pretexting scammers due to the amount of research and effort they put into creating their fake persona. However, if someone seems to be too friendly and asks for data you shouldn't be sharing with anyone, don't be afraid to question them, because it could be a social engineering attack.
Here's a pretexting example of a tech-support scam:
1. A "tech-support representative" from a well-known company calls you.
2. They ask you to help them check whether an internal money-transfer system is working accurately, to help improve the customer experience.
3. If you agree, they ask you to transfer money into a designated bank account and to provide your login information for this company.
4. Once you transfer the money, the hacker steals it along with your login credentials.
Of course, pretexting hackers will assure you that the money transfer will be held temporarily and that it's all part of their routine company checks. Having identified themselves with bogus credentials, these cybercriminals sound confident, trustworthy, and professional. However, even if they sound confident in their ability, keep your guard up and double-check with those with seniority before complying with such requests.
Catfishing attacks
Catfishing is a cybercrime that occurs when scammers create fake social media profiles by using other people's photos, videos, and personal information. These fake identities are typically used to cyberbully or seek attention. Sometimes, they can also be used to extract money or the victim's personal details, especially in the case of confidence tricks, which rely on building trust with the victim before scamming them.
If you've made an online friend who is extremely nice but constantly finds excuses to not meet in person or to share information about themselves, it's very likely that you're being catfished. Here are some warning signs:
- Pity stories and requests for money
- Strange excuses such as why their webcam or phone doesn't work
- Excuses not to meet up or last-minute cancellations due to personal emergencies
- Offering to meet somewhere private rather than in a public place
Email phishing
Email phishing is the most common type of phishing. It occurs when malicious actors send large volumes of phishing emails with malicious attachments or suspicious URLs to trick people into interacting with them. Some consider email phishing the same as spam phishing, although spam messages do not always include phishing links. In email phishing, scammers often use URL phishing methods to steal a target's sensitive data, relying on social engineering tricks such as pretending to be a legitimate service and creating a sense of urgency.
In-session phishing
In-session phishing is a relatively fresh phishing method that’s been steadily growing throughout the past few years. It occurs when hackers hijack websites to send users fraudulent messages directing users to malicious websites or files with malware. The basic scenario of in-session phishing typically goes like this:
1. The user logs in to a legitimate website.
2. Scammers hijack the target's browsing session by injecting malicious scripts into third-party ad networks, exploiting browser vulnerabilities, or, in rare cases, even using methods such as keylogging.
3. Scammers inject phishing prompts and other fraudulent messages into the browsing session, inviting users to engage with the content. If the user follows the request, they can expose important information (such as credit card details or 2FA passcodes) or download malware.
Search engine phishing
Search engine phishing (more commonly known as search engine poisoning [SEP] or search engine manipulation) is another subtle tactic that malicious actors use to hijack your data. Cybercriminals manipulate search engine results to make fraudulent or malicious websites appear at the top of search engine results pages, creating an impression of a reputable source. If the target clicks on a malicious search engine result, they’ll get taken to the fake website where scammers can perform data exfiltration and initiate malicious downloads.
Another type of SEP includes scammers paying for advertisements to appear at the top of the search engine’s results page (SERP) and lure people to a phishing website that is a duplicate of the original one. If the target buys something on the fraudulent site, malicious actors will acquire their payment information, exposing the victim to financial danger.
To protect yourself from becoming a victim of search engine poisoning:
- Always check URLs in the search engine’s page to see if they match the original website (you can use NordVPN's Threat Protection Pro™ search results safety indicator feature for this).
- Use two-factor authentication (2FA) to safeguard yourself from unauthorized transactions.
Scareware attacks
If you ever find yourself being bombarded with false alarm messages or fictitious threats, it could be scareware. Scareware can be referred to as deception software, rogue scanner software, or fraudware.
In a scareware attack, you're tricked into thinking your device is infected with malware, prompting you to install software that downloads real malware onto your device.
Scareware can look like a popup banner that suddenly appears while you're browsing, saying something similar to: “Your computer may be infected with a virus.” If you click on this banner, you're either prompted to install a tool that will purge the virus, or you're directed to a malicious website that could further infect your device.
It's also worth noting that in these kinds of social engineering attacks, scareware can also be distributed via spam email that may attempt to convince you to buy worthless or harmful services.
Diversion theft attacks
Diversion theft attacks are designed to trick you into sending sensitive information to a scammer. By spoofing their email address, a diversion thief will pretend to be from an auditing firm, financial institution, or even someone from your workplace.
If a diversion theft attack is successful, the thief could get hold of highly confidential information about a company, files that contain company forecasts and plans, client information, or even personal information about the company's employees.
Baiting attacks
A baiting attack is a social engineering attack that uses bait to persuade you to do something that allows the hacker to infect your computer with malware. Many social engineers use USBs as bait, leaving them in offices or parking lots with labels like “Executives' Salaries 2019 Q4.”
People who find them are tempted by curiosity and insert them into a computer. The virus hidden within quickly spreads to their device. However, the use of USBs is decreasing, so baiting attacks are now mainly used on P2P websites (such as file sharing pages or cryptocurrency websites).
Threat actors exploit P2P websites for baiting by creating false mirroring sites. If someone stumbles upon such a website while looking to download a movie, they'll likely be downloading malware. You're always at risk downloading any files from an untrusted source, but to avoid being hacked, you can take precautions. Always double check the type of file you are getting, and make sure your antivirus is up to date.
Here are two quick tips to avoid being baited:
- Use anti-malware, ad blockers, and tracking blockers: NordVPN's Threat Protection Pro feature can help you with all of these areas.
- Stick to websites and retailers you know and trust: Always research companies before you buy from them. Check their website and URL for spelling mistakes and whether or not they're a registered company. Always be aware of what you're typing in because even one mistake can make you a victim of a typosquatting attack. You can also read customer reviews published by unbiased reviewing companies.
Quid pro quo
A quid pro quo attack happens when a scammer offers you a service in exchange for your personal information. A few years ago, quid pro quo attacks consisted of emails such as the Nigerian Prince scam, in which targets were told that a Nigerian prince had died and that they had inherited all his money. All they needed to do was provide their bank details or send a small "handling fee" so the money could be transferred.
The most common quid pro quo attacks happen when hackers pretend to be IT support specialists. The victim usually has a minor problem with a device, or it needs a software update, so they don't question the caller. The impersonator tells them that they need to access their computer to fix the problem. Once they gain access, they install malicious software or steal other sensitive information.
Contact spam attacks
Contact spamming is one of the oldest techniques still used. A cybercriminal will hack into your email or your social media account and reach out to your friends with a message like, “I've seen this amazing video, check it out!”
Unfortunately, we tend to trust messages that seem to come from our close friends. But if you click on this link sent by a harmful text spammer, you will end up infecting your device with malware. What's even worse is that once these viruses spread to your device, they can spread the same message to your contacts, too.
Worryingly, xHelper — a malicious application that was discovered in 2019 — can even reinstall itself if uninstalled. So while it's easy to think you'd never fall for a phishing email or any other kind of social engineering attack, it's better to stay extra vigilant because the aftermath can be irreversible.
Piggybacking
Piggybacking refers to the type of social engineering technique where malicious actors exploit human error or behavior to get inside online or physical systems (for example, office buildings). While physical and digital piggybacking differ in their methods, they typically have one common denominator — someone inside the system or location who either intentionally or inadvertently assists the attacker.
In the case of online piggybacking, scammers may use phishing links to convince targets to provide login credentials for company systems and then use them to access sensitive information or gain access to the victim's other online accounts (such as social media). Meanwhile physical piggybackers may get access to the server rooms or other critical office infrastructure to install malware (via compromised USBs), cause distributed-denial-of-service (DDoS) attacks, and otherwise harm the company’s hardware (and therefore, software).
Safeguarding against online piggybacking involves turning on 2FA and remaining vigilant when it comes to phishing. Checking your network activity from time to time is also a good way to keep your systems safer from long-term damage. Protecting against physical piggybacking involves investing in physical security measures (such as entrance gates and employee keycards) and keeping an eye on any suspicious people loitering around the office premises.
Pig butchering
Pig butchering is one of the newest and most dangerous types of social engineering attacks. The heightened danger of this attack lies in its non-traditional nature. Unlike typical social engineering scams, pig butchering does not rely on forcing victims to take quick action. Instead, scammers befriend their targets, usually conversing and earning their trust for months, until the time comes to strike. After gaining the target's trust, malicious actors may "recommend" that these new "friends" invest in shady gambling sites or otherwise make financial transfers that often cannot be reversed, causing the victims huge financial losses. Pig butchering scams are often run by larger crime syndicates, which have the means to create a network of well-trained scammers, each capable of stealing hundreds of thousands of dollars.
Tailgating
Tailgating is the same social engineering technique as piggybacking (with the terms often used interchangeably). The only small difference is that tailgating typically revolves around a bad actor gaining unauthorized access to physical locations (such as data centers or server rooms) without the victim’s knowledge. Meanwhile in piggybacking, scammers may get help from the inside, or in case of digital piggybacking, use online tools (such as session hijacking codes) to get free access to certain systems.
Watering hole attack
A watering hole attack is a type of cyberattack that mimics nature’s predators. Just like predators wait for their prey near water sources (or water holes), malicious actors find popular websites and silently compromise them to deliver advanced malware (such as ransomware or spyware) or steal as much sensitive data as possible. Scammers can inject websites with malicious code to infect devices or spoof login credentials, granting themselves access to crucial data (such as business secrets). That’s why watering hole attacks typically target specific companies or government agencies and particular industries, such as finance or IT.
Business email compromise (BEC)
Business email compromise is a cybercrime that can involve different social engineering schemes. During BEC, malicious actors may target company employees with fake invoices, contact them while pretending to be the CEO, or use phishing to gain access to their work accounts. Depending on the tactics chosen, the goal of BEC can range from stealing money to account hijacking and data theft.
Social engineering attack examples
One of the latest examples of a social engineering attack occurred in 2023, when reports about a Twitter data breach emerged. Attackers used a vulnerability in the platform's application programming interface (API) and applied social engineering (pretending to be a legitimate insider) to manipulate Twitter employees into giving up access or credentials. The attacker gained access to users' data (such as private phone numbers and email addresses, usernames, screen names, follower counts, and account creation dates) without needing elaborate hacking skills.
Another instance of social engineering was the recent WhatsApp investment scam that left a woman in Cardiff with a loss of £50,000. The fraudsters approached the victim pretending to be representatives of an investment firm and offered to help her invest in Bitcoin. They then pressured the target into providing access to her device, supposedly so she could withdraw her earnings. Once the scammers had access to the target's computer, they used the sensitive information stored on the device to log in to the woman's bank account and steal more than £50,000.
Social engineering in cybersecurity
Social engineering is one of the biggest headaches in cybersecurity. With many different available tactics, organizations must invest tons of money and personnel into keeping the systems safe from attackers. And yet, with social engineering, the attack surface is so wide, all it takes is an employee clicking on a single phishing link to bring the whole company to its knees.
That's why, as a viable precaution, cybersecurity experts recommend that organizations run regular phishing tests to keep employees alert to potential attacks. Along with education, simulated phishing tests among co-workers can strengthen an organization's resilience to social engineering attacks and improve the company's overall cybersecurity.
How to spot social engineering attack attempts
To spot social engineering attack attempts, you’ll need prior knowledge about how these attacks work. However, if you manage to awaken your inner skeptic when it comes to emails, phone calls, and text messages, you will have a higher chance of avoiding a scammer’s trap. Here’s what you should be wary of to potentially avoid successful social engineering attacks:
- Suspicious or unusual requests. If you’re contacted by someone who’s asking for your sensitive information (login credentials, Social Security number, employee’s security clearance) keep your guard up and double-check the sender’s credentials by contacting someone who can verify the identity of the sender (depending on the sender, it could be a service provider or personnel manager).
- Poor grammar and spelling errors. While scammers today often use perfect grammar, you can still find some cases of phishing that include poorly worded messages and tons of mistakes. Block those immediately.
- Strange links and attachments. If you receive an email or a text message that has a link or a file attached to it, act cautiously. Use a URL checker to verify links before clicking on them and tools such as NordVPN’s Threat Protection Pro™ to block malicious links and downloads.
- Offers that are too good to be true. When you’re dealing with suspicious offers, always remember the golden rule — if it sounds too good to be true, it most likely is.
- Discrepancies in email handles. It’s possible to copy almost everything about the person’s email — the signature, the writing style, the tone of voice. However, it’s impossible to create an exact replica of an email handle. If you’re suspicious about email, double check the sender’s email address and compare it to the official sources (for example, if it’s a service provider, you’ll be able to find it on the company’s official website). If the email addresses don’t match, do not respond.
- Inconsistency in communication. If you get an email from a known company (or a superior at work) and the wording of the message (or its tone in general) seems odd, it’s okay to question it. It’s especially important to be doubtful if the message is urgent and asks you to transfer money or click on suspicious links.
- Requests for too much access. If you receive a letter from a co-worker or a superior that includes a request for an unusual amount of information (or access to sensitive databases), double-check with them directly. Even if the matter is urgent and turns out to be legitimate, you’ll likely receive less scrutiny (or even get a pat on the back) for putting the company's cybersecurity first.
- Pressure to act quickly. This is one of the biggest indicators of a social engineering attack. Apart from some exceptions (such as the pig butchering scam), malicious actors will always try to instill a sense of urgency in their messaging. So if you feel pressured into providing information or clicking on dubious URLs, take your time and evaluate the situation before taking action.
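The "extra dash or number" sign from the phishing section and the "discrepancies in email handles" check above can be turned into a simple mail-filter rule. This is an added example, not code from the original article or from NordVPN; the trusted-domain table, the sample From headers, and the edit-distance threshold are constructed for illustration.

```python
"""Flag senders whose domain only resembles a trusted organization's domain.

Added example for the article's "spoofed display name" and "email handle
discrepancy" advice. TRUSTED_DOMAINS and the headers below are constructed.
"""
from email.utils import parseaddr
from typing import Optional

# Constructed allow-list: brand keyword expected in the display name -> the
# domain(s) that organization really sends from.
TRUSTED_DOMAINS = {
    "acme bank": ("acmebank.example",),
    "parcelco": ("parcelco.example",),
}


def sender_domain(address: str) -> str:
    """Return the lowercased part after '@' (no public-suffix handling)."""
    return address.rsplit("@", 1)[-1].lower().strip() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _strip_noise(domain: str) -> str:
    """Drop dashes and digits: 'acme-bank1.example' -> 'acmebank.example'."""
    return "".join(ch for ch in domain if ch not in "-0123456789")


def lookalike_of(domain: str, legit: tuple) -> Optional[str]:
    """Return the legitimate domain that `domain` imitates, or None."""
    for real in legit:
        # Rule 1 from the article: same name with an extra dash or number.
        if _strip_noise(domain) == _strip_noise(real):
            return real
        # Rule 2: one or two character swaps/typos (e.g. 'o' -> '0').
        if edit_distance(domain, real) <= 2:
            return real
    return None


def classify_sender(from_header: str) -> dict:
    """Classify a From header as trusted, lookalike, mismatch, or unknown."""
    name, address = parseaddr(from_header)
    domain = sender_domain(address)
    brand = next((b for b in TRUSTED_DOMAINS if b in name.lower()), None)
    result = {"domain": domain, "brand": brand, "verdict": "unknown", "mimics": None}
    if brand is None:
        return result  # no trusted brand claimed in the display name
    legit = TRUSTED_DOMAINS[brand]
    if domain in legit:
        result["verdict"] = "trusted"
        return result
    mimic = lookalike_of(domain, legit)
    result["mimics"] = mimic
    # 'lookalike' = brand name claimed and domain imitates the real one;
    # 'mismatch' = brand name claimed but domain is unrelated. Both warrant
    # verifying the sender through an official channel before responding.
    result["verdict"] = "lookalike" if mimic else "mismatch"
    return result


if __name__ == "__main__":
    for hdr in (
        '"Acme Bank Alerts" <alerts@acmebank.example>',
        '"Acme Bank Alerts" <alerts@acme-bank1.example>',
        "ParcelCo <noreply@parcelc0.example>",
        '"Acme Bank Support" <support@mail-relay.example>',
    ):
        print(hdr, "->", classify_sender(hdr)["verdict"])
```

A real deployment would also consult the SPF/DKIM results and compare the Reply-To header, which this heuristic does not do.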
How to prevent social engineering attacks
When you know how social engineering works, it becomes easier to safeguard yourself from becoming a victim. Here are some additional tips on how to prevent social engineering attacks:
- Educate yourself and others. If you run a company or manage a team, it's essential to educate your team about social engineering attacks. Penetration testing is a great way to find vulnerabilities in your network and educate your employees.
- Keep an eye out for grammar or spelling mistakes. Legitimate businesses tend to fine-tune their content before sending it out. Hackers, on the other hand, can leave countless grammatical and spelling errors that could indicate a social engineering attack.
- Don't be afraid to ask questions. If you think someone is trying to scam you over the phone, feel free to question their friendliness or their authority. Most importantly, listen for answers that don't match their story.
- Limit the information you share online. Oversharing information (such as phone numbers, workplace pictures, or even relationship status) on your social media or other online public domains can help someone gather information about you and use it for social engineering attacks.
- Take care of your software. Install regular updates, invest in antivirus software, install spam filters, and use browser privacy extensions.
- Use a VPN. A VPN will help safeguard your identity online and prevent would-be hackers from intercepting your online traffic, especially on public Wi-Fi. NordVPN's Threat Protection Pro™ anti-phishing feature will also help protect you from visiting malicious websites and promote a positive security culture.