What is social engineering?

Social engineering relies on human nature, rather than technical hacking, to manipulate people into compromising personal or enterprise security.

Social engineering manipulates people into sharing information they shouldn’t share, downloading software they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals, or making other mistakes that compromise their personal or organizational assets or security.

An email that seems to be from a trusted vendor requesting updated credit card information, a threatening voicemail claiming to be from the IRS, an offer of riches from a foreign potentate—these are just a few examples of social engineering.

Because social engineering exploits human weaknesses rather than technical or digital system vulnerabilities, it is sometimes called ‘human hacking.’

In many instances, cybercriminals use social engineering tactics to obtain the kind of personal data—login credentials, credit card numbers, bank account numbers, Social Security numbers—they can use for identity theft, enabling them to make purchases using other people’s money or credit, apply for loans in someone else’s name, apply for other people’s unemployment benefits, and more. But a social engineering attack can also be the first stage of a larger-scale cyberattack. For example, a cybercriminal might trick a victim into sharing a username and password—and then use those credentials to plant ransomware on the victim’s employer’s network.

Social engineering is attractive to cybercriminals because it enables them to access digital networks, devices and accounts without having to do the difficult technical work of hacking firewalls, antivirus software and other cybersecurity controls. This is one reason social engineering is the leading cause of network compromise today, according to ISACA's State of Security 2021 report. It’s also one of the most costly: according to IBM’s Cost of a Data Breach 2021 report, data breaches caused by social engineering attacks cost companies USD 4.47 million on average.


How and why social engineering works

Social engineering tactics and techniques are grounded in the science of human motivation. They manipulate victims’ emotions and instincts in ways proven to drive people to take actions that are not in their best interests.

Most social engineering attacks employ one or more of the following tactics:

  • Posing as a trusted brand: Scammers often impersonate, or ‘spoof,’ companies that victims know, trust and perhaps do business with often or regularly—so regularly that they follow instructions from these brands reflexively, without taking the proper precautions. Some social engineering scammers use widely available kits for staging fake websites that resemble those of major brands or companies.
  • Posing as a government agency or authority figure: People trust, respect or fear authority (in varying degrees). Social engineering attacks play on these instincts with messages that appear or claim to be from government agencies (e.g. the FBI or IRS), political figures, or even celebrities.
  • Inducing fear or a sense of urgency: People tend to act rashly when scared or hurried. Social engineering scams can use any number of techniques to induce fear or urgency in victims—telling the victim that a recent credit transaction was not approved, that a virus has infected their computer, that an image used on their web site violates a copyright, etc. Social engineering can also appeal to victims’ fear of missing out (FOMO), which creates a different kind of urgency.
  • Appealing to greed: The Nigerian Prince scam—an email in which someone claiming to be a Nigerian royal trying to flee his country offers a giant financial reward in exchange for the recipient’s bank account information or a small advance fee—is one of the best-known examples of social engineering that appeals to greed. (It also comes from an alleged authority figure, and creates a sense of urgency—a powerful combination.) This scam is as old as email itself, yet as of 2018 was still raking in USD 700,000 per year.
  • Appealing to helpfulness or curiosity: Social engineering ploys can also appeal to victims’ better nature. For instance, a message that appears to be from a friend or a social networking site can offer technical help, ask for participation in a survey, claim the recipient’s post has gone viral—and provide a spoofed link to a fake website or malware download.

Types of social engineering attacks

Phishing

Phishing attacks are digital or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people, or taking some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—sometimes even an individual the recipient knows personally.

There are many types of phishing scams:

  • Bulk phishing emails are sent to millions of recipients at a time. They appear to be sent by a large, well-known business or organization—a national or global bank, a large online retailer, etc.—and make a generic request such as ‘we’re having trouble processing your purchase, please update your credit information.’
  • Spear phishing targets a specific individual, typically one with privileged access to user information, the computer network, or corporate funds. A scammer will research the target—often using social media—to create a message that appears to come from someone the target knows and trusts, or that refers to situations with which the target is familiar. Whaling is spear phishing that targets a high-profile individual, such as a CEO or political figure. In business email compromise (BEC), the hacker uses compromised credentials to send email messages from an authority figure’s actual email account, making the scam that much more difficult to detect.
  • Voice phishing, or vishing, is phishing conducted via phone calls. Individuals typically experience vishing in the form of threatening recorded calls claiming to be from the FBI. But IBM’s X-Force recently determined that adding vishing to a targeted phishing campaign can increase the campaign’s success up to 3x.
  • SMS phishing, or smishing, is phishing via text message.
  • Search engine phishing involves hackers creating malicious websites that rank high in Google search results for popular search terms.
  • Angler phishing is phishing via fake social media accounts that masquerade as the official account of trusted companies’ customer service or customer support teams.

According to IBM’s Cost of a Data Breach 2021 report, phishing is the most common malware delivery method and the second most common cause of data breaches.

Baiting

Baiting lures (no pun intended) victims into knowingly or unwittingly giving up sensitive information, or downloading malicious code, by tempting them with a valuable offer, or even a valuable object.

The Nigerian Prince scam is probably the best-known example of this social engineering technique. More current examples include free but malware-infected game, music or software downloads. But some forms of baiting are barely artful. For example, some scammers simply leave malware-infected USB drives where people will find them—and grab them and use them because ‘hey, free USB drive.’

Tailgating

In tailgating—also called ‘piggybacking’—an unauthorized person closely follows an authorized person into an area containing sensitive information or valuable assets. Tailgating can be physical—e.g., following an employee through an unlocked door. But tailgating can also be digital, such as when a person leaves a computer unattended while still logged in to a private account or network.

Pretexting

In pretexting the scammer creates a fake situation for the victim, and poses as the right person to resolve it. Very often (and most ironically) the scammer claims that the victim has been impacted by a security breach, and then offers to fix things if the victim will provide important account information, or control over the victim’s computer or device. (Technically speaking, almost every social engineering attack involves some degree of pretexting.)

Quid pro quo

In a quid pro quo scam, hackers dangle a desirable good or service in exchange for the victim’s sensitive information. Fake contest winnings or seemingly innocent loyalty rewards (‘thank you for your payment—we have a gift for you’) are examples of quid pro quo ploys.

Scareware

Also considered a form of malware, scareware is software that uses fear to manipulate people into sharing confidential information or downloading malware. Scareware often takes the form of a fake law enforcement notice accusing the user of a crime, or a fake tech support message warning the user of malware on their device.

Watering hole attack

From the phrase ‘somebody poisoned the watering hole’—hackers inject malicious code into a legitimate web page frequented by their targets. Watering hole attacks are responsible for everything from stolen credentials to unwitting drive-by ransomware downloads.


Social engineering defenses

Social engineering attacks are notoriously difficult to prevent because they rely on human psychology rather than technological pathways. The attack surface is also significant: In a larger organization, it takes just one employee's mistake to compromise the integrity of the entire enterprise network. Some of the steps experts recommend to mitigate the risk and success of social engineering scams include:

  • Security awareness training: Many users don't know how to identify social engineering attacks. And in a time when users frequently trade personal information for goods and services, they don’t realize that surrendering seemingly mundane information, such as a phone number or date of birth, can allow hackers to breach an account. Security awareness training, combined with data security policies, can help employees understand how to protect their sensitive data, and how to detect and respond to social engineering attacks in progress.
  • Access control policies: Secure access control policies and technologies, including multi-factor authentication, adaptive authentication and a zero trust security approach, can limit cybercriminals' access to sensitive information and assets on the corporate network even if they obtain users' login credentials.
  • Cybersecurity technologies: Spam filters and secure email gateways can prevent some phishing attacks from reaching employees in the first place. Firewalls and antivirus software can mitigate the extent of any damage done by attackers who gain access to the network. Keeping operating systems updated with the latest patches can also close some vulnerabilities attackers exploit through social engineering. And advanced detection and response solutions, including endpoint detection and response (EDR) and extended detection and response (XDR), can help security teams quickly detect and neutralize security threats that infect the network via social engineering tactics.
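To show what a spam filter or secure email gateway can check for from the defender's side, here is an added example (not IBM's code and not taken from the reports cited above) that scores a raw email for several of the cues described in the tactics list: a display name that invokes a brand the message was not sent by, a Reply-To routed elsewhere, fear or urgency phrases, and links pointing outside the sender's domain. The brand-to-domain map, phrase list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed brand-to-domain map (constructed example values, not a real feed).
TRUSTED_BRANDS = {"paypal": {"paypal.com"}, "microsoft": {"microsoft.com"}, "irs": {"irs.gov"}}
# Phrases that induce fear or urgency, the lever described in the tactics list above.
URGENCY_PHRASES = ("within 24 hours", "account suspended", "unauthorized", "verify now")
URL_RE = re.compile(r"https?://([^/\s>\"']+)", re.IGNORECASE)

def analyze_message(raw: str) -> dict:
    """Score a raw RFC 822 message for social engineering cues and explain each hit."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rsplit("@", 1)[-1].lower()
    body = "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')} {body}".lower()
    reasons = []
    # 1. Brand impersonation: the name invokes a brand, but the sending domain is not the brand's.
    tokens = set(re.findall(r"[a-z0-9]+", f"{display} {from_domain}".lower()))
    for brand, good_domains in TRUSTED_BRANDS.items():
        if brand in tokens and from_domain not in good_domains:
            reasons.append(f"claims to be {brand} but sent from {from_domain}")
    # 2. Replies are routed to a domain other than the apparent sender's.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain")
    # 3. Fear or urgency language in the subject or body.
    if hits := [p for p in URGENCY_PHRASES if p in text]:
        reasons.append("urgency language: " + ", ".join(hits))
    # 4. Links whose host lies outside the sender's domain (the spoofed-link pattern).
    for host in URL_RE.findall(body):
        host = host.lower().split(":")[0]
        if host != from_domain and not host.endswith("." + from_domain):
            reasons.append(f"link host {host} is outside sender domain")
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 2}

# Constructed sample messages; the IP address is from a documentation range (RFC 5737).
SAMPLE_PHISH = """From: PayPal Security <alerts@paypa1-secure.com>
Reply-To: recover@mail-help.net
Subject: Account suspended - verify now

Unauthorized login detected. Verify your details within 24 hours: http://198.51.100.7/verify
"""
SAMPLE_LEGIT = """From: Payroll Team <payroll@example.com>
Subject: March payslips available

Your March payslip is available at https://hr.example.com/payslips
"""
```

Each reason string is kept so an analyst can see which cue fired rather than only a score; a real gateway would add sender authentication results (SPF, DKIM, DMARC) and reputation data on top of these content heuristics.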