What is social engineering?

An email that seems to be from a trusted coworker requesting sensitive information, a threatening voicemail claiming to be from the IRS and an offer of riches from a foreign potentate are just a few examples of social engineering. Because social engineering uses psychological manipulation and exploits human error or weakness rather than technical or digital system vulnerabilities, it is sometimes called "human hacking."

Cybercriminals frequently use social engineering tactics to obtain personal data or financial information, including login credentials, credit card numbers, bank account numbers and Social Security numbers. They use the information that they have stolen for identity theft, enabling them to make purchases using other peoples’ money or credit, apply for loans in someone else’s name, apply for other peoples’ unemployment benefits and more. But a social engineering attack can also be the first stage of a larger-scale cyberattack. For example, a cybercriminal might trick a victim into sharing a username and password and then use those credentials to plant ransomware on the victim’s employer’s network.

Social engineering is attractive to cybercriminals because it enables them to access digital networks, devices and accounts without having to do the difficult technical work of getting around firewalls, antivirus software and other cybersecurity controls. This is one reason why social engineering is the leading cause of network compromise today according to ISACA's State of Cybersecurity 2022 report. According to IBM's Cost of a Data Breach report, breaches caused by social engineering tactics (such as phishing and business email compromise) were among the most costly.

Social engineering tactics and techniques are grounded in the science of human motivation. They manipulate victims’ emotions and instincts in ways proven to drive people to take actions that are not in their best interests.

Most social engineering attacks employ one or more of the following tactics:

• Posing as a trusted brand: Scammers often impersonate or "spoof" companies that victims know, trust and perhaps do business with often or regularly—so regularly that they follow instructions from these brands reflexively, without taking the proper precautions. Some social engineering scammers use widely available kits for staging fake websites that resemble those of major brands or companies.

• Posing as a government agency or authority figure: People trust, respect or fear authority (in varying degrees). Social engineering attacks play on these instincts with messages that appear or claim to be from government agencies (example: the FBI or IRS), political figures or even celebrities.

• Inducing fear or a sense of urgency: People tend to act rashly when scared or hurried. Social engineering scams can use any number of techniques to induce fear or urgency in victims. For instance, telling the victim that a recent credit transaction was not approved, that a virus has infected their computer, that an image used on their website violates a copyright and so on. Social engineering can also appeal to victims’ fear of missing out (FOMO), which creates a different kind of urgency.

• Appealing to greed: The Nigerian Prince scam, an email wherein someone claiming to be a Nigerian royal trying to flee his country offers a giant financial reward in exchange for the recipient’s bank account information or a small advance fee, is one of the best-known examples of social engineering that appeals to greed. This type of social engineering attack can also come from an alleged authority figure and creates a sense of urgency, which is a powerful combination. This scam is as old as email itself, but was still raking in USD 700,000 per year as of 2018.

• Appealing to helpfulness or curiosity: Social engineering ploys can also appeal to victims’ better nature. For instance, a message that appears to be from a friend or a social networking site can offer technical help, ask for participation in a survey, claim that the recipients’ post has gone viral and provide a spoofed link to a fake website or malware download.

Phishing attacks are digital or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people or taking some other damaging actions. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—sometimes, even an individual the recipient knows personally.

There are many types of phishing scams:

• Bulk phishing emails are sent to millions of recipients at a time. They appear to be sent by a large, well-known business or organization, such as a national or global bank, a large online retailer, a popular online payments provider and so on, and make a generic request such as "we’re having trouble processing your purchase, please update your credit information." Frequently, these messages include a malicious link that takes the recipient to a fake website that captures the recipient’s username, password, credit card data and more.

• Spear phishing targets a specific individual, typically one with privileged access to user information, the computer network or corporate funds. A scammer will research the target, often using information that is found on LinkedIn, Facebook or other social media to create a message that appears to come from someone the target knows and trusts or that refers to situations with which the target is familiar. Whale phishing is a spear phishing attack that targets a high-profile individual, such as a CEO or political figure. In business email compromise (BEC), the hacker uses compromised credentials to send email messages from an authority figure’s actual email account, making the scam that much more difficult to detect.

• Voice phishing or vishing, is phishing that is conducted through phone calls. Individuals typically experience vishing in the form of threatening recorded calls claiming to be from the FBI.

• SMS phishing, or smishing, is phishing through a text message.

• Search engine phishing involves hackers creating malicious websites that rank high in search results for popular search terms.

• Angler phishing is phishing using fake social media accounts that masquerade as the official accounts of trusted companies’ customer service or customer support teams.

According to the IBM X-Force® Threat Intelligence Index, phishing is the leading malware infection vector, identified in 41% of all incidents. According to the Cost of a Data Breach report, phishing is the initial attack vector leading to the most costly data breaches.

Baiting lures (no pun intended) victims into knowingly or unwittingly giving up sensitive information or downloading malicious code by tempting them with a valuable offer or even a valuable object.

The Nigerian Prince scam is probably the best-known example of this social engineering technique. More current examples include free but malware-infected games, music or software downloads. But some forms of baiting are barely artful. For example, some threat actors leave malware-infected USB drives where people will find them, grab them and use them because "hey, free USB drive."

In tailgating, also called "piggybacking", an unauthorized person closely follows an authorized person into an area containing sensitive information or valuable assets. Tailgating can be conducted in person, for example, a threat actor can follow an employee through an unlocked door. But tailgating can also be a digital tactic, such as when a person leaves a computer unattended while still logged in to a private account or network.

In pretexting, the threat actor creates a fake situation for the victim, and poses as the right person to resolve it. Very often (and most ironically) the scammer claims that the victim has been impacted by a security breach, and then offers to fix things if the victim will provide important account information or control over the victim’s computer or device. Technically speaking, almost every social engineering attack involves some degree of pretexting.

In a quid pro quo scam, hackers dangle a desirable good or service in exchange for the victim’s sensitive information. Fake contest winnings or seemingly innocent loyalty rewards ("thank your for your payment, we have a gift for you") are examples of quid pro quo ploys.

Also considered a form of malware, scareware is software that uses fear to manipulate people into sharing confidential information or downloading malware. Scareware often takes the form of a fake law enforcement notice accusing the user of a crime, or a fake tech support message warning the user of malware on their device.

From the phrase "somebody poisoned the watering hole", hackers inject malicious code into a legitimate web page that is frequented by their targets. Watering hole attacks are responsible for everything, from stolen credentials to unwitting drive-by ransomware downloads.

Social engineering attacks are notoriously difficult to prevent because they rely on human psychology rather than technological pathways. The attack surface is also significant: In a larger organization, it takes just one employee's mistake to compromise the integrity of the entire enterprise network. Some of the steps that experts recommend to mitigate the risk and success of social engineering scams include:

• Security awareness training: Many users don't know how to identify social engineering attacks. In a time when users frequently trade personal information for goods and services, they don’t realize that surrendering seemingly mundane information, such as a phone number or date of birth, can allow hackers to breach an account. Security awareness training, combined with data security policies, can help employees understand how to protect their sensitive data and how to detect and respond to social engineering attacks in progress.

• Access control policies: Secure access control policies and technologies, including multi-factor authentication, adaptive authentication and a zero trust security approach can limit cybercriminals' access to sensitive information and assets on the corporate network even if they obtain users' login credentials.

• Cybersecurity technologies: Spam filters and secure email gateways can prevent some phishing attacks from reaching employees in the first place. Firewalls and antivirus software can mitigate the extent of any damage done by attackers who gain access to the network. Keeping operating systems updated with the latest patches can also close some vulnerabilities that attackers exploit through social engineering. Additionally, advanced detection and response solutions, including endpoint detection and response (EDR) and extended detection and response (XDR), can help security teams quickly detect and neutralize security threats that infect the network through social engineering tactics.