Social engineering attacks manipulate people into sharing information they shouldn’t share, downloading software they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals, or making other mistakes that compromise their personal or organizational security. Because social engineering uses psychological manipulation and exploits human error or weakness rather than technical or digital system vulnerabilities, it is sometimes called ‘human hacking.’
An email that seems to be from a trusted coworker requesting sensitive information, a threatening voicemail claiming to be from the IRS, an offer of riches from a foreign potentate—these are just a few examples of social engineering.
Cybercriminals frequently use social engineering tactics to obtain personal data or financial information—login credentials, credit card numbers, bank account numbers, Social Security numbers—they can use for identity theft, enabling them to make purchases with using peoples’ money or credit, apply for loans in other someone else’s name, apply for other peoples’ unemployment benefits, and more. But a social engineering attack can also be the first stage of a larger-scale cyberattack. For example, a cybercriminal might trick a victim into sharing a username and password—and then use those credentials to plant ransomware on the victim’s employer’s network.
Social engineering is attractive to cybercriminals because it enables them to access digital networks, devices and accounts without having to do the difficult technical work of getting around firewalls, antivirus software and other cybersecurity controls. This is one reason social engineering is the leading cause of network compromise today, according to ISACA's State of Cybersecurity 2022 report (link resides outside ibm.com). And according to IBM's Cost of a Data Breach 2022 report, breaches caused by social engineering tactics (such as phishing and business email compromise) were among the most costly.
See how IBM Security® QRadar® SIEM identifies and investigates anomalous behavior.
Social engineering tactics and techniques are grounded in the science of human motivation. They manipulate victims’ emotions and instincts in ways proven to drive people to take actions that are not in their best interests.
Most social engineering attacks employ one or more of the following tactics:
Posing as a trusted brand: Scammers often impersonate, or ‘spoof,’ companies that victims know, trust and perhaps do business with often or regularly—so regularly that they follow instructions from these brands reflexively, without taking the proper precautions. Some social engineering scammers use widely-available kits for staging fake web sites that resemble those of major brands or companies.
Posing as a government agency or authority figure: People trust, respect or fear authority (in varying degrees). Social engineering attacks play on these instincts with messages that appear or claim to be from government agencies (e.g. the FBI or IRS), political figures, or even celebrities.
Inducing fear or a sense of urgency: People tend to act rashly when scared or hurried. Social engineering scams can use any number of techniques to induce fear or urgency in victims—telling the victim that a recent credit transaction was not approved, that a virus has infected their computer, that an image used on their web site violates a copyright, etc. Social engineering can also appeal to victims’ fear of missing out (FOMO), which creates a different kind of urgency.
Appealing to greed: The Nigerian Prince scam—an email in which someone claiming to be a Nigerian royal trying to flee his country offers a giant financial reward in exchange for the recipient’s bank account information or a small advance fee—is one of the best-known examples of social engineering that appeals to greed. (It also comes from an alleged authority figure, and creates a sense of urgency—a powerful combination.) This scam is as old as email itself, yet as of 2018 was still raking in USD 700,000 per year.
Appealing to helpfulness or curiosity: Social engineering ploys can also appeal to victims’ better nature. For instance, a message that appears to be from a friend or a social networking site can offer technical help, ask for participation in a survey, claim the recipients’ post has gone viral—and provide a spoofed link to a fake website or malware download.
Phishing
Phishing attacks are digital or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people, or taking some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—sometimes even an individual the recipient knows personally.
There are many types of phishing scams:
Bulk phishing emails are sent to millions of recipients at a time. They appear to be sent by a large, well-known business or organization—a national or global bank, a large online retailer, a popular online payments provider, etc.—and make a generic request such as ‘we’re having trouble processing your purchase, please update your credit information.’ Frequently, these messages include a malicious link that takes the recipient to a fake web site that captures the recipient’s username, password, credit card data and more.
Spear phishing targets a specific individual, typically one with privileged access to user information, the computer network, or corporate funds. A scammer will research the target—often using information found on LinkedIn, Facebook or other social media—to create a message that appears to come from someone the target knows and trusts, or that refers to situations with which the target is familiar. Whale phishing is a spear phishing attack that targets a high-profile individual, such as a CEO or political figure. In business email compromise (BEC), the hacker uses compromised credentials to send email messages from an authority figure’s actual email account, making the scam that much more difficult to detect.
Voice phishing, or vishing, is phishing conducted via phone calls. Individuals typically experience vishing in the form of threatening recorded calls claiming to be from the FBI. But IBM’s X-Force recently determined that adding vishing to a targeted phishing campaign can increase the campaign’s success up to 3x.
SMS phishing, or smishing, is phishing via text message.
Search engine phishing involves hackers creating malicious websites that rank high in search results for popular search terms.
Angler phishing is phishing via fake social media accounts that masquerade as the official account of trusted companies’ customer service or customer support teams.
According to the IBM Security X-Force Threat Intelligence Index 2023, phishing is the leading malware infection vector, identified in 41% of all incidents. And according to the Cost of a Data Breach 2022 report, phishing is the initial attack vector leading to the most costly data breaches.
Baiting
Baiting lures (no pun intended) victims into knowingly or unwittingly giving up sensitive information, or downloading malicious code, by tempting them with a valuable offer, or even a valuable object.
The Nigerian Prince scam is probably the best-known example of this social engineering technique. More current examples include free but malware-infected game, music or software downloads. But some forms of baiting are barely artful. For example, some threat actors simply leave malware-infected USB drives where people will find them—and grab them and use them because ‘hey, free USB drive.’
Tailgating
In tailgating—also called ‘piggybacking’—an unauthorized person closely follows an authorized person into and area containing sensitive information or valuable assets. Tailgating can be conducted in person—e.g, a threat actor can follow an employee through an unlocked door. But tailgating can also be a digital tactic, such as when a person leaves a computer unattended while still logged in to a private account or network.
Pretexting
In pretexting the threat actor creates a fake situation for the victim, and poses as the right person to resolve it. Very often (and most ironically) the scammer claims that the victim has been impacted by a security breach, and then offers to fix things if the victim will provide important account information, or control over the victim’s computer or device. (Technically speaking, almost every social engineering attack involves some degree of pretexting.)
Quid pro quo
In a quid pro quo scam, hackers dangle a desirable good or service in exchange for the victim’s sensitive information. Fake contest winnings or seemingly innocent loyalty rewards (‘thank your for your payment—we have a gift for you’) are examples of qui pro quo ploys.
Scareware
Also considered a form of malware, scareware is software that uses fear to manipulate people into sharing confidential information or downloading malware. Scareware often takes the form of a fake law enforcement notice accusing the user of a crime, or a fake tech support message warning the user of malware on their device.
Watering hole attack
From the phrase ‘somebody poisoned the watering hole’—hackers inject malicious code into a legitimate web page frequented by their targets. Watering hole attacks are responsible for everything from stolen credentials to unwitting drive-by ransomware downloads.
Social engineering attacks are notoriously difficult to prevent because they rely on human psychology rather than technological pathways. The attack surface is also significant: In a larger organization, it takes just one employee's mistake to compromise the integrity of the entire enterprise network. Some of the steps experts recommend to mitigate the risk and success of social engineering scams include:
Security awareness training: Many users don't know how to identify social engineering attacks. And in a time when users frequently trade personal information for goods and services, they don’t realize that surrendering seemingly mundane information, such as a phone number or date of birth, can allow hackers to breach an accounts. Security awareness training, combined with data security policies, can help employees understand how to protect their sensitive data, and how to detect and respond to social engineering attacks in progress.
Access control policies: Secure access control policies and technologies, including multi-factor authentication, adaptive authentication and a zero trust security approach can limit cybercriminals' access to sensitive information and assets on the corporate network even, if they obtain users' login credentials.
Cybersecurity technologies: Spam filters and secure email gateways can prevent some phishing attacks from reaching employees in the first place. Firewalls and antivirus software can mitigate the extent of any damage done by attackers who gain access to the network. Keeping operating systems updated with the latest patches can also close some vulnerabilities attackers exploit through social engineering. And advanced detection and response solutions, including endpoint detection and response (EDR) and extended detection and response (XDR), can help security teams quickly detect and neutralize security threats that infect the network via social engineering tactics.
Put your people to the test through phishing, vishing and physical social engineering exercises. Uncover employee, process and policy vulnerabilities to reduce the risk that real social engineering attacks will succeed.
Text applications, networks, hardware and personnel to uncover and fix vulnerabilities that expose your most important assets to attacks. The X-Force® Red Portal enables everyone involved in remediation to view test findings immediately and schedule security tests at their convenience.
81% of SOC professionals say they are slowed down by manual investigations.1 Speed alert investigations with IBM Security QRadar® Suite, a modernized selection of security technologies featuring a unified analyst experience built with AI and automations.