Social engineering manipulates people into sharing information they shouldn’t share, downloading software they shouldn’t download, visiting websites they shouldn’t visit, sending money to criminals, or making other mistakes that compromise their personal or organizational assets or security.
An email that seems to be from a trusted vendor requesting updated credit card information, a threatening voicemail claiming to be from the IRS, an offer of riches from a foreign potentate—these are just a few examples of social engineering.
Because social engineering exploits human weaknesses rather than technical or digital system vulnerabilities, it is sometimes called ‘human hacking.’
In many instances, cybercriminals use social engineering tactics to obtain the kind of personal data—login credentials, credit card numbers, bank account numbers, Social Security numbers—they can use for identity theft, enabling them to make purchases using other people’s money or credit, apply for loans in someone else’s name, claim other people’s unemployment benefits, and more. But a social engineering attack can also be the first stage of a larger-scale cyberattack. For example, a cybercriminal might trick a victim into sharing a username and password—and then use those credentials to plant ransomware on the victim’s employer’s network.
Social engineering is attractive to cybercriminals because it enables them to access digital networks, devices and accounts without having to do the difficult technical work of hacking firewalls, antivirus software and other cybersecurity controls. This is one reason social engineering is the leading cause of network compromise today, according to ISACA's State of Security 2021 report. It’s also one of the most costly: according to IBM’s Cost of a Data Breach report, data breaches caused by social engineering attacks cost companies USD 4.10 million on average.
Social engineering tactics and techniques are grounded in the science of human motivation. They manipulate victims’ emotions and instincts in ways proven to drive people to take actions that are not in their best interests.
Most social engineering attacks employ one or more of the following tactics:
Phishing attacks are digital or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people, or taking some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—sometimes even an individual the recipient knows personally.
There are many types of phishing scams:
According to IBM’s Cost of a Data Breach report, phishing is the most common malware delivery method and the second most common cause of data breaches.
Baiting lures (no pun intended) victims into knowingly or unwittingly giving up sensitive information, or downloading malicious code, by tempting them with a valuable offer, or even a valuable object.
The Nigerian Prince scam is probably the best-known example of this social engineering technique. More current examples include free but malware-infected game, music or software downloads. But some forms of baiting are barely artful. For example, some scammers simply leave malware-infected USB drives where people will find them—and grab them and use them because ‘hey, free USB drive.’
In tailgating—also called ‘piggybacking’—an unauthorized person closely follows an authorized person into an area containing sensitive information or valuable assets. Tailgating can be physical—e.g., following an employee through an unlocked door. But tailgating can also be digital, such as when a person leaves a computer unattended while still logged in to a private account or network.
In pretexting the scammer creates a fake situation for the victim, and poses as the right person to resolve it. Very often (and most ironically) the scammer claims that the victim has been impacted by a security breach, and then offers to fix things if the victim will provide important account information, or control over the victim’s computer or device. (Technically speaking, almost every social engineering attack involves some degree of pretexting.)
In a quid pro quo scam, hackers dangle a desirable good or service in exchange for the victim’s sensitive information. Fake contest winnings or seemingly innocent loyalty rewards (‘thank you for your payment—we have a gift for you’) are examples of quid pro quo ploys.
Also considered a form of malware, scareware is software that uses fear to manipulate people into sharing confidential information or downloading malware. Scareware often takes the form of a fake law enforcement notice accusing the user of a crime, or a fake tech support message warning the user of malware on their device.
Named after the phrase ‘somebody poisoned the watering hole’, a watering hole attack is one in which hackers inject malicious code into a legitimate web page frequented by their targets. Watering hole attacks are responsible for everything from stolen credentials to unwitting drive-by ransomware downloads.
Social engineering attacks are notoriously difficult to prevent because they rely on human psychology rather than technological pathways. The attack surface is also significant: in a larger organization, it takes just one employee's mistake to compromise the integrity of the entire enterprise network. Some of the steps experts recommend to mitigate the risk and success of social engineering scams include: