Social engineering attacks have become increasingly prevalent in the digital age as cybercriminals have found new ways to exploit human nature for their own gain.
Simply put, social engineering attacks use deceptive messages designed to get someone to do something they would not otherwise do.
These attacks often involve psychological tactics such as a sense of urgency or authority. Attackers combine social engineering with freely available personally identifiable information (PII) to craft a highly personalized and seemingly legitimate message.
In this article, we will explore what social engineering attacks are, how they work, and the different types. We will also provide examples of each attack type and tips on how to identify and prevent social engineering attacks.
What is a social engineering attack?
As the name implies, social engineering attacks use deceptive tactics to get someone to do something they’d otherwise not do. Threat actors leverage psychological manipulation to accomplish this. In other words, they play on human emotions.
For example, an attacker may use psychological tactics such as a sense of urgency or authority combined with PII found on the open web to craft a highly personalized message that looks real.
Social engineering attacks often require little or no technical exploitation. Instead, the social engineer relies on knowledge of human psychology (see “Psychological Tactics” below) to pull off the attack; any malware or credential-harvesting page involved is simply the payload the victim is talked into using.
How do social engineering attacks work?
There are several types of social engineering attacks. However, most if not all share a common set of steps. These include:
- Research: The attacker acquires PII about their target(s) using the open internet. A wide range of PII can be gathered this way, including a person’s name, contact info, employer, job title, and interests. This data is gathered for two main reasons: (1) to locate and/or communicate with the target and (2) to craft a highly personalized message.
- Crafting: Using the data gathered in the research phase, the attacker crafts the message. The social engineer uses techniques such as false authority (i.e., pretending to be someone important) to establish trust and legitimacy. Messages may be sent by email (phishing), text message (smishing), or voice (vishing), with email being the most common.
- Deployment: The attacker sends the message and waits for the target’s response.
- Deception: If the message lands, the target is deceived into performing a compromising action such as clicking on a malicious link, downloading malware, or entering login credentials. A successful attack gives the attacker access to sensitive data (e.g., login info, financial data, etc.) or talks the victim into transferring or wiring money.
Many types of psychological tactics may be used in a social engineering attack. Among the most used are:
- Authority: The attacker pretends to be an authority figure to gain the victim’s trust and persuade them to share sensitive data, share login credentials, or send money. For example, a threat actor impersonates a government official or bank manager to trick the person into sending a payment for some “debt.”
- Urgency: The attacker creates a sense of urgency to get the victim to act without thinking. For example, the threat actor claims that the victim’s account has been hacked and that immediate action is needed to avoid deletion.
- Social proof: The attacker creates a false impression of consensus or popularity (“other people are doing it”) to get the victim to act. For example, the threat actor reaches out for donations with a list of fake testimonials.
- Reciprocity: The attacker creates a sense of obligation before requesting something. For example, the threat actor offers an “exclusive” or “free” gift, requiring the victim to share personal info to claim the offer.
- Scarcity: The attacker creates a fear of missing out (FOMO) by claiming that a high-quality product or service is heavily discounted or free. Of course, this is only for a limited time or a small number of people.
Types of social engineering attacks (with examples)
Perhaps the most common social engineering attacks against individuals are phishing, spear phishing, pretexting, and baiting. Below is a brief description of each attack and the tactics used. An example image of each attack type is also included.
Phishing scams aim to obtain sensitive info like credit card numbers or passwords through scam emails or messages. Attackers often use urgency and scarcity to pressure recipients to act quickly, like clicking on a malicious link or sharing personal information. Vishing, smishing, and malicious attachments (such as a PDF) are also used.
You may be able to identify a phishing attack by errors in formatting or poor grammar. A strange sender address, subject line, or request may also indicate phishing. Check the actual address behind the display name, and hover over links to see where they really point before clicking.
Spear phishing is a more targeted type of phishing. In spear phishing attacks, the threat actor goes after a specific individual or group, such as an employee of a company.
A common purpose of spear phishing attacks is to steal credentials from an unsuspecting user to gain unauthorized access. Spear phishing involves a high level of sophistication and research (see example email).
In the example below, it is evident that the attacker acquired detailed public PII such as the victim’s name, employer, job title and role, and email address. The message is meticulously crafted, with the attacker even replicating the sender’s email address (likely by spoofing the From header or display name of a real colleague).
In such a case, the recipient is best off confirming the request with the sender through a channel they already trust, such as a phone number on file, not a number or link taken from the message itself. Additionally, the person may notice that the message’s tone deviates from how the sender normally communicates.
For easy reference, the table below highlights some of the differences between phishing and spear phishing.
| | Phishing | Spear phishing |
|---|---|---|
| Target | Broad target, usually a large group of people | Specific individual |
| Approach | Mass emails or messages, typically not personalized | Personalized messages with specific details |
| Purpose | Obtaining sensitive info such as passwords, stealing money | Obtaining sensitive info for gaining access to a specific system or account, stealing money |
| Tactics | Uses generic, non-personalized language and design | Uses specific and personalized language, likely to come from a known source or authority figure |
| Level of sophistication | Typically low, relies on the volume of emails or messages | A higher level of sophistication and research; requires more effort to execute |
| Example | A fraudulent email that appears to come from a bank requesting login info | An email that appears to come from a supervisor requesting sensitive information or a wire transfer |
Pretexting is a social engineering scam that uses a false scenario to gain sensitive financial info (e.g., credit card numbers, bank account numbers) or credentials to access a system (e.g., username and password). The threat actor often uses impersonation, urgency, and authority to trick the victim into providing this info.
In the example below, the email is poorly formatted with several grammatical and punctuation mistakes. Additionally, notice the “Caution” message under the subject line warning the user that the email came from outside the organization. Not every email security setup adds such an external-sender banner, but if yours does and the message claims to be internal, it’s best to report the incident and then trash the email.
Baiting is a physical or virtual attack. A physical baiting attack might involve a malware-laden USB drive left where an employee will find and plug it in. In a virtual baiting attack, the attacker sends an email promising a reward upon completing some easy task. For example, a relatively common baiting scam is promising a coveted gadget upon the completion of a survey. Attackers often use scarcity and urgency as psychological tactics in baiting attacks.
In the example below, there are some evident mistakes and errors. The most obvious is the lack of Google branding and poor formatting. It is generally uncommon for reputable companies to reach out to individuals via email offering gifts or rewards for using their services.
How to Prevent Social Engineering Attacks
There are several best practices people can follow to prevent social engineering attacks. Notice that most of these practices do not involve technical solutions, but rather common sense and a keen eye.
- Verify the source: Check the actual sender address in the email, not just the display name, and treat any mismatch or unfamiliar address as a prompt to confirm the sender’s identity before responding. If you are unsure about the authenticity of the sender, contact the organization directly through a channel you already trust (a phone number or website you looked up yourself, not one taken from the message), or do some more research if this is not possible.
- Use strong passwords: Strong, unique passwords are more difficult for attackers to guess, adding a layer of protection for user credentials and other sensitive info. Use a different password for each account, ideally generated and stored by a password manager, so that one phished password cannot be reused elsewhere.
- Use two-factor authentication (2FA)/multi-factor authentication (MFA): 2FA and MFA require something beyond the password (an authenticator-app code, a hardware security key, a fingerprint, etc.) before an account can be accessed, so a phished password alone is not enough. 2FA is simply MFA with exactly two factors. Keep in mind that one-time codes can themselves be phished or requested by a convincing caller; phishing-resistant methods such as FIDO2 security keys or passkeys, which only work on the genuine site, close that gap.
- Consider an External Data Privacy (EDP) solution: EDP tackles the problem of social engineering by going after its primary resource: exposed PII. Attackers rely heavily on free, publicly available PII to research and personalize their messages. EDP scans for, removes, and monitors your PII from across the internet and Dark Web. This includes the worst offenders: Data Brokers and People Search Sites.
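The spoofed-sender spear phishing example above and the “Verify the source” tip both come down to reading the parts of an email that a display name hides. The script below is an added example, not code from the original article or from Privacy Bee: it parses a raw email with Python’s standard `email` module and reports the indicators a practitioner checks first. The two messages, the domain names, the people, and the keyword list are all constructed for illustration.

```python
"""Triage a raw email for common spoofing and spear-phishing indicators.

Added example (not from the original article). Both sample messages below are
constructed; example.com / example.net and the people named are made up.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: display name mimics the CEO, but the envelope sender and
# Reply-To live on another domain and the receiving MX failed SPF/DMARC.
SPOOFED = """\
Return-Path: <bounce@mail-relay-7.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay-7.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Dana Reyes (CEO)" <dana.reyes@example.com>
Reply-To: dana.reyes.ceo@gmail-secure.example.net
To: pat.lee@example.com
Subject: URGENT: wire transfer needed before 5pm today
Content-Type: text/plain

Pat, I'm in a meeting and can't talk. I need you to wire $48,200 to the vendor
below immediately. Keep this confidential until I'm out.
"""

# Constructed sample: an ordinary internal message that passes SPF/DKIM/DMARC.
LEGIT = """\
Return-Path: <dana.reyes@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Dana Reyes <dana.reyes@example.com>
To: pat.lee@example.com
Subject: Q3 planning notes
Content-Type: text/plain

Pat, notes from today's meeting are in the shared folder. No action needed.
"""

# Hypothetical watch-list of urgency / secrecy / payment phrases (assumption).
URGENCY_WORDS = ("urgent", "immediately", "right away", "before 5pm",
                 "confidential", "wire", "gift card")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _auth_results(header: str) -> dict:
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m: v.lower() for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "")}


def triage(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom, reply_dom, bounce_dom = map(_domain, (from_addr, reply_addr, return_path))

    # 1. A Reply-To on another domain is the classic way to capture the victim's reply.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # 2. Envelope sender (Return-Path) on a different domain than the visible From.
    if return_path and bounce_dom != from_dom:
        findings.append(f"Return-Path domain {bounce_dom!r} differs from From domain {from_dom!r}")

    # 3. Display name that asserts authority or embeds an address to mask the real one.
    if re.search(r"\b(ceo|cfo|director|manager|it support|helpdesk)\b", from_name, re.I) or "@" in from_name:
        findings.append(f"Display name {from_name!r} asserts authority or embeds an address")

    # 4. Authentication results stamped by the receiving MX: anything but pass is a flag.
    verdicts = _auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "missing") != "pass":
            findings.append(f"{mech} did not pass ({verdicts.get(mech, 'missing')})")

    # 5. Urgency, secrecy, or payment language in the subject or body.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, "->", triage(raw) or ["no findings"])
```

One caveat on check 4: an Authentication-Results header is only trustworthy when your own receiving mail server added it, since an attacker can put a fake “pass” line in the message they send; mail servers normally strip or rename such inbound headers for exactly that reason. The display-name and Reply-To checks need no such trust, which is why they are the ones to teach users first.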
How Privacy Bee Can Help
Besides mitigating social engineering attacks, Privacy Bee helps build a privacy shield that deflects fraud, scams, spam, identity theft, data breaches, telemarketers, and more.
We do this by proactively deleting your info from Data Brokers, People Search Sites and mass marketers.
Privacy Bee works in 3 simple steps:
- Make your privacy choices: Choose the companies you trust and which need to delete the info they have on you.
- Create a multi-layered defense: We use the choices you made in the previous step to build your privacy shield. We immediately start deleting your info from Data Brokers, opting you out of mass marketing lists, and forcing companies you don’t trust with your data to delete it.
- Maintain: We give you plenty of tools to live a private life. These include a zero-trust browser extension and a comprehensive email scan to set your privacy preferences.
What are you waiting for? Get your free privacy evaluation today!