Social engineering: Definition, examples, and techniques (2023)

Feature

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data. Train yourself to spot the signs.

By Josh Fruhlinger

Contributing writer, CSO

What is social engineering?

Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems, or data.

For example, instead of trying to find a software vulnerability, a social engineer might call an employee and pose as an IT support person, trying to trick the employee into divulging his password.

Famous hacker Kevin Mitnick helped popularize the term 'social engineering' in the '90s, although the idea and many of the techniques have been around as long as there have been scam artists.

Even if you have all the bells and whistles when it comes to securing your data center, your cloud deployments, and your building's physical security, and even if you've invested in defensive technologies, put the right security policies and processes in place, and measure and continuously improve their effectiveness, a crafty social engineer can still weasel his way right through (or around).

How does social engineering work?

The phrase "social engineering" encompasses a wide range of behaviors, and what they all have in common is that they exploit certain universal human qualities: greed, curiosity, politeness, deference to authority, and so on. While some classic examples of social engineering take place in the "real world"—a man in a FedEx uniform bluffing his way into an office building, for example—much of our daily social interaction takes place online, and that's where most social engineering attacks happen as well. For instance, you might not think of phishing or smishing as types of social engineering attacks, but both rely on tricking you—by pretending to be someone you trust or tempting you with something you want—into downloading malware onto your device.

This brings up another important point, which is that social engineering can represent a single step in a larger attack chain. A smishing text uses social dynamics to entice you with a free gift card, but once you tap the link and download malicious code, your attackers will be using their technical skills to gain control of your device and exploit it.

Social engineering examples

A good way to get a sense of what social engineering tactics you should look out for is to know about what's been used in the past. We've got all the details in an extensive article on the subject, but for the moment let's focus on three social engineering techniques — independent of technological platforms — that have been successful for scammers in a big way.

Offer something sweet. As any con artist will tell you, the easiest way to scam a mark is to exploit their own greed. This is the foundation of the classic Nigerian 419 scam, in which the scammer tries to convince the victim to help get supposedly ill-gotten cash out of their own country into a safe bank, offering a portion of the funds in exchange. These "Nigerian prince" emails have been a running joke for decades, but they're still an effective social engineering technique that people fall for: in 2007 the treasurer of a sparsely populated Michigan county gave $1.2 million in public funds to such a scammer in the hopes of personally cashing in. Another common lure is the prospect of a new, better job, which apparently is something far too many of us want: in a hugely embarrassing 2011 breach, the security company RSA was compromised when at least two low-level employees opened a malware file attached to a phishing email with the file name "2011 recruitment plan.xls."

Fake it till you make it. One of the simplest — and surprisingly most successful — social engineering techniques is to simply pretend to be your victim. In one of Kevin Mitnick's legendary early scams, he got access to Digital Equipment Corporation's OS development servers simply by calling the company, claiming to be one of their lead developers, and saying he was having trouble logging in; he was immediately rewarded with a new login and password. This all happened in 1979, and you'd think things would've improved since then, but you'd be wrong: in 2016, a hacker got control of a U.S. Department of Justice email address and used it to impersonate an employee, coaxing a help desk into handing over an access token for the DoJ intranet by saying it was his first week on the job and he didn't know how anything worked.

Many organizations do have barriers meant to prevent these kinds of brazen impersonations, but they can often be circumvented fairly easily. When Hewlett-Packard hired private investigators to find out which HP board members were leaking info to the press in 2005, it was able to supply the PIs with the last four digits of their targets' Social Security numbers — which AT&T's tech support accepted as proof of ID before handing over detailed call logs.

Act like you're in charge. Most of us are primed to respect authority — or, as it turns out, to respect people who act like they have the authority to do what they're doing. You can exploit varying degrees of knowledge of a company's internal processes to convince people that you have the right to be places or see things that you shouldn't, or that a communication coming from you is really coming from someone they respect. For instance, in 2015 finance employees at Ubiquiti Networks wired millions of dollars in company money to scam artists who were impersonating company executives, probably using a lookalike URL in their email address. On the lower tech side, investigators working for British tabloids in the late '00s and early '10s often found ways to get access to victims' voicemail accounts by pretending to be other employees of the phone company via sheer bluffing; for instance, one PI convinced Vodafone to reset actress Sienna Miller's voicemail PIN by calling and claiming to be "John from credit control."

Sometimes it's external authorities whose demands we comply with without giving it much thought. Hillary Clinton campaign honcho John Podesta had his email hacked by Russian spies in 2016 when they sent him a phishing email disguised as a note from Google asking him to reset his password. By taking action that he thought would secure his account, he actually gave his login credentials away.

5 types of social engineering

  1. Phishing, as we noted above, which also includes text-based smishing and voice-based vishing. These attacks are often low-effort but widely spread; for instance, a phisher might send out thousands of identical emails, hoping someone will be gullible enough to click on the attachment.
  2. Spear phishing, or whaling, is a "high-touch" variation of phishing for high-value targets. Attackers spend time researching their victim, who's usually a high-status person with a lot of money they can be separated from, in order to craft unique and personalized scam communications.
  3. Baiting is a key part of all forms of phishing and other scams as well—there's always something to tempt the victim, whether a text with a promise of a free gift card or something much more lucrative or salacious.
  4. Pretexting involves creating a story, or pretext, to convince someone to give up valuable information or access to some system or account. A pretexter might manage to find some of your personally identifying information and use it to trick you—for instance, if they know what bank you use, they might call you up and claim to be a customer service rep who needs to know your account number to help with a late payment. Or they could use the information to imitate you—this was the technique used by those HP PIs we discussed above.
  5. Business email fraud combines several of the above techniques. An attacker either gains control of a victim's email address or manages to send emails that look like they're from that address, then starts sending emails to subordinates at work requesting the transfer of funds to accounts the attacker controls.

How to spot social engineering attacks

The security company Norton has done a pretty good job of outlining some red flags that could be a sign of a social engineering attack. These apply across social and technological techniques, and are good to keep in the back of your mind as you try to stay on guard:

  • Someone you know sends an unusual message: Stealing or mimicking someone's online identity and then mining their social circles is relatively easy for a determined attacker, so if you get a message from a friend, relative, or coworker that seems off, be very sure you're really talking to them before you act on it. It's possible that your granddaughter really is on a vacation she didn't tell you about and needs money, or that your boss really does want you to wire a six-figure sum to a new supplier in Belarus, but that's something for you to triple-check before you hit send.
  • A stranger is making an offer that's too good to be true: Again, we all laugh at the Nigerian prince emails, but many of us still fall for scams that trick us by telling us we're about to get something we never expected and never asked for. Whether it's an email telling you you've won a lottery you didn't enter or a text from a weird number offering you a free gift card just for paying your phone bill on time, if it feels too good to be true, it probably is.
  • Your emotions are heightened and you have to act now: Social engineering scammers play on strong emotions—fear, greed, empathy—to inculcate a sense of urgency specifically so you don't stop to think twice about scenarios like the ones we just outlined. A particularly pernicious technique in this realm is a tech support scam, which preys on people who are already nervous about hacks but not very tech savvy: you hear from an aggressive person who claims to be from Google or Microsoft, tells you that your system has been compromised, and demands that you change your passwords right away—tricking you into revealing your credentials to them in the process.

How to avoid being a victim of social engineering

Fighting against all of these techniques requires vigilance and a zero-trust mindset. That can be difficult to inculcate in ordinary people; in the corporate world, security awareness training is the number one way to prevent employees from falling prey to high-stakes attacks. Employees should be aware that social engineering exists and be familiar with the most commonly used tactics.

Fortunately, social engineering awareness lends itself to storytelling. And stories are much easier to understand and much more interesting than explanations of technical flaws. Quizzes and attention-grabbing or humorous posters are also effective reminders about not assuming everyone is who they say they are.

But it isn't just the average employee who needs to be aware of social engineering. As we saw, social engineers focus on high-value targets like CEOs and CFOs. Senior leadership often resists going to the trainings mandated for their employees, but they need to be aware of these attacks more than anyone.

5 tips for defending against social engineering

CSO contributor Dan Lohrmann offers the following advice:

  1. Train and train again when it comes to security awareness.
    Ensure that you have a comprehensive security awareness training program in place that is regularly updated to address both the general phishing threats and the new targeted cyberthreats. Remember, this is not just about clicking on links.
  2. Provide a detailed briefing “roadshow” on the latest online fraud techniques to key staff.
    Yes, include senior executives, but don’t forget anyone who has authority to make wire transfers or other financial transactions. Remember that many of the true stories involving fraud occur with lower-level staff who get fooled into believing an executive is asking them to conduct an urgent action — usually bypassing normal procedures and/or controls.
  3. Review existing processes, procedures, and separation of duties for financial transfers and other important transactions.
    Add extra controls, if needed. Remember that separation of duties and other protections may be compromised at some point by insider threats, so risk reviews may need to be reanalyzed given the increased threats.
  4. Consider new policies related to “out of band” transactions or urgent executive requests.
    An email from the CEO’s Gmail account should automatically raise a red flag to staff, but they need to understand the latest techniques being deployed by the dark side. You need authorized emergency procedures that are well-understood by all.
  5. Review, refine and test your incident management and phishing reporting systems.
    Run a tabletop exercise with management and with key personnel on a regular basis. Test controls and reverse-engineer potential areas of vulnerability.
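As an added example (not code from the article or from Lohrmann), here is a small Python triage script that checks an inbound message for the business email fraud signals described in the types list above and in tip 4: an executive's display name on mail from a free webmail or other external domain, a lookalike of the corporate domain, a mismatched Reply-To, and urgency paired with a request to move money. The corporate domain, executive names and sample messages are assumptions constructed for the demo.

```python
"""Heuristic triage of inbound mail for business email compromise (BEC) red flags.
Added example for illustration; not code from the CSO article or any product."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation (assumption for this example): its real mail domain
# and the executives whose names are most worth impersonating.
CORP_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = ("urgent", "immediately", "right away", "asap", "before end of day")
PAYMENT = ("wire", "transfer", "bank details", "invoice", "gift card")
# Substitutions that let a registered lookalike domain pass a quick glance.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def _edit_distance(a, b):
    """Plain Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain, target=CORP_DOMAIN):
    """True if domain is not target but could be mistaken for it at a glance."""
    domain = domain.lower()
    if domain == target:
        return False
    folded = domain
    for glyph, real in HOMOGLYPHS:
        folded = folded.replace(glyph, real)
    return folded == target or _edit_distance(domain, target) <= 1


def bec_flags(raw_message):
    """Return the list of BEC red flags found in one plain-text RFC 822 message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    # 1. An executive's name on mail that did not come from our own domain
    #    (the article's "email from the CEO's Gmail account").
    role = EXECUTIVES.get(display.strip().lower())
    if role and sender_domain != CORP_DOMAIN:
        where = "free webmail" if sender_domain in FREEMAIL else "external domain"
        flags.append(f"{role} display name from {where} {sender_domain}")
    # 2. A registered lookalike of our domain (the Ubiquiti-style lookalike address).
    if is_lookalike_domain(sender_domain):
        flags.append(f"lookalike domain {sender_domain}")
    # 3. Replies silently steered to a domain other than the apparent sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append("reply-to domain differs from sender domain")
    # 4. The pressure play: urgency paired with a request to move money.
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    if any(w in text for w in URGENCY) and any(w in text for w in PAYMENT):
        flags.append("urgent payment request")
    return flags


# Constructed sample messages for the demo (not real mail).
CEO_GMAIL = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Urgent wire today

I'm in a meeting and can't talk. Wire 48,000 to the new supplier immediately;
bank details follow. Keep this between us.
"""
LOOKALIKE = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe@mail-secure-login.net
Subject: Invoice

Attached is the invoice for the vendor onboarding we discussed.
"""
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nThanks, looks good.\n"

if __name__ == "__main__":
    for name, sample in (("CEO_GMAIL", CEO_GMAIL), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(name, bec_flags(sample) or "no flags")
```

Any flagged message is a candidate for the out-of-band verification step the tips describe, not an automatic block: the heuristics catch the common patterns, and a genuine executive writing from a phone can still trip one of them.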

Social engineering trends

ISACA’s latest report State of Security 2021, Part 2 (a survey of almost 3,700 global cybersecurity professionals) discovered that social engineering is the leading cause of compromises experienced by organizations, while PhishLabs’ Quarterly Threat Trends and Intelligence Report revealed a 22% increase in the volume of phishing attacks in the first half of this year compared to the same period in 2020. Recent research by Gemini has also illustrated how cyber-criminals use social engineering techniques to bypass specific security protocols such as 3D Secure to commit payment fraud.


FAQs

What is an example of a social engineering technique? ›

Phishing. As one of the most popular social engineering attack types, phishing scams are email and text message campaigns aimed at creating a sense of urgency, curiosity or fear in victims.

What is social engineering and example? ›

Defining Social Engineering

Social engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear phishing, and CEO Fraud are all examples.

What is social engineering answers? ›

Social engineering is the tactic of manipulating, influencing, or deceiving a victim in order to gain control over a computer system, or to steal personal and financial information. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.

Which is the best definition of social engineering? ›

Social engineering is the act of exploiting human weaknesses to gain access to personal information and protected systems. Social engineering relies on manipulating individuals rather than hacking computer systems to penetrate a target's account.

Which of the following are examples of social engineering? ›

9 Most Common Examples of Social Engineering Attacks
  1. Phishing. ...
  2. Spear Phishing. ...
  3. Baiting. ...
  4. Malware. ...
  5. Pretexting. ...
  6. Quid Pro Quo. ...
  7. Tailgating. ...
  8. Vishing.

What are the 5 types of social engineering? ›

Social engineering is a term that encompasses a broad spectrum of malicious activity. For the purposes of this article, let's focus on the five most common attack types that social engineers use to target their victims. These are phishing, pretexting, baiting, quid pro quo, and tailgating.

Which is an example of social engineering it essentials? ›

Answers Explanation & Hints: A social engineer attempts to gain the confidence of an employee and convince that person to divulge confidential and sensitive information, such as usernames and passwords.

What is social engineering simple? ›

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. In cybercrime, these “human hacking” scams tend to lure unsuspecting users into exposing data, spreading malware infections, or giving access to restricted systems.

Which is an example of social engineering Mcq? ›

Explanation: Calling a help desk and convincing them to reset a password for a user account is an example of social engineering.

What is social engineering and types? ›

The term “social engineering” is a broad term that covers many cyber-criminal strategies. Social engineering involves human error, so attackers target insiders. The most common form of social engineering is phishing, which uses email messages.

What is the purpose of social engineering? ›

The purpose of social engineering is to convince a user that you represent a trusted institution. Social engineers will often attempt to develop a rapport by offering easily obtainable details, such as birthdate or phone number, as evidence of their legitimacy.

Why is social engineering important? ›

Social engineering is a popular tactic among attackers because it is often easier to exploit people than it is to find a network or software vulnerability. Hackers will often use social engineering tactics as a first step in a larger campaign to infiltrate a system or network and steal sensitive data or disperse ...

What is another term for social engineering? ›

Noun: applied social science, social planning.

What is a common method used in social engineering? ›

The most common form of social engineering attack is phishing. Phishing attacks exploit human error to harvest credentials or spread malware, usually via infected email attachments or links to malicious websites.

How common is social engineering? ›

The average organization is targeted by 700+ social engineering attacks annually. During a given year, organizations face an astonishing 700+ social engineering attacks. Considering there are around 260 workdays annually, that means facing off against about 2.7 per day.

Which choice is an example of social engineering attacks? ›

Phishing

Phishing is a social engineering technique in which an attacker sends fraudulent emails, claiming to be from a reputable and trusted source.

Which of the following is not an example of social engineering? ›

Explanation: Carding is the method of trafficking bank details, credit cards or other financial information over the internet. Hence it is a fraudulent technique used by hackers and does not come under social engineering.

What is social engineering in cyber security examples? ›

There are many different types of social engineering attacks. Some forms of social engineering are convincing emails or text messages infected with links leading to malicious websites. Others involve more effort, like a phone call from a cybercriminal pretending to be tech support requesting confidential information.

What are the three basic types of social engineering? ›

Types of social engineering attacks
  • Pretexting social engineering attack. Pretexting is a sophisticated social engineering technique where the attacker collects information through cleverly crafted lies in the form of a story or pretext. ...
  • Phishing attack. ...
  • Baiting attack.

How many types of social engineering are there? ›

There are three main types of BEC social engineering attacks: Impersonation. This occurs when scammers use spoof emails to pose as employees or trusted vendors and clients.

What is an example of social engineering Cisco? ›

Recently, an employee of networking giant Cisco became the point of leverage for a successful social engineering attack: the attacker gained control of the victim's personal Google account, to which credentials were being synchronized from his browser, and thereby compromised the Cisco employee's credentials.

Why do hackers use social engineering? ›

Criminals use social engineering tactics because it is usually easier to exploit your natural inclination to trust than it is to discover ways to hack your software.

What is a defense for social engineering? ›

One of the best methods of defense against social engineering is placing limits on the access each team member has in the system. Controlling the entirety of the system is much more manageable when only one component is under threat.

What is social engineering training? ›

Social engineering training gives people the tools they need to recognize threats, which grooms more discerning, responsible employees who are better equipped to protect both themselves and their organization.

What is social engineering testing? ›

Social engineering penetration testing is the practice of attempting typical social engineering scams on a company's employees to ascertain the organization's level of vulnerability to that type of exploit.

Which of the following is the best example of reverse social engineering? ›

Explanation: When a hacker pretends to be a person in authority to get a user to tell them information, it is an example of reverse social engineering.

What are the three types of scanning? ›

Scanning is primarily of three types. These are network scanning, port scanning, and vulnerability scanning.

What are the 3 principles of information security? ›

When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.

Is Dumpster diving a social engineering technique? ›

Dumpster diving is listed by many as a social engineering attack, but to me it is more physical security, as a social engineering attack requires someone to engineer. This smelly method of attack yields interesting results.

Why is social engineering effective? ›

In today's world, social engineering is recognized as one of the most effective ways to obtain information and break through a defense's walls. It is so effective because technical defenses (like firewalls and overall software security) have become substantially better at protecting against outside entities.

What type of communication can be used in social engineering? ›

Commonly, social engineering involves email or other communication that invokes urgency, fear, or similar emotions in the victim, leading the victim to promptly reveal sensitive information, click a malicious link, or open a malicious file.

How do social engineers successfully manipulate people? ›

Attackers focus on creating a good fabricated scenario where they can manipulate and steal their victims' personal information. They do this by establishing a trusting relationship with the target to put them in a relaxed and comfortable state where it is easier to gain useful or sensitive information.

Which is not a common technique used by social engineers? ›

Examples that would not involve social engineering could include hacking, downloading code on non-secure websites (Drive-by Downloads), Bluetooth attacks, and plenty of others.

Which two precautions can help prevent social engineering? ›

Some Quick Tips to Remember:
  • Think before you click. ...
  • Research the sources. ...
  • Email spoofing is ubiquitous. Hackers, spammers, and social engineers are out to get your information, and they are taking over control of people's accounts. ...
  • Don't download files you don't know. ...
  • Offers and prizes are fake.

What is social engineering attacks Techniques & Prevention? ›

Social engineering is the act of manipulating people to take a desired action, like giving up confidential information. Social engineering attacks work because humans can be compelled to act by powerful motivations, such as money, love, and fear.

Is social engineering a phishing? ›

A social engineering attack is when a web user is tricked into doing something dangerous online. There are different types of social engineering attacks: Phishing: The site tricks users into revealing their personal information (for example, passwords, phone numbers, or social security numbers).

Is shoulder surfing a social engineering technique? ›

In computer security, shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder.

Which of the following are examples of social engineering attacks select three? ›

The following are the five most common forms of social engineering attacks.
  • Phishing.
  • Baiting.
  • Pretexting.
  • Scareware.
  • Business Email Compromise (BEC).

Last Updated: 01/24/2023