Social engineering attacks refer to a broad range of deceptive techniques used to trick victims into performing actions or divulging confidential information. These attacks differ from traditional computer hacking in that they don’t involve the exploitation of technical vulnerabilities. Instead, social engineering attacks rely on human error to access private information.
According to PurpleSec, 98% of cyberattacks rely to some extent on social engineering. Antivirus tools, while always helpful, are insufficient to protect against these threats. Enterprises need to develop comprehensive security awareness training programs that include components for addressing social engineering threats.
This guide will describe social engineering and how it works and provide recommendations for defending against these attacks.
Social engineering attack life cycle
A social engineering attack is typically carried out in four stages: investigation, hook, play, and exit.
Investigation
Once a malicious actor identifies a target or victim, they start to gather as much information as possible about the individual. This process is also known as the information gathering stage.
The social engineer scouts for information available in the public domain, such as names, titles, areas of interest, addresses, social media profiles, and other personal data that could help them carry out an attack.
Hook or relationship development
After gaining intelligence about their victims, social engineers make contact via social media, email, phone calls, text, or other available mediums to establish a relationship and ultimately gain the victim’s trust.
Play
Social engineers expand their foothold in this stage and start to exploit the vulnerabilities they find while developing a relationship with the victim.
They may send a link that looks legitimate and encourage the victim to click it, giving the attacker access to confidential data.
They might also attempt to manipulate victims into taking specific actions, such as transferring money, making purchases, canceling orders, or divulging more sensitive information.
Exit
After a successful attack, social engineers usually attempt to cover their tracks to prevent detection and prosecution. They may delete logs, encrypt data, or use stolen credentials to commit additional crimes.
7 types of social engineering attacks
There are several different types of social engineering attacks, including phishing, baiting, tailgating, pretexting, and more — each with a different methodology. These attack methods can be used to access valuable and sensitive information from your organization or its employees.
Phishing
By far the most common type of socially engineered attack, phishing occurs when an attacker uses deception to trick people into disclosing personal information such as usernames, passwords, or credit card details.
Phishing attacks typically come via email or instant messaging. Some types of phishing include:
- Vishing: Voice-based phishing that uses interactive voice response systems.
- Spear phishing: Phishing attacks targeting specific organizations or individuals.
- Angler phishing: Attacks carried out via spoof customer service accounts on social media.
- Smishing: SMS-based phishing.
Baiting
Baiting is another social engineering attack where an attacker lures their victim by offering something they want. This bait could be a new job offer, free tickets to a music festival, free merchandise, or infected devices.
The key here is that baiting involves enticing victims with something they want or need in order to encourage them to disclose confidential information.
Tailgating
A tailgater is a person who follows closely behind someone else through an open door or gate without permission. For example, in computer security, tailgating occurs when an unauthorized person gains entry to a secure area by following closely behind an authorized person with valid entry credentials.
It is often described as the art of sneaking into places because it relies on misdirection and concealment rather than brute force. It relies on the natural goodwill of people to be helpful to strangers who may have lost or forgotten their credentials.
Whaling
Whaling is a type of social engineering attack aimed at C-level executives. These attacks typically involve impersonation, and they’re meant to exploit greed, carelessness, and even desperation.
When well executed, this type of attack can be particularly effective because C-suite executives usually have higher clearance levels and more resources at their disposal.
Pretexting and quid pro quo
One of the more insidious forms of social engineering attacks is pretexting. A pretext is an excuse to justify a request for information, especially over a phone call or email conversation.
Quid pro quo (literally “something for something” in Latin) is a social engineering attack whereby the attacker makes a seemingly harmless request and offers something of value.
Scareware
This social engineering attack is used to scare users into purchasing software or services they don’t need. Scareware is a form of malware that creates a sense of urgency by lying to and alarming end users with exaggerated claims of infection, infestation, or imminent danger.
Business email compromise (BEC)
BEC is a type of social engineering attack that targets business email accounts, and it’s quickly becoming one of the most dangerous threats to businesses.
According to the FBI Internet Crime Report 2022, the IC3 received 21,832 BEC complaints with adjusted losses of over $2.7 billion in 2022.
Companies must implement measures to verify and validate payments and purchase requests outside of email to avoid BEC attacks.
7 best practices for preventing social engineering
Social engineering attacks can be deceptively easy to pull off. However, there are several methods, such as staying on top of education and training efforts and implementing strong password and multifactor authentication policies, that savvy information security professionals — and other employees — can use to stay ahead of these schemes.
Here are some social engineering best practices that could help:
Educate employees about social engineering attacks
If your employees don’t know what a social engineering attack is, they won’t recognize it when it happens. Educating them on what an attack looks like, what red flags they should look out for, and who they should report suspicious activity to will help keep your organization safe.
Train employees on proper security behavior
After you educate your employees about potential threats, teach them how to handle those situations appropriately with hands-on training opportunities.
For example, teach them not to open attachments from unknown senders, to contact IT immediately if something seems fishy, and never to give out personal information over email or phone unless they have verified the requester’s identity.
Simulate a social engineering attack
Simulating a social engineering scenario within the organization is a good test to see how employees respond to an attack. This process can be carried out without giving employees prior notice; the percentage of pass versus fail will give companies an idea of how well the staff are prepared and areas that could use some improvement.
It’s important not to use this test as a means of retaliating against noncompliant employees. Instead, use it as a barometer across the organization to determine the overall effectiveness of your training initiatives, and where you may need to focus on additional remediation.
Implement strong password policies
Strong passwords require special characters and symbols, upper- and lowercase letters, and numbers. In addition, they must be at least 12 to 16 characters long and changed every three months.
Weak passwords, on the other hand, include birthdays, names of family members or pets, and easily guessed words found in dictionaries.
Changing your password regularly makes it harder for social engineers to guess or crack your password and access your accounts. Use a password manager to help you create and store secure passwords.
Use two-factor or multifactor authentication (2FA or MFA)
MFA adds another layer of protection by requiring users to verify their identity through another method besides just a username and password. This often involves entering a code sent via text message or receiving an automated call before being granted access, but it could be any number of items, including tokens, biometrics, smart cards, or even retina scans.
Limit employee access privileges
Limiting an employee’s access to only what they need for their job reduces opportunities to accidentally or intentionally expose sensitive information. Also, giving employees access to sensitive information only on a need-to-know basis will help prevent them from inadvertently or deliberately sharing that information with others.
Regularly update software with patches
Regularly updating software ensures that all known vulnerabilities have been addressed. Patches are designed to fix security holes in software, but attackers can exploit those holes for as long as the patches aren’t installed, so install patches as soon as they become available.
Bottom line: Social engineering attack prevention
Malicious actors constantly upgrade their social engineering techniques and devise new means to gain victims’ trust. Companies must educate their employees regularly to prevent these occurrences, in addition to maintaining strong password health, access controls, and a robust antivirus solution.
A managed security provider (MSP) can help your organization monitor and improve your overall security stack.