What is social engineering?

Learn effective strategies to safeguard your personal information and defend against social engineering, a cunning tactic used by cybercriminals to manipulate individuals.


What are social engineering attacks?

Social engineering attacks in computing are sophisticated methods used by cybercriminals to manipulate individuals into compromising their own security. These attacks often result in victims unknowingly sending money, disclosing sensitive personal or organizational information, or breaching security protocols.

The effectiveness of social engineering lies in its ability to exploit human emotions such as fear, curiosity, or empathy, leading individuals to act impulsively against their better judgment. By understanding and playing on these emotional triggers, attackers persuade victims to make decisions that may seem irrational in hindsight, such as downloading harmful software, visiting unsafe websites, or sharing confidential data.

How does social engineering work?

Social engineering uses psychological tactics to manipulate people into revealing sensitive information that the attacker then uses for system access or identity theft. It exploits human error, often through deceit or impersonation, and leads to security breaches and data compromise without relying on technical hacking methods.

Social engineering assaults are typically multi-step processes. Initially, the attacker researches the target to collect enough information and essential background details, identifying vulnerabilities and weak security measures crucial for the attack’s success. Following this, the attacker employs tactics like pretexting or impersonating authority figures to earn the trust of the victim. This manipulation is designed to elicit actions that compromise security, such as divulging confidential information or providing access to vital systems.

Social engineering attacks manipulate human psychology to bypass technical security measures. Attackers carefully select their intended victim based on various factors. Key tactics include:

  1. Impersonation: Attackers often masquerade as reputable entities—big brands, government agencies, or authority figures—to gain trust. For example, they may create fraudulent websites mirroring major brands to deceive users into revealing sensitive information.
  2. Exploiting Emotions: These attacks commonly leverage emotions like fear, urgency, or greed. Scammers might send alarming messages about a compromised bank account, or entice victims with fraudulent promises of financial gain, such as the notorious ‘Nigerian Prince’ email scam.
  3. Preying on Goodwill or Curiosity: Social engineers also exploit a person’s natural inclination to help or their curiosity. They might send emails appearing to be from friends or social networks, asking for contact information, assistance or enticing users to click on a malicious link under the guise of an intriguing story or helpful resource.

Understanding these tactics is crucial for recognizing and thwarting social engineering attacks. They prey on human nature rather than technological flaws, making awareness and vigilance key defenses against such threats.

How to protect against social engineering attacks

Social engineering attacks can take many forms, from phishing emails to manipulation via phone calls or text messages. Because they primarily target human vulnerabilities rather than technological flaws, defending against them requires a combination of awareness, vigilance, and technological safeguards.

The following steps offer a comprehensive approach to enhance your defense against these increasingly common and sophisticated attacks:

  1. Use Multi-Factor Authentication: Implementing two-factor or multi-factor authentication is crucial. It adds an extra layer of security, ensuring that even if login credentials are compromised, unauthorized access is still prevented.
  2. Security Awareness Training: Regular training for all employees is vital to recognize and respond to social engineering attacks. This training should cover the identification of suspicious activities and the importance of not sharing sensitive information.
  3. Install a Strong Cybersecurity Program: Use comprehensive cybersecurity software, such as Malwarebytes, that can recognize and neutralize threats, including malicious websites, malvertising, malware, viruses, and ransomware.
  4. Implement Access Control Policies and Cybersecurity Technologies: Enforce strict access control policies, including adaptive authentication and a zero-trust security approach. Utilize technologies like spam filters, secure email gateways, firewalls, antivirus software, and keep systems updated with the latest patches.
  5. Turn Spam Filters On: Activate spam filters to block phishing emails and other forms of spam. While some legitimate emails might be filtered out, you can mitigate this by marking them as “not spam” and adding legitimate senders to your contacts list.
  6. Learn How to Spot Phishing Emails: Educate yourself and others on identifying phishing attempts. Look for red flags like mismatched sender addresses, generic salutations, unusual URLs, poor grammar, and offers that seem too good to be true.
  7. Disable Macros in Documents: Turn off macros in your software. Be cautious with email attachments that prompt you to enable macros, especially from unknown sources. If in doubt, verify the legitimacy of the attachment with the sender.
  8. Do Not Respond to Suspected Scams: Avoid responding to potential scams, whether via email, SMS, or phone calls. Responding confirms to scammers that your contact information is valid, encouraging more attempts. Forward suspicious texts to 7726 (SPAM) to help your carrier filter spam.
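The red flags in step 6 (mismatched sender addresses, generic salutations, urgency, disguised URLs) can be checked mechanically. The following is an added example, not Malwarebytes code; it runs a few of those heuristics over a constructed sample email with made-up domains and is meant as a triage aid, not a verdict.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real email) showing several of the red flags listed above.
SAMPLE_EMAIL = """From: "Example Bank Security" <alerts@examplebank-verify.co>
Reply-To: support@mail-relay.example
Subject: URGENT: your account has been suspended

<p>Dear Customer,</p>
<p>Verify immediately: <a href="http://login.examplebank-verify.co/reset">https://www.examplebank.com/login</a></p>
"""
URGENCY_WORDS = ("urgent", "immediately", "suspended")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member")

class LinkExtractor(HTMLParser):  # collects (visible link text, href) pairs from an HTML body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def phishing_red_flags(raw):
    """Return the names of the red flags found in a raw RFC 822 message (heuristics, not proof)."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    flags = []
    dom = lambda header: parseaddr(msg.get(header, ""))[1].rsplit("@", 1)[-1].lower()
    if dom("Reply-To") and dom("Reply-To") != dom("From"):
        flags.append("reply-to domain differs from sender domain")
    if any(s in text for s in GENERIC_SALUTATIONS):
        flags.append("generic salutation")
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency language")
    parser = LinkExtractor()
    parser.feed(body)
    for shown, href in parser.links:
        if shown.startswith("http") and urlparse(shown).hostname != urlparse(href).hostname:
            flags.append("link text host differs from actual href host")
    return flags
```

The last check catches the classic disguised link, where the URL the reader sees points at a different host than the one the anchor actually opens.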

By implementing these strategies, you can create a robust defense system against social engineering attacks, safeguarding both your personal data and your organization’s sensitive information. Remember, staying informed and cautious is your first line of defense in the ever-evolving landscape of cybersecurity threats.

Types of social engineering attacks

Social engineering attacks predominantly occur through various [forms of phishing](https://www.malwarebytes.com/phishing). These attacks exploit human psychology and trust, rather than relying on technical hacking methods. The effectiveness and prevalence of phishing make it a critical concern for both individuals and organizations. Here’s a more detailed breakdown of each type:

  1. Email Phishing: Attackers impersonate legitimate entities through emails, tricking recipients into revealing personal data or credentials. These emails often contain links to deceptive websites or malicious attachments.
  2. Bulk Phishing: This method involves sending the same phishing email to millions of people. The emails appear to be from recognizable organizations and often request personal information under false pretenses.
  3. Spear Phishing: A more targeted form of phishing, where attackers customize their messages for specific individuals using information sourced from social media or professional networks.
  4. Whale Phishing: A high-level spear phishing tactic aimed at senior executives or high-profile individuals. These attacks are highly personalized and often involve complex deception.
  5. Voice Phishing (Vishing): This technique uses phone calls to deceive individuals into divulging sensitive information. Attackers may pose as legitimate organizations or authority figures.
  6. SMS Phishing (Smishing): A variant of phishing conducted through text messages. These messages lure recipients into clicking on malicious links or divulging sensitive information.
  7. Search Engine Phishing: In this approach, attackers create fake websites that appear high in search engine results. When users visit these sites, they are at risk of information theft.
  8. Angler Phishing: This form exploits social media platforms, where attackers create fake customer service accounts to interact with victims, often leading them to phishing sites.

Beyond phishing, the other common social engineering methods are:

  1. Baiting: Tempts victims with a false promise of goods or services to steal information or install malware.
  2. Tailgating/Piggybacking: Involves unauthorized access to restricted areas by physically following an authorized person or digitally exploiting someone else’s active session.
  3. Pretexting: Attackers fabricate scenarios to extract sensitive information or gain access, often by posing as someone with authority or a need to verify identity.
  4. Quid Pro Quo: Offers a service or benefit in exchange for sensitive information, exploiting the victim’s desire for a good deal or reward.
  5. Scareware: Uses fear tactics to manipulate victims into installing malware or revealing confidential information.
  6. Watering Hole Attack: Targets specific groups by infecting websites they frequently visit, leading to data theft or malware installation.
  7. Trojan Attacks: Malware disguised as legitimate software, often spread through email attachments from seemingly trustworthy sources.
  8. Tech Support Scams: Deceive victims into believing their device is compromised and charge money for unnecessary “fixes.”
  9. Scam Calls: Involves using phone calls (including robocalls) to scam victims, often by posing as legitimate organizations or authorities.

Understanding these phishing methods and other social engineering tactics is crucial for safeguarding against these prevalent and evolving threats.

Examples of social engineering attacks

Here are some real-world examples of social engineering we’ve reported on over at Malwarebytes Labs. In each example, social engineering scammers are looking for the right target and the right emotional trigger. Sometimes the combination of target and trigger can be hyper-specific (as with a spear phishing attack). Other times, scammers may go after a much broader group.

The sextortion scam: In this first example, scammers are casting a wide net. The target? Anyone who watches porn. The victim is notified via email that their web cam has supposedly been hacked and used to record them watching adult videos. The scammer also claims they’ve hacked the recipient’s email account, using an old password as proof. If the victim doesn’t pay up via Bitcoin, the scammer threatens to release the video to all the victim’s contacts. Generally speaking, the scammer doesn’t have video of you and your old password is from a previously disclosed data breach.

The grandparent scam: This scam has been going around for years and targets anyone with living family, usually the elderly. Parents or grandparents receive a call or text message from the scammer, posing as a lawyer or law enforcement. The scammer claims the victim’s relative has been arrested or injured and needs money to cover bail, legal fees, or hospital bills. In the case of the SMS text message version of the scam, merely replying ends up costing the victim money.

The Social Security Number scam: In this grift, things start to narrow as it only applies to US citizens. The victim receives a prerecorded robocall purporting to be from the Social Security Administration. The message asserts the victim’s SSN has been “suspended” for “suspicious trails of information.” Never mind the fact that your SSN can’t be suspended, if the victim falls for the ploy and returns the call, they’ll be asked to pay a fine to straighten everything out.

The John Wick 3 scam: Here’s a good example of spear phishing. In this case the scammers are after a very specific target: a John Wick fan who enjoys comic books, but prefers to read them on Amazon Kindle. While searching for John Wick comics, the target is offered a free download for the third John Wick film—at the time of the scam, the movie hadn’t been released in theaters. Following the link embedded in the movie description takes the victim down a rabbit hole of illegal streaming sites for pirated movies.

Coronavirus scams: Scammers took note of the dearth of virus info, especially in the early days and months of the epidemic. As health officials struggled to get a grasp on the virus and how it spread from person to person, scammers filled in the blanks with bogus websites and spam emails.

We reported on spam emails masquerading as virus info from the World Health Organization. The emails actually contained malware-filled attachments. In another example, Labs reported on a COVID-19 tracking site that displayed infections around the world in real-time. Behind the scenes the site would load an info-stealer Trojan onto victims’ computers.

What is the difference between social engineering and reverse social engineering?

In social engineering, attackers approach targets to manipulate them into sharing information. In reverse social engineering, victims unknowingly initiate contact with deceptive attackers.