All examples of social engineering take advantage of human nature, such as the willingness to trust others, to trick individuals into divulging sensitive information. Despite its prevalence, social engineering can be challenging to distill into a single formula. It’s one of the reasons 82% of data breaches involve the human element.

Social engineering has become the backbone of many cyber threats, from phishing emails to smishing and vishing attacks. This blog post will outline many popular social engineering techniques and the emotions hackers use to dupe their victims.

9 Most Common Examples of Social Engineering Attacks

In no particular order, here are nine common cyber threats that leverage social engineering tactics to gain access to sensitive information. While most of these attacks occur online, several can rear their heads in physical spaces like offices, apartment buildings, and cafes.

1. Phishing

In the most pervasive form of social engineering, hackers use deceptive phishing emails, websites, and text messages to steal sensitive personal or organizational information from unsuspecting victims. Despite how well-known phishing email techniques are, 1 in 5 employees still click on those suspicious links.

2. Spear Phishing

This email scam is used to carry out targeted attacks against individuals or businesses. Spear phishing is more intricate than your average mass phishing email, as it requires in-depth research on potential targets and their organizations.

3. Baiting

This type of attack can be perpetrated online or in a physical environment. The cyber criminal usually promises the victim a reward in return for sensitive information or knowledge of its whereabouts.

4. Malware

In this category of attacks, which includes ransomware, victims are sent an urgently worded message and tricked into installing malware on their device(s). Ironically, a popular tactic is telling the victim that malware has already been installed on their computer and that the sender will remove the software if they pay a fee.

5. Pretexting

This attack involves the perpetrator assuming a false identity to trick victims into giving up information. Pretexting is often leveraged against organizations with an abundance of client data, like banks, credit card providers, and utility companies.

6. Quid Pro Quo

This attack centers around an exchange of information or service to convince the victim to act. Normally, cyber criminals who carry out these schemes don’t do advanced target research and offer to provide “assistance,” assuming identities like tech support professionals.

7. Tailgating

This attack targets an individual who can give a criminal physical access to a secure building or area. These scams are often successful due to a victim’s misguided courtesy, such as if they hold the door open for an unfamiliar “employee.”

8. Vishing

In this scenario, cyber criminals will leave urgent voicemails to convince victims they must act quickly to protect themselves from arrest or another risk. Banks, government agencies, and law enforcement agencies are commonly impersonated personas in vishing scams.

9. Water-Holing

This attack uses advanced social engineering techniques to infect a website and its visitors with malware. The infection is usually spread through a website specific to the victims’ industry, like a popular website that’s visited regularly.

How Does Social Engineering Happen?

Social engineering happens because of the human instinct of trust. Cyber criminals have learned that a carefully worded email, voicemail, or text message can convince people to transfer money, provide confidential information, or download a file that installs malware on the company network.

Consider this example of spear phishing that convinced an employee to transfer $500,000 to a foreign investor:

  1. Thanks to careful spear phishing research, the cyber criminal knows the company CEO is traveling.
  2. An email is sent to a company employee that looks like it came from the CEO. There is a slight discrepancy in the email address, but the spelling of the CEO’s name is correct.
  3. In the email, the employee is asked to help the CEO by transferring $500,000 to a new foreign investor. The email uses urgent yet friendly language, convincing the employee that he will be helping both the CEO and the company.
  4. The email stresses that the CEO would do this transfer herself, but she can’t make the fund transfer in time to secure the foreign investment partnership since she is traveling.
  5. Without verifying the details, the employee decides to act. He truly believes that he is helping the CEO, the company, and colleagues by complying with the email request.
  6. A few days later, the victimized employee, CEO, and company colleagues realize they’ve been the targets of a social engineering attack, resulting in a loss of $500,000.
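The scenario above turns on two signals a mail filter can see: a sender whose display name matches an executive but whose address does not (step 2), and urgent, money-moving language (step 3). The following is an added example, not code from the original post; the executive directory, domains, keyword list and sample message are all constructed for illustration.

```python
# Added example (not from the original post): flag messages whose display
# name matches a known executive while the sender address does not, and
# note urgent financial wording. Names, domains and messages are constructed.
import re
from email.utils import parseaddr

# Constructed directory of executives: display name -> legitimate address.
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
}

# Constructed phrases matching the urgent, money-moving tone in the scenario.
URGENT_FINANCE = re.compile(
    r"\b(urgent|immediately|today|wire|transfer|investor)\b", re.IGNORECASE
)


def normalize_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' equals 'jane doe'."""
    return " ".join(name.lower().split())


def check_message(from_header: str, body: str) -> dict:
    """Return findings for one message: impersonation flag, urgency flag,
    and a combined hold-for-review decision."""
    display, address = parseaddr(from_header)
    address = address.lower()
    legit = EXECUTIVES.get(normalize_name(display))
    # Display name is a known executive, but the address is not theirs.
    impersonation = legit is not None and address != legit
    urgent = bool(URGENT_FINANCE.search(body))
    return {
        "display_name": display,
        "address": address,
        "executive_impersonation": impersonation,
        "urgent_finance_language": urgent,
        "hold_for_review": impersonation and urgent,
    }


if __name__ == "__main__":
    # Constructed sample modelled on the scenario above (not a real message);
    # note the lookalike domain "examp1e.com" versus the legitimate one.
    sample_from = "Jane Doe <jane.doe@examp1e.com>"
    sample_body = ("I'm traveling and can't do this myself. Please wire "
                   "$500,000 to our new investor today. Thanks!")
    print(check_message(sample_from, sample_body))
```

A real deployment would also compare the envelope sender and Reply-To header against the directory, since the display name alone is trivially chosen by the sender.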



Examples of Social Engineering Attack Scenarios

Savvy cyber criminals know that social engineering works best when focusing on human emotion and risk. Taking advantage of human emotion is much easier than hacking a network or looking for security vulnerabilities.

The following are some familiar notes successful social engineering attacks hit again and again.

Fear

You receive a voicemail saying you’re under investigation for tax fraud and must call immediately to prevent arrest and criminal investigation. This social engineering attack happens during tax season when people are already stressed about their taxes. Cyber criminals prey on the stress and anxiety of filing taxes and use these fear emotions to trick people into complying with the voicemail.

Greed

Imagine if you could transfer $10 to an investor and see this grow into $10,000 without any effort on your behalf. Cyber criminals use the basic human emotions of trust and greed to convince victims that they really can get something for nothing. A carefully worded baiting email tells victims to provide their bank account information, and the funds will be transferred the same day.

Curiosity

Cyber criminals pay attention to events capturing a lot of news coverage and then take advantage of human curiosity to trick social engineering victims into acting. For example, after the second Boeing MAX8 plane crash, cyber criminals sent emails with attachments that claimed to include leaked data about the crash. The attachment installed a version of the Hworm RAT on the victim’s computer.

Helpfulness

Humans want to trust and help one another. After researching a company, cyber criminals target two or three employees with an email that looks like it comes from the targeted individuals’ manager. The email asks them to send the manager the password for the accounting database – stressing that the manager needs it to ensure everyone gets paid on time. The email tone is urgent, tricking the victims into believing they are helping their manager by acting quickly.

Urgency

You receive an email from customer support at an online shopping website that you frequently buy from, telling you they need to confirm your credit card information to protect your account. The email language urges you to respond quickly to ensure that criminals don’t steal your credit card information. Without thinking twice, you send the information, which results in the recipient using your details to make thousands of dollars of fraudulent purchases.

How to Protect Your Information from Social Engineering Attacks

Though social engineering tactics are common, the examples in this blog post underscore how difficult they can be to spot and, more importantly, resist. Reacting based on human nature pushes many people towards a cyber criminal’s desired outcome.

Because of this, implementing security awareness training that changes behavior and reduces risk is an increasingly important part of many organizational cultural and cyber security metrics. Regardless of where your organization is on its security awareness journey, social engineering courses are a must.

If you’re unsure where to start or are curious about how you can get the most out of your training program, it’s recommended that you give the updated Definitive Guide to Security Awareness a read. Full of expert tips and insight into building learning activities that support a security-aware organizational mindset, it’s ready and waiting for you to enjoy – all you have to do is download it!
