Social engineering is a common technique cyber criminals use to trick individuals into divulging sensitive personal or organizational information. By exploiting basic human nature, such as the willingness to trust others, and the everyday behaviour that follows from it and that most people wouldn’t think twice about, social engineering has become the backbone of many phishing attacks and other cyber threats.
According to Verizon’s 2021 Data Breach Investigations Report, 85% of breaches involved the human element, while social engineering was an integral part of 35% of those incidents. Despite its prevalence, social engineering can be difficult to distill into a single formula.
Phishing emails and vishing calls, where an urgent and official-sounding message pushes the victim to act quickly, and physical tailgating attacks, which rely on trust to get into a building, can all start with social engineering.
9 Most Common Examples of Social Engineering Attacks
1. Phishing
Phishing is the most pervasive way of leveraging social engineering tactics: hackers use deceptive emails, websites, and text messages to steal sensitive personal or organizational information from unsuspecting victims.
2. Spear Phishing
This type of email scam is used to carry out targeted attacks against individuals or businesses. Spear phishing is more intricate than the average mass phishing email, as it requires in-depth research on potential targets and their organizations.
3. Baiting
This type of attack can be perpetrated online or in a physical environment. The attacker usually promises the victim a reward in return for sensitive information or for knowledge of where that information is kept.
4. Scareware
In this category of attacks, which overlaps with ransomware, victims are sent an urgently worded message and tricked into installing malware on their device(s). Ironically, a popular tactic is telling the victim that malware has already been installed on their computer and that, if they pay a fee, the sender will remove it for them.
5. Pretexting
This type of attack involves the perpetrator assuming a false identity to trick victims into giving up information. Pretexting is often leveraged against organizations that hold an abundance of client data, like banks, credit card providers, and utility companies.
6. Quid Pro Quo
This attack centers around an exchange of information or service to convince the victim to act. Normally, cyber criminals who carry out these schemes don’t do advanced target research and offer to provide “assistance,” assuming identities like tech support professionals.
7. Tailgating
This attack targets individuals who can give the criminal physical access to a secure building or area. These scams often succeed because of a victim’s misguided courtesy, such as holding the door open for an unfamiliar “employee.”
8. Vishing
In this scenario, cyber criminals leave urgent voicemails to convince victims that they need to act quickly to protect themselves from arrest or some other risk. Banks, government agencies, and law enforcement agencies are commonly impersonated in vishing scams.
9. Watering Hole
This attack uses advanced social engineering techniques to infect both a website and its visitors with malware. The infection is usually spread through a site specific to the industry the victims work in, such as a popular website they visit regularly.
The one common thread linking these social engineering techniques is the human element. Cyber criminals know that taking advantage of human emotions is the best way to steal.
Traditionally, companies have focused on the technical aspects of cybersecurity – but now it’s time to take a people-centric approach to cyber security awareness.
How Does Social Engineering Happen?
Social engineering happens because of the human instinct of trust. Cyber criminals have learned that a carefully worded email, voicemail, or text message can convince people to transfer money, provide confidential information, or download a file that installs malware on the company network.
Consider this example of spear phishing that convinced an employee to transfer $500,000 to a foreign investor:
- Thanks to careful spear phishing research, the cyber criminal knows the company CEO is traveling.
- An email is sent to a company employee that looks like it came from the CEO. There is a slight discrepancy in the email address – but the spelling of the CEO’s name is correct.
- In the email, the employee is asked to help the CEO out by transferring $500,000 to a new foreign investor. The email uses urgent yet friendly language, convincing the employee that he will be helping both the CEO and the company.
- The email stresses that the CEO would do this transfer herself, but since she is traveling, she can’t make the fund transfer in time to secure the foreign investment partnership.
- Without verifying the details, the employee decides to act. He truly believes that he is helping the CEO, the company, and his colleagues by complying with the email request.
- A few days later, the victimized employee, the CEO, and their colleagues realize they have been the victims of a social engineering attack and have lost $500,000.
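The “slight discrepancy in the email address” in the scenario above is exactly the kind of detail a mail-gateway rule can catch before the employee ever sees the message. The following Python example is added here to illustrate that check; it is not part of the original page. It assumes a made-up executive directory, a made-up corporate domain (example.com), and two constructed messages, one legitimate and one imitating the wire-transfer request described above. It flags three signals: a display name that matches an executive but an address that does not match the directory, a sender domain that is a lookalike of the corporate domain, and a Reply-To that diverts replies elsewhere.

```python
"""Flag executive-impersonation ("CEO fraud") email by inspecting its headers.

Added example, not code from the original page. The executive directory,
corporate domain and the two sample messages are constructed for illustration.
"""
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                       # assumed corporate domain
EXECUTIVES = {                                    # assumed directory: display name -> mailbox
    "jane doe": "jane.doe@example.com",
}


def _decode(value):
    """Decode an RFC 2047 encoded header (or pass a plain one through)."""
    return str(make_header(decode_header(value or "")))


def edit_distance(a, b):
    """Levenshtein distance; used to catch domains such as examp1e.com or exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, corp=CORP_DOMAIN):
    """True when `domain` is not the corporate domain (or a subdomain of it) but imitates it."""
    if domain == corp or domain.endswith("." + corp):
        return False
    corp_label = corp.split(".")[0]
    # one or two character edits, or the corporate name buried in a longer domain
    return edit_distance(domain, corp) <= 2 or corp_label in domain


def check_message(raw):
    """Return the list of impersonation indicators found in a raw RFC 5322 message ([] if clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(_decode(msg.get("From")))
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []

    # 1. Display name of a known executive, but not the mailbox the directory knows for them.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append(f"display name '{name}' does not match directory mailbox {EXECUTIVES[name]}")

    # 2. Sender domain imitates the corporate domain.
    if lookalike_domain(domain):
        reasons.append(f"sender domain '{domain}' is a lookalike of {CORP_DOMAIN}")

    # 3. Replies are silently redirected to a different address.
    _, reply_to = parseaddr(_decode(msg.get("Reply-To")))
    if reply_to and reply_to.lower() != addr:
        reasons.append(f"Reply-To '{reply_to}' differs from From address '{addr}'")

    return reasons


# Constructed sample messages (not real traffic).
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 numbers

Bob, please send the Q3 numbers when they are ready.
"""

FRAUD = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-provider.test
To: bob@example.com
Subject: URGENT wire

Bob, I'm traveling and can't do this myself. Please wire $500,000 to the new investor today.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("fraud", FRAUD)):
        print(label, check_message(raw) or "no indicators")
```

A rule like this belongs in the gateway or in a mailbox-level transport rule, not on the user: the point of the scenario is that the employee did not verify, so the check has to happen where no human judgment is required. The substring test in `lookalike_domain` is deliberately aggressive and will flag partner domains that contain the corporate name; in production it should be paired with an allow-list of known partners.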
Examples of Social Engineering Tactics
Savvy cyber criminals know that social engineering works best when focusing on human emotion and risk. Taking advantage of human emotion is much easier than hacking a network or looking for security vulnerabilities.
These examples of social engineering emphasize how emotion is used to commit cyber attacks:
You receive a voicemail that says you’re under investigation for tax fraud and that you must call immediately to prevent arrest and a criminal investigation. This social engineering attack happens during tax season, when people are already stressed about their taxes. Cyber criminals prey on the stress and anxiety of filing taxes and use that fear to trick people into complying with the voicemail.
Imagine you could simply transfer $10 to an investor and watch it grow into $10,000 without any effort on your part. Cyber criminals use the basic human emotions of trust and greed to convince victims that they really can get something for nothing. A carefully worded baiting email tells victims to provide their bank account information, promising that the funds will be transferred the same day.
Cyber criminals pay attention to events capturing a lot of news coverage and then take advantage of human curiosity to trick social engineering victims into acting. For example, after the second Boeing 737 MAX 8 crash, cyber criminals sent emails with attachments that claimed to contain leaked data about the crash. The attachment installed a version of the Hworm RAT on the victim’s computer.
Humans want to trust and help one another. After researching a company, cyber criminals target two or three employees with an email that looks like it comes from the targeted individuals’ manager.
The email asks them to send the manager the password for the accounting database – stressing that the manager needs it to make sure everyone gets paid on time. The email tone is urgent, tricking the victims into believing that they are helping their manager by acting quickly.
You receive an email from customer support at an online shopping website that you frequently buy from, telling you that they need to confirm your credit card information to protect your account. The email language urges you to respond quickly to ensure that criminals don’t steal your credit card information.
Without thinking twice and because you trust the online store, you send your credit card information and your mailing address and phone number. A few days later, you receive a call from your credit card company telling you that your credit card has been stolen and used for thousands of dollars of fraudulent purchases.