Understanding the psychology: Why social engineering succeeds

Ilaria Munari · Mon Sep 15 2025 · 4 min read

In social engineering, attackers trick their victims into doing something they should not: revealing their passwords or other sensitive information, installing malware, or granting access to systems or locations.

For many people, social engineering is synonymous with phishing and fake emails. But it's really about human psychology.

Social engineering has evolved into a sophisticated set of techniques for manipulating and exploiting human nature. Most of the time, most of us tend to:

  • Trust the people we know.
  • Respect authority figures.
  • Want to help and do a good job.
  • Try to avoid trouble and negative repercussions.

Social engineering weaponises these traits against us. For example, the victim receives a fake email from their HR department demanding immediate action on a policy update, or a call from IT requesting a password reset. These messages pressure them to act by creating a sense of urgency, exploiting their respect for authority, and sometimes threatening unpleasant consequences if they don't do as they're asked.

Sometimes, attackers take advantage of people's sympathy and kindness, for example by posing as colleagues, friends, or family members in urgent need of help, or as a charitable cause.

Alternatively, they may trigger the victim's curiosity with a subject line such as "Confidential: Your Bonus Details".

Workplaces today are often characterised by multitasking and stress. This makes them fertile ground for lapses in judgement. Employees juggling deadlines are less likely to scrutinise a suspicious link or ask a visitor to prove their identity.

Security awareness training teaches us to "trust but verify". However, when people are under pressure, this principle can easily go out of the window, leaving organisations exposed to risk.

Beyond phishing: The many forms of social engineering

While phishing remains prevalent, attackers have diversified their methods.

Vishing: Pretexting and impersonation over the phone

Vishing, or voice phishing, is social engineering conducted by phone. Fraudsters masquerade as vendors, auditors, or internal support teams, often spoofing the caller ID so that a genuine business number is displayed, for credibility.

In credential reset fraud, attackers trick victims into handing over their login details under the pretence of resetting their password.

In vendor invoice fraud, attackers pose as a supplier and ask for an invoice to be paid to new bank details. In CEO impersonation schemes, they pose as senior executives and send fake payment requests to finance teams, who may action the requests without verifying that they're genuine.
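The "verifying that they're genuine" step can be partly automated on the mail gateway. The following is an added example, not code from the original article or from Cybercheck: it parses a message's headers and flags the indicators that typically accompany executive-impersonation payment requests. The executive roster, the corporate domain `example.com`, the `check_message` function and both sample messages are constructed for illustration.

```python
"""Flag executive-impersonation ("CEO fraud") payment requests from mail headers.

Added example. The roster, domain and sample messages below are constructed;
the checks themselves are the ones a finance-mailbox filter would typically apply.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Hypothetical corporate domain and executive roster (constructed for this example).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com", "Sam Roe": "sam.roe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "confidential")
PAYMENT_WORDS = ("payment", "wire", "invoice", "bank details")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like_corp_domain(domain: str) -> bool:
    """True for near-miss lookalikes (examp1e.com, example.co), False for the real domain."""
    if not domain or domain == CORP_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, CORP_DOMAIN).ratio() >= 0.8


def check_message(raw: str) -> list[str]:
    """Return the reasons a message should be held for out-of-band verification.

    An empty list means none of the impersonation indicators were present.
    """
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    # 1. Display name of a known executive, but not the address on the roster.
    roster_addr = EXECUTIVES.get(from_name.strip())
    if roster_addr and from_addr.lower() != roster_addr:
        reasons.append(f"display name '{from_name}' matches an executive but address is {from_addr}")

    # 2. Sender domain is a lookalike of the corporate domain.
    if looks_like_corp_domain(domain_of(from_addr)):
        reasons.append(f"sender domain {domain_of(from_addr)} is a lookalike of {CORP_DOMAIN}")

    # 3. Reply-To silently diverts the conversation away from the From address.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. Urgency language combined with a payment ask: the pressure tactic described above.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + str(body)).lower()
    if any(w in text for w in URGENCY_WORDS) and any(w in text for w in PAYMENT_WORDS):
        reasons.append("urgent payment request wording")

    return reasons


# Constructed sample messages (not real mail).
LEGIT_MSG = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: finance@example.com",
    "Subject: Q3 figures",
    "",
    "Attached are the Q3 figures for the board pack.",
])

FRAUD_MSG = "\n".join([
    'From: "Jane Doe" <jane.doe@examp1e.com>',
    "Reply-To: jane.doe.ceo@mail-example.test",
    "To: finance@example.com",
    "Subject: Urgent wire transfer today",
    "",
    "I am in a meeting and cannot talk. Please send the payment immediately, I will explain later.",
])

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MSG), ("fraud", FRAUD_MSG)):
        print(label, check_message(raw) or ["no indicators"])
```

None of these checks proves fraud on its own; a flagged message is held and the request is confirmed with the executive through a phone number already on file, never through contact details supplied in the message itself.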

Physical social engineering

In physical social engineering, attackers use deception to gain access to offices, premises, or restricted areas.

In tailgating, they follow employees through security doors by walking closely behind them. In piggybacking, they trick someone into letting them in, for example by posing as colleagues who've forgotten their access passes, or as couriers or maintenance engineers.

Hybrid attacks

In a hybrid attack, cybercriminals combine several methods or attack vectors. For example, they use phishing emails to deceive victims into installing infostealer malware on their devices.

Increasingly, cybercriminals use social engineering as reconnaissance for later attacks, for example stealing user credentials in preparation for an account takeover (ATO) attack.

They also gather data from LinkedIn profiles, social media posts, and even conference attendance lists to build detailed dossiers of information about people. They then use this information to carry out carefully targeted spear phishing or whaling attacks.

B2B supply chain manipulation

In supply chain attacks, attackers impersonate vendors or freight carriers to hijack or reroute shipments of goods.

Baiting and quid pro quo attacks

Baiting attacks lure victims with something enticing; quid pro quo attacks, as the name implies, offer something in return for opening a malicious link or giving away information. Examples include:

  • Free software trials laced with malware.
  • Infected USB keys left in public places to tempt passers-by to pick them up and plug them into their computers.
  • Fake customer surveys that promise gift cards as a reward for filling them in.

Protecting your organisation against social engineering tactics

It's reported that 68% of data breaches involve a human element (source: Verizon 2024 Data Breach Investigations Report). The threat from social engineering tactics demonstrates that cybersecurity depends on people and their actions as much as on technology.

To protect your organisation, regular security awareness training is vital. Everyone must be aware of the dangers and know how to recognise and report potential phishing and other social engineering attempts.

CTI solutions such as Cybercheck also help by continuously monitoring for exposed credentials and personal data, providing early warning so that attacks can be stopped before they breach your defences. This removes the cybercriminals' information advantage.

If cybercriminals are trading information about you or your organisation, we alert you immediately. Knowing that your personal data is in criminal hands means you can take proactive steps to prevent an attack, for example changing passwords, blocking cards, or locking down access. That way you can shut out the attackers before they make you their next victim.
