By Charles Joseph | Cybersecurity Advocate
When most people think about cybercrime, they picture highly technical hackers with advanced programming skills and a deep knowledge of how computers work.
But as technology advances, it gets easier to thwart these types of attacks automatically.
So these days, more and more cybercriminals are combining their computer engineering know-how with a more sinister type of engineering: social engineering.
What Is Social Engineering?
Social engineering is an attack technique that relies on human error, ignorance, and emotion rather than solely on code, hardware weaknesses, and software exploits.
By using psychological manipulation tactics, attackers can trick unsuspecting people into giving up sensitive information, providing access to private systems, and even transferring money.
- Social engineering attacks involve psychological manipulation, emotional exploitation, and abuse of trust to ensnare victims.
- Many social engineering tactics instill a sense of fear and urgency in the victim, making them more likely to fall for the attacker’s tricks.
- Other social engineering techniques exploit people’s tendency to cooperate and avoid conflict, especially with authority figures.
- Attackers often impersonate trusted individuals, officials, and organizations, taking advantage of preexisting relationships to gain the victim’s cooperation.
- Social engineering attacks may be designed to spread malware, steal sensitive information, gain access to private systems, and/or obtain money directly from victims.
Types of Social Engineering Attacks
There are many forms that social engineering can take, with each one targeting a particular emotion or behavior.
Here are five of the most common versions of a social engineering attack — and what they might look like in practice.
Phishing
Phishing attacks work by exploiting your fear for your own security, making you so anxious that you abandon rationality.
These attacks involve fraudulent emails or texts that purport to be urgent messages from legitimate sources. They implore you to click a link to change your password, confirm a credit card number, or hand over other sensitive information.
Any information you input is then in the attacker’s hands.
Picture this: you receive an email from your bank telling you that your account may have been compromised. You panic, knowing you need to act immediately — and luckily, there’s a link in the email that you can click to do so.
In a calmer state of mind, you may notice some odd things about the email, like the fact that it’s not from your bank’s usual email address or the weird URL the link takes you to.
But you’re so stressed out by the thought of losing all your money that these inconsistencies don’t even register.
So you enter your bank username and password, hit “submit,” and… you just got phished. Your account wasn’t actually compromised before — but it is now.
Phishers often impersonate banks, government agencies, utility companies, and other large, trusted organizations, allowing them to conduct spam attacks that reach — and trick — many people at once.
But they can also take a more personal approach, impersonating your spouse, colleague or boss to obtain the information they want. This tailored attack is known as spear phishing — and when it’s directed at high-profile targets like CEOs or elected officials, it’s called whaling.
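The "odd things" a calmer reader would notice in the bank scenario above (a sender address that is not the bank's, a link whose visible text and real destination disagree, language that rushes you) are exactly what a mail gateway or a user-awareness tool can check for automatically. The following Python checker is an added example and not part of the original article: the brand allowlist, the urgency word list and both sample messages are constructed for illustration, and the IP address comes from a reserved documentation range.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allowlist: which sending domains a brand name may legitimately use.
# A real deployment would load this from configuration.
KNOWN_BRAND_DOMAINS = {
    "Example Bank": {"examplebank.com"},
}

# Phrases the scenario relies on to make the reader act before thinking.
URGENCY_WORDS = {"immediately", "urgent", "suspended", "compromised", "within 24 hours"}


@dataclass
class Email:
    display_name: str
    from_address: str
    body: str
    links: list = field(default_factory=list)  # (visible anchor text, real href) pairs


def registered_domain(host: str) -> str:
    """Collapse 'secure.login.examplebank.com' to 'examplebank.com'.
    Naive last-two-labels rule; sufficient for the .com-style domains used here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def looks_like_url(text: str) -> bool:
    """True when link text itself reads as a hostname or URL (e.g. 'examplebank.com/login')."""
    return re.fullmatch(r"(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:/\S*)?", text.strip()) is not None


def phishing_indicators(mail: Email) -> list:
    """Return the red flags found in one message, one string per finding."""
    flags = []
    sender_domain = registered_domain(mail.from_address.split("@")[-1])

    # 1. Display name claims a known brand, but the address is not one of that brand's domains.
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        if brand.lower() in mail.display_name.lower() and sender_domain not in domains:
            flags.append(f"sender domain {sender_domain!r} does not belong to {brand!r}")

    for text, href in mail.links:
        href_host = urlparse(href).hostname or ""
        # 2. Visible link text names one domain while the real href goes somewhere else.
        if looks_like_url(text):
            shown = text.strip() if "://" in text else "http://" + text.strip()
            text_host = urlparse(shown).hostname or ""
            if registered_domain(text_host) != registered_domain(href_host):
                flags.append(f"link text {text!r} points to {href_host!r}")
        # 3. Credential pages served over plain HTTP, or a bare IP address instead of a hostname.
        if urlparse(href).scheme == "http":
            flags.append(f"unencrypted link {href!r}")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", href_host):
            flags.append(f"link uses a bare IP address {href_host!r}")

    # 4. Urgency language that pressures the reader into skipping the sanity checks above.
    body = mail.body.lower()
    found = sorted(w for w in URGENCY_WORDS if w in body)
    if found:
        flags.append("urgency language: " + ", ".join(found))
    return flags


# Constructed sample messages. 198.51.100.0/24 is a reserved documentation range.
PHISHING_EXAMPLE = Email(
    display_name="Example Bank Security",
    from_address="alerts@examplebank-verify.net",
    body="Your account may have been compromised. Log in immediately to secure it.",
    links=[("www.examplebank.com/login", "http://198.51.100.23/examplebank/login")],
)
LEGIT_EXAMPLE = Email(
    display_name="Example Bank",
    from_address="statements@examplebank.com",
    body="Your monthly statement is ready to view in online banking.",
    links=[("examplebank.com/statements", "https://www.examplebank.com/statements")],
)

if __name__ == "__main__":
    for label, mail in (("phishing", PHISHING_EXAMPLE), ("legitimate", LEGIT_EXAMPLE)):
        print(label, phishing_indicators(mail))
```

The constructed phishing message trips every check (five findings), while the legitimate statement notice trips none. None of these heuristics is proof on its own; the point is that a machine can apply them consistently at the moment the reader, as the scenario describes, is too stressed to.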
Baiting
Baiting is a social engineering tactic that exploits the victim’s sense of curiosity, desire, or greed.
It starts with an enticing lure: say, a USB stick labeled “Finances” left in the break room at your office.
You bring the drive back to your desk and, curiosity piqued, decide to see what’s on it.
Unbeknownst to you, the drive actually contains a malware program that’s set to run automatically as soon as the drive is plugged in. It installs itself on your computer before spreading throughout the office network, stealing sensitive files and sending them to the attacker.
Baiting can also take place virtually: you may receive a message telling you you’ve won a giveaway and need to click a link to claim your prize. But the link actually leads to a malware download or tricks you into revealing your social media login info.
Pretexting
Pretexting takes advantage of your willingness to trust and unwillingness to say no. Often, it also exploits your sense of respect towards authority figures.
The attacker assumes a false identity, then approaches you with a backstory to gain your trust and put you at ease. Once you’ve accepted their ruse, they then request sensitive information from you.
For instance, an attacker may claim to be from the tax department, where there’s been a computer error that affected your latest tax return. They apologize and commiserate with you about faulty technology, then ask you for some missing data, like your social security number and gross income.
Or the attacker could dress up as a delivery person with a package that requires a signature and ID verification. When you ask why, they reply that it’s a new policy for high-value packages, so you sign your name and let them write down all the information from your license.
Quid Pro Quo
Like pretexting, quid pro quo attacks use your tendency to trust and cooperate against you. In many cases, they also rely on your lack of knowledge regarding specialized or highly technical matters.
They involve the attacker pretending to be someone with a problem to fix — typically a tech support worker contacting you about “the support ticket you submitted.”
You’ll then be asked to do something to help the attacker “resolve your issue,” like provide a password, type in a command, or grant remote access to your computer. Once you fulfill this request, the supposed “specialist” will be able to fix your problem.
Of course, this won’t actually happen. Whatever task you perform will give the attacker what they want, after which they’ll simply disappear.
Scareware
Scareware attacks, as the name suggests, prey on fear. Like quid pro quo attacks, they also take full advantage of the average person’s lack of technical expertise.
They start with an alarming hook, using real cybersecurity company logos to look more official: your computer has been infected with malware, your files have been corrupted, or you’ve been caught downloading illegal content.
You’ll lose all of your data unless you download a program to remove the malware or bad files.
This program may cost money to download, or it may be free. Regardless, it doesn’t help you in any way: either it steals your files, installs real malware, or (if you already paid for it) simply does nothing.
History of Social Engineering Attacks
Social engineering as a concept — the use of psychological manipulation to deceive and steal — has been around since the dawn of society. The classic example is the Trojan Horse that the Greek army used to bait the Trojans, leading to the brutal destruction of Troy.
But social engineering in the digital realm began in the 1990s.
As the internet and email became more widespread, scammers began impersonating AOL employees to steal passwords and billing information from unsuspecting web surfers.
And as corporations, banks and governments went more and more virtual, social engineers expanded both their arsenal of techniques and areas of operation.
Hacker Kevin Mitnick was responsible for many of these innovations. Throughout the late ’80s and early ’90s, he manipulated his way into countless organizations, from Motorola to Pacific Bell to the IRS.
After serving prison time for hacking, Mitnick decided to use his skills for good, informing the public about his tactics. Today he’s considered the “father of social engineering”: the inspiration behind so many cyberattacks as well as one of our best resources for protecting ourselves from them.
Social Engineering By the Numbers
- 90% of all data breaches involve at least one social engineering component
- 75% of cybersecurity professionals consider social engineering to be the most dangerous security threat
- Each year, 85% of organizations experience at least one social engineering attack
- 17% of employees fall for workstation-compromising social engineering attacks
- In 2021, cybercriminals used social engineering techniques to steal $6.9 billion
Famous Social Engineering Attacks
The Buckshot Yankee Attack
In 2008, an unknown attacker dropped several USB sticks in the parking lot of a US military base in the Middle East.
The sticks contained malware called “agent.btz,” designed to steal data from infected computers. One of the sticks was picked up by a curious employee and plugged into a computer connected to the US Central Command system.
From there, the malware spread to computers throughout the Department of Defense, including ones containing classified information. The incident, dubbed “Buckshot Yankee,” was a classic example of baiting — and the most significant US military computer breach ever.
The ILOVEYOU Attack
In the early 2000s, millions of people received an email that appeared to be from a trusted contact, with the alluring subject “ILOVEYOU.” Attached to the email was a love letter in what looked like a text file.
Many of these people opened the attachment, thinking it was a genuine declaration of love (or a funny prank). However, the “love letter” was actually a worm that deleted files, stole passwords, and used the recipient’s email to further propagate itself, causing over $10 billion in damages.
The Sony Phishing Attack
In 2014, a group of hackers posing as Apple representatives used phishing emails to obtain the Apple IDs of various executives at Sony Pictures.
One executive used the same password for both their Apple ID and their Sony login, allowing the hackers access to Sony’s computer systems.
The hackers, believed to be North Korean, leaked multiple unreleased films as well as salary information, internal emails, and employee social security numbers. All told, they caused over $35 million in damages.
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional